On Fri, Dec 5, 2008 at 12:11 PM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
> Hey Felipe,
>
> On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
> | Hi misc,
> |
> | I've been thinking about this for a while but can't seem to figure out
> | a proper solution. Perhaps you have seen a scenario like this before
> | and have ideas on how to tackle it.
> |
> | I have two OpenBSD 4.4 boxes configured in active/backup CARP,
> | connected to an ADSL router. I want to reconfigure the ADSL router and
> | turn it into a bridge. This way, my public IP address will move from
> | the ADSL router into the CARP interface and will be shared by both
> | OpenBSD machines. The ADSL router has a built-in hub which both
> | OpenBSD machines are plugged into.
>
> Some years ago, I did exactly this. Configured an ADSL modem for
> rfc1483 mode (which my ISP supported) and had two machines behind it
> for routing (NATting) my local network out.
>
> | While the machine whose CARP interface is in ACTIVE won't have
> | problems sending and processing traffic, the OpenBSD machine whose
> | CARP interface is in BACKUP will. The machine whose CARP interface is
> | in BACKUP will be able to send traffic to the Internet from its public
> | IP address, but will not be able to process any response, for example
> | to contact an NTP server: the UDP response from the NTP server will
> | arrive at both OpenBSD machines (since both are sharing the public IP
> | address), but the machine whose CARP interface is BACKUP will likely
> | ignore the NTP response. For TCP it is also very similar.
>
> I did this before we had openntpd and didn't run "that other" ntpd on
> my machines. Internet access was only available when the machine was
> CARP master. I think there are two solutions here, both of which have
> issues. First solution (only solves the ntp issue), configure your
> CARP'ed routers to use an ntpd on your local network (which gets its
> time via the same set of CARP'ed routers). The other option is to get
> more public IPs from your ISP. This makes your routers accessible
> from the internet.

These are very interesting ideas. I'm now thinking of running two
openntpd daemons, one on each machine. openntpd can be configured to use
an NTP server from the internet and the other OpenBSD peer. For the
active CARP, it can reach both NTP servers. For the backup CARP, it can
only reach its peer and still keep the time up to date.

> Downsides are that the first solution requires an extra machine and
> the second solution is probably difficult with most ISPs.

My ISP won't give me any more IP addresses, unfortunately. It's
Telefonica, and I was one of the very first lucky customers to get a
public, fixed IP address in 1999. Nowadays, they don't hand out public IP
addresses anymore and I can consider myself lucky for not getting mine
withdrawn.

> | I have no idea how to deploy a scenario like this, while allowing the
> | machine whose CARP interface is in BACKUP to access the Internet. A
> | workaround is having the machine whose CARP interface is in BACKUP
> | have a default route installed pointing to the machine whose CARP
> | interface is ACTIVE. The problem is the setup is more complex and
> | requires a way of dynamically adjusting the default route. A possible
> | solution is using ifstated(8). Is it possible to use OSPF instead?
>
> I don't really like that solution. My suggestion would be to try and
> minimize the amount of traffic the machines need to send to the
> internet (preferably to 0). Maybe use IPv6 (if your ISP does native
> v6 on the link) when you can't work around this.

No native IPv6 either. Same problem as with IPv4. In Spain, IPv6 is just
SciFi, unless you use a tunnel broker like SixXS. And since this requires
IPv4, I have a deadlock :(

Thanks for your suggestions, Paul!

> Cheers ;)
>
> Paul 'WEiRD' de Weerd
>
> -- 
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
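The two-openntpd arrangement Felipe describes above (each box uses an Internet NTP server plus the other CARP peer), written out as an added example that is not part of the original thread. It assumes the two boxes have internal LAN addresses 192.168.1.1 and 192.168.1.2 and use pool.ntp.org upstream; all of these values are constructed.

```conf
# /etc/ntpd.conf on box A (internal address 192.168.1.1, constructed)
# Serve time to the LAN peer only; do not listen on the shared public IP.
listen on 192.168.1.1
# Internet servers: only the box that is CARP master ever sees their
# replies (the backup box sends the query but the answer is ignored,
# as described in the thread). openntpd simply treats them as unreachable.
servers pool.ntp.org
# The other OpenBSD box: always reachable on the internal hub, so the
# backup box stays in sync through the master, and roles can swap on
# CARP failover without touching this file.
server 192.168.1.2

# /etc/ntpd.conf on box B (internal address 192.168.1.2, constructed)
# Mirror image of box A: listen on its own LAN address, same upstream,
# and peer with box A.
listen on 192.168.1.2
servers pool.ntp.org
server 192.168.1.1
```

Whichever box is CARP backup ends up following its peer alone, which is what the plan above relies on; the peer is in turn synced to the Internet only while it is master, so a long outage of the master's uplink leaves both clocks free-running.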