On 18.02.2009, at 19:07, Jason Dixon wrote:

> Is anyone using the carpnodes load-balancing feature for carp(4)?  I
> can't seem to get it to balance any traffic across the two nodes.  I'm
> testing a simple dual-homed CARP/pfsync pair.  Creating the interfaces
> is simple enough and they seem to behave ok.  I have to use ip-stealth
> for the switch to work properly.
>
> host-a # ifconfig carp0 10.20.0.1 netmask 255.255.255.0 \
>   carpnodes 1:0,2:100 balancing ip-stealth
> host-a # ifconfig carp1 10.30.0.1 netmask 255.255.255.0 \
>   carpnodes 1:0,2:100 balancing ip-stealth
>
> host-b # ifconfig carp0 10.20.0.1 netmask 255.255.255.0 \
>   carpnodes 1:100,2:0 balancing ip-stealth
> host-b # ifconfig carp1 10.30.0.1 netmask 255.255.255.0 \
>   carpnodes 1:100,2:0 balancing ip-stealth
>
> After a short delay I can ping 10.20.0.1 from another host.  Everything
> looks normal except there is a lack of routes on host-b pointing to the
> carp interfaces (output abbreviated for clarity).
>
> host-a # netstat -rn -finet | grep carp
> 10.20.0.1    10.20.0.1    UH     0    0   -   4 carp0
> 10.30.0.1    10.30.0.1    UH     0    0   -   4 carp1
>
> host-b # netstat -rn -finet | grep carp
>
> I will then issue a network test from a client (10.20.0.4) to a server
> (10.30.0.4).  While monitoring netstat -i, I can see all of the traffic
> entering and leaving both interfaces on host-a, but only entering interfaces
> on host-b (no forwarding).  Forwarding is correctly enabled on both
> hosts and they're running the same ruleset.  Same results with pf
> disabled.
>
> I haven't found many examples of carpnodes in production on the lists.
> Can someone please verify this is truly feature complete and that I'm
> just doing something stupid (highly possible)?


I'm testing a similar environment with -Current and the new PFSYNC V5 on
both firewalls. The box behind starts a connection and fails after seconds.

The routing entries seem similar to Jason's. box-A has a route with
carp as device and box-B doesn't.

I've tried nat with and without source-hash. carp seems to work correctly
and pfsync runs on its own interface without filtering.

    nat on if_wan from 10.10.10.10/16 to ! 10.10.10.10/16 -> x.x.x.x

    pass quick on { if_sync } proto pfsync keep state (no-sync)
    pass quick on { carp } proto carp keep state (no-sync)

Is someone running a load-balanced firewall solution and knows what to do
to solve the problem?


Thanks for every hint or info

Kind regards
Karl-Heinz
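Both posters diagnose the problem the same way: packet counters rise on the secondary's interfaces but nothing ever leaves it. The following is an added example (not code from either post) that automates that check by diffing two `netstat -i` snapshots and flagging receive-only interfaces; the snapshots, interface names and addresses are constructed to resemble host-b.

```python
# Flag interfaces that receive traffic but send nothing between two
# `netstat -i` snapshots (the "entering but not leaving" symptom above).
# Added example, not code from the thread; the snapshots are constructed.

def parse_netstat_i(text):
    """Return {ifname: (Ipkts, Opkts)} from `netstat -i` output.
    The last five columns are Ipkts Ierrs Opkts Oerrs Colls, so counters
    are read from the tail; the leading column count varies (lo0 has no
    Address), and repeated per-address lines for one interface are merged."""
    counters = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "Name":
            continue
        try:
            counters.setdefault(f[0], (int(f[-5]), int(f[-3])))
        except ValueError:
            continue  # not a counter line
    return counters

def receive_only(before, after, min_in=1):
    """Interfaces whose Ipkts grew by >= min_in while Opkts did not move."""
    t0, t1 = parse_netstat_i(before), parse_netstat_i(after)
    return sorted(n for n, (i1, o1) in t1.items()
                  if n in t0 and i1 - t0[n][0] >= min_in and o1 == t0[n][1])

# Constructed host-b snapshots, a few seconds apart: em2 carries pfsync
# both ways, everything else only receives, as the posters describe.
HOST_B_T0 = """\
Name   Mtu   Network      Address        Ipkts Ierrs  Opkts Oerrs Colls
em0    1500  10.20/24     10.20.0.3      12000     0  11950     0     0
em1    1500  10.30/24     10.30.0.3      11500     0  11480     0     0
em2    1500  192.168.1/24 192.168.1.2     5000     0   5100     0     0
carp0  1500  10.20/24     10.20.0.1       3000     0   2990     0     0
carp1  1500  10.30/24     10.30.0.1       2800     0   2810     0     0
lo0    32768 <Link>                         40     0     40     0     0
"""
HOST_B_T1 = """\
Name   Mtu   Network      Address        Ipkts Ierrs  Opkts Oerrs Colls
em0    1500  10.20/24     10.20.0.3      12800     0  11950     0     0
em1    1500  10.30/24     10.30.0.3      12300     0  11480     0     0
em2    1500  192.168.1/24 192.168.1.2     5050     0   5150     0     0
carp0  1500  10.20/24     10.20.0.1       3500     0   2990     0     0
carp1  1500  10.30/24     10.30.0.1       3300     0   2810     0     0
lo0    32768 <Link>                         40     0     40     0     0
"""
```

Calling `receive_only(HOST_B_T0, HOST_B_T1)` on the samples returns the four data-plane interfaces, which is the pattern to look for before digging into the missing carp routes.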
