Hello,

I've set up an OpenBSD HA firewall, based on http://www.openbsd.org/faq/pf/carp.html.

If the master goes down, the backup system takes over the Master role. All established connections are in sync and stay active, so that's perfect. But if the original Master system comes back again and falls back to the Master state, all established connections are broken; maybe they were not successfully synced to the old master?

Is there a way to prevent fallback, so the backup system stays in the Master role after failover? Maybe I also have a wrong setup.

Primary setup:

/etc/hostname.carp0:
    inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 pass bbb

/etc/hostname.carp1:
    inet 10.1.2.1 255.255.255.0 10.68.255.255 vhid 2 pass aaa

/etc/hostname.carp2:
    inet 10.1.3.1 255.255.255.0 10.101.10.255 vhid 3 pass xxx

/etc/hostname.pfsync0
    up syncdev em1

    net.inet.carp.preempt=1
    net.inet.ip.forwarding=1
    net.inet.carp.log=7

pf.conf
    # allow pfsync
    pass quick on em1 proto pfsync
    # allow carp
    pass quick on { em0, em2, em3 } proto carp keep state

Standby setup:

/etc/hostname.carp0:
    inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb

/etc/hostname.carp1:
    inet 10.1.2.1 255.255.255.0 10.68.255.255 vhid 2 advskew 100 pass aaa

/etc/hostname.carp2:
    inet 10.1.3.1 255.255.255.0 10.101.10.255 vhid 3 advskew 100 pass xxx

/etc/hostname.pfsync0
    up syncdev em1

    net.inet.carp.preempt=1
    net.inet.ip.forwarding=1
    net.inet.carp.log=7

pf.conf
    # allow pfsync
    pass quick on em1 proto pfsync
    # allow carp
    pass quick on { em0, em2, em3 } proto carp keep state

A failover and fallback give me the following entries in the message log:

the master goes down:

    Apr 9 16:02:05 fw-bkp /bsd: carp1: state transition: BACKUP -> MASTER
    Apr 9 16:02:05 fw-bkp /bsd: carp0: state transition: BACKUP -> MASTER
    Apr 9 16:02:05 fw-bkp /bsd: carp2: state transition: BACKUP -> MASTER

the master comes back:

    Apr 9 16:25:07 fw-bkp /bsd: carp0: state transition: MASTER -> BACKUP
    Apr 9 16:25:07 fw-bkp /bsd: carp2: state transition: MASTER -> BACKUP
    Apr 9 16:25:17 fw-bkp /bsd: carp1: state transition: MASTER -> BACKUP

the primary boots up and takes over the Master role:

    Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 129
    Apr 9 16:24:11 fw-pri /bsd: carp: carp1 demoted group carp to 130
    Apr 9 16:24:11 fw-pri /bsd: carp: carp2 demoted group carp to 131
    Apr 9 16:24:11 fw-pri /bsd: carp0: state transition: INIT -> BACKUP
    Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 134
    Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group carp to 131
    Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 1
    Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: INIT -> BACKUP
    Apr 9 16:24:12 fw-pri /bsd: carp: carp1 demoted group carp to 130
    Apr 9 16:24:12 fw-pri /bsd: carp2: state transition: INIT -> BACKUP
    Apr 9 16:24:12 fw-pri /bsd: carp: carp2 demoted group carp to 129
    Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: BACKUP -> MASTER
    Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group carp to 0
    Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 0
    Apr 9 16:24:30 fw-pri /bsd: carp0: state transition: BACKUP -> MASTER
    Apr 9 16:24:30 fw-pri /bsd: carp2: state transition: BACKUP -> MASTER

Hopefully you can help me.

Regards,
Tom
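
Added example (not part of Tom's post and not OpenBSD project code): a short Python script that replays the fw-pri boot log quoted above and reports the "carp" group demotion counter that was last logged on the host at each state transition. The function names and the approach of tracking the last logged counter per host are assumptions of this example.

```python
import re

# fw-pri boot log lines copied from the post above (sample input).
LOG = """\
Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 129
Apr 9 16:24:11 fw-pri /bsd: carp: carp1 demoted group carp to 130
Apr 9 16:24:11 fw-pri /bsd: carp: carp2 demoted group carp to 131
Apr 9 16:24:11 fw-pri /bsd: carp0: state transition: INIT -> BACKUP
Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 134
Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group carp to 131
Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 1
Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: INIT -> BACKUP
Apr 9 16:24:12 fw-pri /bsd: carp: carp1 demoted group carp to 130
Apr 9 16:24:12 fw-pri /bsd: carp2: state transition: INIT -> BACKUP
Apr 9 16:24:12 fw-pri /bsd: carp: carp2 demoted group carp to 129
Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: BACKUP -> MASTER
Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group carp to 0
Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 0
Apr 9 16:24:30 fw-pri /bsd: carp0: state transition: BACKUP -> MASTER
Apr 9 16:24:30 fw-pri /bsd: carp2: state transition: BACKUP -> MASTER
"""

LINE = re.compile(r"^\w{3} +\d+ ([\d:]{8}) (\S+) /bsd: (.*)$")
TRANS = re.compile(r"^(carp\d+): state transition: (\w+) -> (\w+)$")
DEMOTE = re.compile(r"^carp: \S+ demoted group carp to (\d+)$")

def transitions(log):
    """Return (time, host, iface, old, new, demotion) per state transition,
    where demotion is the last logged 'carp' group counter on that host."""
    demotion, out = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, host, msg = m.groups()
        if (d := DEMOTE.match(msg)):
            demotion[host] = int(d.group(1))   # 'pfsync' group lines are ignored
        elif (t := TRANS.match(msg)):
            out.append((when, host, *t.groups(), demotion.get(host)))
    return out

def master_while_demoted(events):
    """Transitions to MASTER logged while the counter was still above 0."""
    return [e for e in events if e[4] == "MASTER" and e[5]]

if __name__ == "__main__":
    for e in transitions(LOG):
        print(*e)
```

On the quoted log it reports carp1 going to MASTER at 16:24:12 with the counter at 129, and carp0 and carp2 at 16:24:30 with the counter at 0.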