On Sat, Apr 10, 2010 at 9:44 AM, tom baecker <tb4...@googlemail.com> wrote:
> Hello,
>
> I've set up an openbsd-ha firewall, based on
> http://www.openbsd.org/faq/pf/carp.html.
>
> If the master goes down - the backup system becomes the Master role.
> All established connections are in sync and stay active - so that's
> perfect.
> But if the original Master system comes back again and falls back to
> the Master state - all established connections are broken, maybe they
> are not successfully synced to the old master?
>
> Is there a way to prevent fallback, so the backup system stays in
> the Master role after failover?
> Maybe I also have a wrong setup.
>
> Primary setup:
> /etc/hostname.carp0:
> inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 pass bbb
> /etc/hostname.carp1:
> inet 10.1.2.1 255.255.255.0 10.68.255.255 vhid 2 pass aaa
> /etc/hostname.carp2:
> inet 10.1.3.1 255.255.255.0 10.101.10.255 vhid 3 pass xxx
> /etc/hostname.pfsync0
> up syncdev em1
>
> net.inet.carp.preempt=1
> net.inet.ip.forwarding=1
> net.inet.carp.log=7
>
> pf.conf
> # allow pfsync
> pass quick on em1 proto pfsync
> # allow carp
> pass quick on { em0, em2, em3 } proto carp keep state
>
>
> Standby setup:
> /etc/hostname.carp0:
> inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb
> /etc/hostname.carp1:
> inet 10.1.2.1 255.255.255.0 10.68.255.255 vhid 2 advskew 100 pass aaa
> /etc/hostname.carp2:
> inet 10.1.3.1 255.255.255.0 10.101.10.255 vhid 3 advskew 100 pass xxx
> /etc/hostname.pfsync0
> up syncdev em1
>
> net.inet.carp.preempt=1
> net.inet.ip.forwarding=1
> net.inet.carp.log=7
>
> pf.conf
> # allow pfsync
> pass quick on em1 proto pfsync
> # allow carp
> pass quick on { em0, em2, em3 } proto carp keep state
>
>
> A failover and fallback gives me the following entries in the message log:
>
> the master goes down:
> Apr 9 16:02:05 fw-bkp /bsd: carp1: state transition: BACKUP -> MASTER
> Apr 9 16:02:05 fw-bkp /bsd: carp0: state transition: BACKUP -> MASTER
> Apr 9 16:02:05 fw-bkp /bsd: carp2: state transition: BACKUP -> MASTER
> the master comes back:
> Apr 9 16:25:07 fw-bkp /bsd: carp0: state transition: MASTER -> BACKUP
> Apr 9 16:25:07 fw-bkp /bsd: carp2: state transition: MASTER -> BACKUP
> Apr 9 16:25:17 fw-bkp /bsd: carp1: state transition: MASTER -> BACKUP
>
>
> the primary booting up and taking over the master role:
> Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 129
> Apr 9 16:24:11 fw-pri /bsd: carp: carp1 demoted group carp to 130
> Apr 9 16:24:11 fw-pri /bsd: carp: carp2 demoted group carp to 131
> Apr 9 16:24:11 fw-pri /bsd: carp0: state transition: INIT -> BACKUP
> Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 134
> Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group carp to 131
> Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 1
> Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: INIT -> BACKUP
> Apr 9 16:24:12 fw-pri /bsd: carp: carp1 demoted group carp to 130
> Apr 9 16:24:12 fw-pri /bsd: carp2: state transition: INIT -> BACKUP
> Apr 9 16:24:12 fw-pri /bsd: carp: carp2 demoted group carp to 129
> Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: BACKUP -> MASTER
> Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group carp to 0
> Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 0
> Apr 9 16:24:30 fw-pri /bsd: carp0: state transition: BACKUP -> MASTER
> Apr 9 16:24:30 fw-pri /bsd: carp2: state transition: BACKUP -> MASTER
>
>
> Hopefully you can help me.
> Regards,
> Tom
>

net.inet.carp.preempt    Allow virtual hosts to preempt each other.

Set it to 0 and give it a try.

/Tony
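
Added example, not part of either message in this thread: a small Python script that replays the fw-pri log lines quoted above and reports the carp group demotion value in effect at each BACKUP -> MASTER transition, so a takeover that happens before pfsync0 lifts its demotion stands out. It assumes the number after "to" is the resulting demotion counter; the function names are hypothetical.

```python
import re

# Lines copied from the fw-pri boot log quoted in the thread.
FW_PRI_LOG = """\
Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 129
Apr 9 16:24:11 fw-pri /bsd: carp: carp1 demoted group carp to 130
Apr 9 16:24:11 fw-pri /bsd: carp: carp2 demoted group carp to 131
Apr 9 16:24:11 fw-pri /bsd: carp0: state transition: INIT -> BACKUP
Apr 9 16:24:11 fw-pri /bsd: carp: carp0 demoted group carp to 134
Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group carp to 131
Apr 9 16:24:12 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 1
Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: INIT -> BACKUP
Apr 9 16:24:12 fw-pri /bsd: carp: carp1 demoted group carp to 130
Apr 9 16:24:12 fw-pri /bsd: carp2: state transition: INIT -> BACKUP
Apr 9 16:24:12 fw-pri /bsd: carp: carp2 demoted group carp to 129
Apr 9 16:24:12 fw-pri /bsd: carp1: state transition: BACKUP -> MASTER
Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group carp to 0
Apr 9 16:24:29 fw-pri /bsd: carp: pfsync0 demoted group pfsync to 0
Apr 9 16:24:30 fw-pri /bsd: carp0: state transition: BACKUP -> MASTER
Apr 9 16:24:30 fw-pri /bsd: carp2: state transition: BACKUP -> MASTER
""".splitlines()

DEMOTE = re.compile(r"(\d\d:\d\d:\d\d) \S+ /bsd: carp: (\S+) demoted group (\S+) to (\d+)")
TRANS = re.compile(r"(\d\d:\d\d:\d\d) \S+ /bsd: (\S+): state transition: (\w+) -> (\w+)")

def master_takeovers(lines, group="carp"):
    """Return (iface, time, counter) for every transition to MASTER, where
    counter is the last demotion value logged for `group` before it."""
    counter, out = 0, []
    for line in lines:
        m = DEMOTE.search(line)
        if m and m.group(3) == group:
            counter = int(m.group(4))   # assumption: value after "to" is the new counter
            continue
        m = TRANS.search(line)
        if m and m.group(4) == "MASTER":
            out.append((m.group(2), m.group(1), counter))
    return out

def early_takeovers(lines):
    """Takeovers logged while the carp group was still demoted (counter > 0)."""
    return [t for t in master_takeovers(lines) if t[2] > 0]

if __name__ == "__main__":
    for iface, when, counter in master_takeovers(FW_PRI_LOG):
        note = "while still demoted" if counter else "after demotion cleared"
        print(f"{when} {iface} -> MASTER, carp demotion {counter} ({note})")
```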