Re: OpenBGP on firewall

2006-02-16 Thread Reto Burkhalter
Hi

I tried something similar: 2x machines (FreeBSD) with OpenBGPD,
CARP (for fail-over of the internal default gateway), PF and pfsync.

I encountered problems especially with asymmetrically routed traffic.
E.g. traffic coming in via router 1, going to the client/server and
going out via router 2. pf/pfsync sets up the session and replicates
states to the other machine; the connection is established, but
I have massive problems with really transferring data (which means
POP3 login works and small mails are downloaded, but then it interrupts).

Maybe I have mistakes in the pf.conf (I use keep state everywhere).
I am also not sure if this setup is a clever idea. Anyone?

Regards,
Reto


 I started working for a company whose production site is running 2
 PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
 to replace them with 2 OpenBSD and CARP, and they approved. In front of
 the FW there is a Cisco 7200 router doing BGP. I offered to remove the
 router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
 failover on BGP too. But I don't know whether this is a good idea or
 whether I should add 2 more OpenBSD systems specifically for BGP?


 TIA
 Paolo

 PS - The FWs will be single CPU Dell PowerEdge 1850 systems with
 (probably) 1GB RAM.
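
A pf.conf for the two-router, pfsync-replicated setup described in the message above, as an added example (not from the post, and not tested on the poster's FreeBSD 6 boxes): it uses current OpenBSD pf syntax, and the interface names, the DMZ network and the ports are assumptions. What it demonstrates is the pair of settings that make a state copied by pfsync usable when the two directions of one TCP connection cross different routers, which is the failure pattern the post describes.

```conf
# /etc/pf.conf, identical on both routers (added example, OpenBSD syntax).
# Interface names and address ranges are assumptions for illustration.
ext_if  = "em0"            # uplink to this router's own ISP
int_if  = "em2"            # inside segment, carries the shared carp0 address
sync_if = "em3"            # back-to-back link used only for pfsync
dmz_net = "3.3.3.0/24"     # constructed DMZ range

# A floating state matches on whichever interface the packet shows up on, so
# a state created on router 1 and copied by pfsync still matches the reply
# path leaving through router 2. Floating is the OpenBSD default; it is set
# explicitly because an asymmetric setup silently breaks under if-bound.
set state-policy floating
set skip on { lo0 $sync_if }

block log

# CARP advertisements between the two inside interfaces: stateless, local only.
pass quick on $int_if proto carp no state

# Mail traffic into the DMZ. "sloppy" turns off pf's TCP sequence-window
# tracking for these states. With asymmetric routing each router sees only
# one direction of the stream, the replicated state never learns the other
# side's window, and after a few packets the default checks start dropping
# segments: the session sets up fine, small transfers work, large ones stall.
pass in on $ext_if inet proto tcp to $dmz_net port { 25 110 } keep state (sloppy)

# DMZ-originated connections: the inbound rule on the inside interface creates
# the floating state; the same state then passes the packet out of whichever
# uplink the route points at, on this router or on the peer.
pass in on $int_if inet proto tcp from $dmz_net keep state (sloppy)
```

The trade-off is the usual one: `sloppy` states give up the sequence-number sanity check that makes blind TCP injection hard, so apply it only to the rules whose traffic can actually take an asymmetric path rather than to every `keep state` in the file. The pfsync link is skipped entirely because pfsync is neither authenticated nor encrypted; it belongs on a dedicated cable.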



Re: CARP on firewalls connected to ISP and OpenBGPd

2006-01-14 Thread Reto Burkhalter
Hi

We wanted to do something similar, but consider connecting
one FW/router to ISP1 and the second to ISP2. Because if you
use CARP to fail over BGP sessions, you would lose the connection
shortly. Your upstream ISPs detect this and withdraw your /24 from
their routing tables, propagating this further on. Maybe you
end up route-flap dampened.

(Although it is possible: the keyword in bgpd.conf is depend on.)

We connect one router to ISP1 and one to ISP2 and do CARP on the
inside interface (which is the default gateway for all clients).

Works perfectly for us.

Regards,
Reto

 -----Original Message-----
 From: peceka [mailto:[EMAIL PROTECTED]
 Sent: Friday, 13 January 2006 17:49
 To: misc@openbsd.org
 Subject: CARP on firewalls connected to ISP and OpenBGPd
 
 
 Hi,
 
 I need some suggestions from you. The problem I have is
 described below:

 I'm building a network as it is drawn on the picture at
 http://devnet.pl/~pck/network.jpg

 With ISP1 and ISP2 I have to set up BGP (I've got a public AS) and I'm
 thinking of using OpenBGPD for this.

 To connect to ISP1 I have 1.1.1.4/30: .4/30 is the IP for my
 router, .3/30 is for the ISP1 router.
 To connect to ISP2 I have 2.2.2.4/30: .4/30 is the IP for my
 router, .3/30 is for the ISP2 router.

 For the DMZ I've got a public /24, for example: 3.3.3.0/24.
 
 FW3 and FW4 are exactly the same machines; they've got 4
 ethernets, for example:
 e0: 1.1.1.4/30 (ISP1)
 e1: 2.2.2.4/30 (ISP2)
 e2: 3.3.3.1/24 (ISP3)
 e3: for pfsync between FW3 and FW4

 I want to set up CARP on the ISP and DMZ sides. Is it possible? I
 have only one IP for connecting to the ISP, so can I set 192.168.0.1/24
 and 192.168.0.2/24 on e0 and then make hostname.carp0 with IP address
 1.1.1.4/30? And something like this on the ISP2 side.

 And how do I combine this with OpenBGPD? Will OpenBGPD work in a
 master-slave setup?
 
 And the second question is how I can resolve a problem like this:
 I've got two machines in the DMZ (on public IPs) which do the same
 (i.e. web servers):
 3.3.3.40
 3.3.3.41

 and one of them dies, so redirect all traffic to the second
 machine. Should I do it with an rdr rule? Like:
 rdr on $ext_e0 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80
 rdr on $ext_e1 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80

 or something else?
 
 thanks for any advice,
 p.
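
The interface configuration for the design Reto recommends in the reply above (one uplink per router, CARP only on the inside gateway, pf states replicated over a dedicated link), as an added example in OpenBSD hostname.if(5) form. It is not from the thread; the interface names, the vhid, the pass phrase and the sync network are assumptions, and the addresses are the ones from the question.

```conf
# Added example: hostname.if(5) files for FW3 and FW4. Only the inside
# gateway address moves between the boxes; each uplink stays on one router.

# ---- FW3 (uplink to ISP1) ----
# /etc/hostname.em0      plain interface, no CARP: only this box talks to ISP1
inet 1.1.1.4 255.255.255.252

# /etc/hostname.em2      inside segment, this router's own address
inet 3.3.3.2 255.255.255.0

# /etc/hostname.carp0    shared gateway 3.3.3.1; advskew 0 makes FW3 the
#                        preferred master, the pass phrase authenticates the
#                        advertisements against a rogue box on the segment
inet 3.3.3.1 255.255.255.0 3.3.3.255 vhid 1 carpdev em2 pass ex4mple-carp advskew 0

# /etc/hostname.em3      back-to-back link, no user traffic
inet 10.10.10.1 255.255.255.252

# /etc/hostname.pfsync0  pfsync is neither authenticated nor encrypted; anyone
#                        who can inject on this link can create states on both
#                        firewalls, hence the dedicated cable
up syncdev em3

# ---- FW4 (uplink to ISP2) ----
# /etc/hostname.em0
inet 2.2.2.4 255.255.255.252
# /etc/hostname.em2
inet 3.3.3.3 255.255.255.0
# /etc/hostname.carp0    same vhid and pass phrase, higher advskew = backup
inet 3.3.3.1 255.255.255.0 3.3.3.255 vhid 1 carpdev em2 pass ex4mple-carp advskew 100
# /etc/hostname.em3
inet 10.10.10.2 255.255.255.252
# /etc/hostname.pfsync0
up syncdev em3

# /etc/sysctl.conf on both routers: let FW3 take master back once it returns
net.inet.carp.preempt=1
```

If FW3 dies, the clients' default gateway moves to FW4 within a few CARP advertisement intervals, ISP1 withdraws the /24 only after its BGP hold timer expires, and the prefix stays reachable the whole time because FW4 announces it to ISP2 on its own session. Nothing in this layout ever moves a BGP peering address, which is exactly what keeps the upstream sessions out of the failover.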



Re: OpenBGP+CARP : OpenBGP does not see CARP going into master state

2005-12-27 Thread Reto Burkhalter
Hi Sylvain

 OpenBGPd looks fine for eBGP and iBGP links as long as it does not
 depend on carp.

I think this depend on is a nice feature, but I would not
use it for 100% fail-safe connections. You must take into account
that the session will go down if you trigger a failover. This
might be acceptable for some kinds of sessions (peerings, backup links)
but may be undesirable for main (transit) links.

Unfortunately, I have not had the opportunity to play with this feature
so far, so I can't tell if there is a bug.

Regards,
Reto
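
A bgpd.conf for FW3 in the two-router design from the "CARP on firewalls connected to ISP and OpenBGPd" reply above, added here to show where the depend on keyword discussed in that reply and in this one would go and why it is left out of a transit session. This is an added example, not from the posts: the AS numbers, the iBGP addresses and the filter values are assumptions, and it uses current OpenBGPD syntax rather than the 3.x syntax of 2005.

```conf
# /etc/bgpd.conf on FW3 (added example, current OpenBGPD syntax; AS numbers,
# peer addresses and filter values are assumptions).
AS 65001                 # assumed public AS of the poster
router-id 1.1.1.4
network 3.3.3.0/24       # the DMZ /24, originated by each router independently

# eBGP transit to ISP1 over the directly connected /30 on em0. The link is
# not on CARP, so the session depends on nothing but the physical interface.
# "depend on carp0" (shown commented out) would keep the session down unless
# carp0 is master and tear it down on every failover, which is the behaviour
# the replies above warn about for a transit link; it only makes sense where
# the peering address itself moves with CARP.
neighbor 1.1.1.3 {
	remote-as 65100          # assumed ISP1 AS
	descr "ISP1 transit"
	announce IPv4 unicast
	# depend on carp0
}

# iBGP to FW4 across the inside segment, so each router learns the other's
# transit and keeps forwarding if its own uplink goes away.
neighbor 3.3.3.3 {
	remote-as 65001
	descr "FW4 iBGP"
	local-address 3.3.3.2
	announce IPv4 unicast
}

# Filters: last matching rule wins, "quick" stops evaluation.
deny from any
deny to any

# Never accept private or overly specific prefixes from the transit provider.
deny quick from ebgp prefix { 10.0.0.0/8 prefixlen >= 8, 172.16.0.0/12 prefixlen >= 12, 192.168.0.0/16 prefixlen >= 16 }
deny quick from ebgp prefix 0.0.0.0/0 prefixlen > 24

allow from ebgp                  # the rest of what ISP1 sends
allow from ibgp
allow to ebgp prefix 3.3.3.0/24  # announce only our own /24 upstream
allow to ibgp
match to ibgp set nexthop self   # FW4 has no route to 1.1.1.3 itself
```

FW4's file is the mirror image: its own router-id and uplink neighbour for ISP2, and 3.3.3.2 as the iBGP peer. The outbound filter is the security-relevant line: with `deny to any` as the base and only the /24 allowed towards ebgp, a typo in a `network` statement or a route learned from the other router cannot turn the pair into an accidental transit for someone else's prefixes.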



BGPD on FreeBSD

2005-12-20 Thread Reto Burkhalter
Hi list

Maybe a little bit OT, but are there any users with experience
in using OpenBGPD on FreeBSD? I have some strange problems here.

Setup is OpenBGPD 3.7 on FreeBSD 6-RELEASE. Just a basic config
with one transit and one iBGP session with some standard filters
(check prefixlen and rfc1918 networks) works fine. But as soon as
we add more peers and filters, the bgpd daemon dies regularly with
different messages:

E.g.
fatal in RDE: nexthop_cmp: unknown af
dispatch_imsg in main: pipe closed

- This should not happen (the code could not compare either
Inet4 or Inet6)?!?

We also have entries in /var/log/messages like these: "exited on signal 6".

I can provide more information (config file, etc.) if needed.


Please contact me directly if this topic does not fit into this list.

Regards,
Reto