Re: Integration between CARP and BGPD ?

2018-09-13 Thread Tony Sarendal
Or re-write next-hop to the carp address, so carp actually decides the
master firewall.

/T


Den tors 13 sep. 2018 kl 00:20 skrev Tim Jones <
b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch>:

>
> On Wednesday, 12 September 2018 20:49, Stuart Henderson <
> s...@spacehopper.org> wrote:
>
> > On 2018-09-11, Tim Jones
> b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch wrote:
> >
> > > I've had a quick look through the man pages and am still a bit
> unclear, perhaps I'm just overthinking this ?
> > > Let's say I've got two perimeter "firewalls" running OpenBSD, talking
> BGP to upstream routers.
> > > On the "LAN" side I'm thinking about CARP, which is active/passive,
> and the devices on "LAN" side will have the CARP set as their default
> gateway.
> > > If both BGP talkers advertise the "LAN" to the upstreams (i.e.
> "network 192.0.2.0/24" in bgpd.conf), how does that work in terms of
> reachability from the device that is currently CARP passive ?
> > > The man pages mention two CARP related configuration options for
> bgpd.conf but these don't seem to cater for the application I'm thinking of
> ?  (i.e. "demote" is more related to waiting until BGP is established, and
> "depend on" is related to staying in idle if CARP is passive, which is
> obviously not an attractive idea as I'd obviously like both upstream BGP
> sessions active ? ).
> >
> > If both are advertising the same prefixes, packets could arrive at
> > either router, so to do this you'll need an IP address on the "carpdev
> > interface" i.e. the interface that carp is running over.
> >
> > PF does TCP sequence number checking, so to avoid problems there you'll
> > also need one of the following
> >
> > -   not use PF
> > -   use PF rules with "keep state (sloppy)"
> > -   use pfsync(4) with the "defer" flag
> >
> > Alternatively maybe you could control advertising the network by not
> > listing it in config, but use "bgpctl network" commands from
> ifstated or
> > similar, that way directing traffic towards the correct machine.
> Either
> > advertise with low localpref when you have carp backup and switch to
> > high localpref when you have master. Or (probably only really useful
> > within your own network) advertise the whole lan all the time, but
> also
> > advertise deaggregates from the machine with carp master.
> >
>
> Thank you Stuart !
>
> Based on your comments I've just spent a bit of time with ifstated and
> it seems that was the missing link.  Fails over nicely now with both BGP
> instances advertising but changing prefs.
>
>


Re: Integration between CARP and BGPD ?

2018-09-12 Thread Tim Jones


On Wednesday, 12 September 2018 20:49, Stuart Henderson  
wrote:

> On 2018-09-11, Tim Jones b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch 
> wrote:
>
> > I've had a quick look through the man pages and am still a bit unclear, 
> > perhaps I'm just overthinking this ?
> > Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP 
> > to upstream routers.
> > On the "LAN" side I'm thinking about CARP, which is active/passive, and the 
> > devices on "LAN" side will have the CARP set as their default gateway.
> > If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 
> > 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability 
> > from the device that is currently CARP passive ?
> > The man pages mention two CARP related configuration options for bgpd.conf 
> > but these don't seem to cater for the application I'm thinking of ?  (i.e. 
> > "demote" is more related to waiting until BGP is established, and  "depend 
> > on" is related to staying in idle if CARP is passive, which is obviously 
> > not an attractive idea as I'd obviously like both upstream BGP sessions 
> > active ? ).
>
> If both are advertising the same prefixes, packets could arrive at
> either router, so to do this you'll need an IP address on the "carpdev
> interface" i.e. the interface that carp is running over.
>
> PF does TCP sequence number checking, so to avoid problems there you'll
> also need one of the following
>
> -   not use PF
> -   use PF rules with "keep state (sloppy)"
> -   use pfsync(4) with the "defer" flag
>
> Alternatively maybe you could control advertising the network by not
> listing it in config, but use "bgpctl network" commands from ifstated or
> similar, that way directing traffic towards the correct machine. Either
> advertise with low localpref when you have carp backup and switch to
> high localpref when you have master. Or (probably only really useful
> within your own network) advertise the whole lan all the time, but also
> advertise deaggregates from the machine with carp master.
>

Thank you Stuart !

Based on your comments I've just spent a bit of time with ifstated and it 
seems that was the missing link.  Fails over nicely now with both BGP instances 
advertising but changing prefs.



Re: Integration between CARP and BGPD ?

2018-09-12 Thread Stuart Henderson
On 2018-09-11, Tim Jones  
wrote:
> I've had a quick look through the man pages and am still a bit unclear, 
> perhaps I'm just overthinking this ?
>
> Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP to 
> upstream routers.
>
> On the "LAN" side I'm thinking about CARP, which is active/passive, and the 
> devices on "LAN" side will have the CARP set as their default gateway.
>
> If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 
> 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability from 
> the device that is currently CARP passive ?
>
> The man pages mention two CARP related configuration options for bgpd.conf 
> but these don't seem to cater for the application I'm thinking of ?  (i.e. 
> "demote" is more related to waiting until BGP is established, and  "depend 
> on" is related to staying in idle if CARP is passive, which is obviously not 
> an attractive idea as I'd obviously like both upstream BGP sessions active ? 
> ).
>
>

If both are advertising the same prefixes, packets could arrive at
either router, so to do this you'll need an IP address on the "carpdev
interface" i.e. the interface that carp is running over.

PF does TCP sequence number checking, so to avoid problems there you'll
also need one of the following

- not use PF
- use PF rules with "keep state (sloppy)"
- use pfsync(4) with the "defer" flag

Alternatively maybe you could control advertising the network by not
listing it in config, but use "bgpctl network" commands from ifstated or
similar, that way directing traffic towards the correct machine. Either
advertise with low localpref when you have carp backup and switch to
high localpref when you have master. Or (probably only really useful
within your own network) advertise the whole lan all the time, but also
advertise deaggregates from the machine with carp master.
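One way to wire the ifstated/bgpctl approach together, as an added example that is not from the thread: an ifstated.conf that follows the CARP state of the LAN interface and uses bgpctl to re-announce the LAN prefix with a high localpref on the master and a low one on the backup. The interface name carp0, the prefix 192.0.2.0/24 and the localpref values are assumptions, as is a bgpd.conf that does not list the prefix statically.

```conf
# /etc/ifstated.conf -- constructed example, not the thread's own config.
# Assumptions: carp0 is the LAN-side CARP interface, 192.0.2.0/24 is the
# LAN prefix, and bgpd.conf carries NO static "network 192.0.2.0/24" line,
# so bgpctl alone controls the announcement and its attributes.
#
# Announcing an already-announced prefix again with "network add" updates
# its attributes rather than withdrawing it first.
#
# Caveat: LOCAL_PREF is only carried to iBGP peers. If the upstreams are
# eBGP sessions, steer them with "set prepend-self N" (longer AS path on
# the backup) or "set med N" (lower MED on the master) instead.

init-state auto

# ifstated sees a CARP interface as link "up" while it is MASTER and
# link "down" while it is BACKUP.
carp_master = "carp0.link.up"

# Pick the starting state from the current CARP role.
state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

# MASTER: prefer this router for traffic into the LAN.
state master {
	init {
		run "bgpctl network add 192.0.2.0/24 set localpref 200"
	}
	if ! $carp_master
		set-state backup
}

# BACKUP: keep the prefix announced (the session stays up, the LAN stays
# reachable via the carpdev address) but make it the less preferred path.
state backup {
	init {
		run "bgpctl network add 192.0.2.0/24 set localpref 50"
	}
	if $carp_master
		set-state master
}
```

Check the result on each router with `bgpctl show rib 192.0.2.0/24` after a CARP failover; the prerequisites from Stuart's reply (an address on the carpdev interface, and either no PF, `keep state (sloppy)`, or pfsync with `defer`) still apply.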




Integration between CARP and BGPD ?

2018-09-11 Thread Tim Jones
I've had a quick look through the man pages and am still a bit unclear, perhaps 
I'm just overthinking this ?

Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP to 
upstream routers.

On the "LAN" side I'm thinking about CARP, which is active/passive, and the 
devices on "LAN" side will have the CARP set as their default gateway.

If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 
192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability from 
the device that is currently CARP passive ?

The man pages mention two CARP related configuration options for bgpd.conf but 
these don't seem to cater for the application I'm thinking of ?  (i.e. "demote" 
is more related to waiting until BGP is established, and  "depend on" is 
related to staying in idle if CARP is passive, which is obviously not an 
attractive idea as I'd obviously like both upstream BGP sessions active ? ).