[pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Alastair Stevens
Hi again

We're gradually getting closer to our desired setup: 2 pfSense boxes with CARP failover, each with multiple LAN interfaces and load-balanced dual WANs.  This is obviously quite a complex setup, and getting it all working at once seems elusive - but we're almost there!

At the moment, the biggest problem is still CARP.  When firewall B is brought up, it tries to become "master" for both LAN interfaces, whilst remaining "backup" for the WANS.  This is at the same time that firewall A is "master" for everything, as it should be.  So the CARP failover just isn't working - the machines seem to be fighting each other to become master, which breaks things.

I have checked the settings, and consulted the list, multiple times, but can't get to the bottom of this.  Any more ideas on why CARP is behaving so erratically?

The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested by Scott earlier, and they have a dedicated crossover link for the pfsync traffic.

Regards
Alastair






RE: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Holger Bauer
Check the switches you use at LAN. I think there were some strange errors 
reported previously with some specific switches where it looked like the 
keepalive broadcasts were lost somewhere and the backup machine didn't see the 
master anymore. Are the switches used at WAN and LAN the same model and vendor?

Holger

-Original Message-
From: Alastair Stevens [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 14, 2006 12:44 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP - battle of the firewalls


Hi again

We're gradually getting closer to our desired setup: 2 pfSense boxes with CARP 
failover, each with multiple LAN interfaces and load-balanced dual WANs.  This 
is obviously quite a complex setup, and getting it all working at once seems 
elusive - but we're almost there!

At the moment, the biggest problem is still CARP.  When firewall B is brought 
up, it tries to become "master" for both LAN interfaces, whilst remaining 
"backup" for the WANS.  This is at the same time that firewall A is "master" 
for everything, as it should be.  So the CARP failover just isn't working - the 
machines seem to be fighting each other to become master, which breaks things.

I have checked the settings, and consulted the list, multiple times, but can't 
get to the bottom of this.  Any more ideas on why CARP is behaving so 
erratically?

The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested by Scott 
earlier, and they have a dedicated crossover link for the pfsync traffic.

Regards
Alastair


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Alastair Stevens wrote:


Hi again

We're gradually getting closer to our desired setup: 2 pfSense boxes 
with CARP failover, each with multiple LAN interfaces and 
load-balanced dual WANs.  This is obviously quite a complex setup, and 
getting it all working at once seems elusive - but we're almost there!


At the moment, the biggest problem is still CARP.  When firewall B is 
brought up, it tries to become "master" for both LAN interfaces, 
whilst remaining "backup" for the WANS.  This is at the same time that 
firewall A is "master" for everything, as it should be.  So the CARP 
failover just isn't working - the machines seem to be fighting each 
other to become master, which breaks things.


I have checked the settings, and consulted the list, multiple times, 
but can't get to the bottom of this.  Any more ideas on why CARP is 
behaving so erratically?


The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested 
by Scott earlier, and they have a dedicated crossover link for the 
pfsync traffic.


Regards
Alastair

I have an almost identical setup, except I'm not carping my WAN2, only 
WAN and LAN. When firewall A reboots it many times will only get one of 
the carps. When I reboot B that clears it up for me. However, I have 
only rarely experienced a problem with B taking over upon boot up.






Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Bill Marquette

Spanning tree port lockout will nail you pretty hard with CARP.  Make
sure your switch ports (if managed switches) are in port fast.  Also,
make sure that you haven't inadvertently turned on port security and
limited the port to a single MAC (each CARP VHID uses a MAC along with
the physical interface's MAC).

--Bill

On 7/14/06, Royce Mitchell III <[EMAIL PROTECTED]> wrote:

Alastair Stevens wrote:

> Hi again
>
> We're gradually getting closer to our desired setup: 2 pfSense boxes
> with CARP failover, each with multiple LAN interfaces and
> load-balanced dual WANs.  This is obviously quite a complex setup, and
> getting it all working at once seems elusive - but we're almost there!
>
> At the moment, the biggest problem is still CARP.  When firewall B is
> brought up, it tries to become "master" for both LAN interfaces,
> whilst remaining "backup" for the WANS.  This is at the same time that
> firewall A is "master" for everything, as it should be.  So the CARP
> failover just isn't working - the machines seem to be fighting each
> other to become master, which breaks things.
>
> I have checked the settings, and consulted the list, multiple times,
> but can't get to the bottom of this.  Any more ideas on why CARP is
> behaving so erratically?
>
> The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested
> by Scott earlier, and they have a dedicated crossover link for the
> pfsync traffic.
>
> Regards
> Alastair
>
I have an almost identical setup, except I'm not carping my WAN2, only
WAN and LAN. When firewall A reboots it many times will only get one of
the carps. When I reboot B that clears it up for me. However, I have
only rarely experienced a problem with B taking over upon boot up.









Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Bill Marquette wrote:


Spanning tree port lockout will nail you pretty hard with CARP.  Make
sure your switch ports (if managed switches) are in port fast.  Also,
make sure that you haven't inadvertently turned on port security and
limited the port to a single MAC (each CARP VHID uses a MAC along with
the physical interface's MAC).


When this happens, I do not have two masters for any single carp ip, so 
that would seem to indicate they do see each other at least somewhat. 
Also, these are not managed switches, and the sync interface is a 
cross-over cable between the two dedicated sync interfaces, no 
intermediate hardware involved.


I just double-checked and the VHIDs are different for each carp ip and 
the advertising freqs are 0's on router A and 100's on router B.


After thinking about what you said, I decided to go and double-check 
what was plugged in where, and I think I found the problem.


The WAN should be ok: both routers' wan interfaces are plugged into a 
3Com SuperStack DS Hub 500 24 port 3c16611, and the only other thing 
plugged into this device is the cable for the packets to be sent out 
through ( it actually goes through another switch before getting to the 
"modem", but I don't see a problem there ).


The LAN side is where I think I discovered the problem. Router A is 
plugged into my main LAN switch, a D-Link DGS-1024D, however router B 
isn't plugged directly into that, but a secondary switch, an AOpen 
AOW-605M, which is then plugged into the D-Link. Your statement above of 
"port fast" leads me to believe that the interfaces need to be able to 
see each other's packets in a more-timely-than-usual manner. I will move 
both LAN cables onto the same router and then report if the problem goes 
away. Since I have all unmanaged switches ( well, I actually have one 
managed on the LAN, but we've never cracked it open, and it wouldn't 
ever see any of the packets in question ), would it be advisable to give 
each carp interface a dedicated switch, or is it safe for example, to 
hook both LAN interfaces to the aforementioned D-Link, which is a 
24-port gigabit unmanaged switch which all my servers are plugged into?


Thanks for your help!

Royce Mitchell III


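The checks Bill and Royce describe above (distinct VHIDs per carp ip, advskew 0 on the preferred node and higher on the other, no VHID with two masters, the virtual MAC each VHID adds to a switch port beside the physical MAC, and the multicast advertisements Bill mentions further down) can be mechanised from the `carp:` status lines. The following is an added example, not code from the thread or from pfSense; the status lines are constructed sample data in a simplified form of the line FreeBSD's ifconfig prints for a carp interface, with the interface name prepended on the same line, and the physical MAC is a made-up placeholder.

```python
"""Sanity-check a two-node CARP pair from ifconfig-style 'carp:' status lines.

Added example, not from the mailing-list thread. Facts relied on:
  * CARP advertises to multicast group 224.0.0.18 (MAC 01:00:5e:00:00:12).
  * Each VHID answers with the virtual MAC 00:00:5e:00:01:<vhid>.
  * The effective advertisement interval is advbase + advskew/256 seconds;
    the node with the shortest interval wins the election for that VHID.
"""
import re
from dataclasses import dataclass

CARP_GROUP = "224.0.0.18"
CARP_GROUP_MAC = "01:00:5e:00:00:12"

# Constructed sample data (simplified ifconfig layout, interface name prepended).
# Firewall A: advskew 0 on every VHID, as Royce describes for router A.
STATUS_A = """\
carp0: carp: MASTER vhid 1 advbase 1 advskew 0
carp1: carp: MASTER vhid 2 advbase 1 advskew 0
carp2: carp: MASTER vhid 3 advbase 1 advskew 0
"""
# Firewall B: advskew 100, but wrongly MASTER on VHIDs 1 and 2 at the same time.
STATUS_B = """\
carp0: carp: MASTER vhid 1 advbase 1 advskew 100
carp1: carp: MASTER vhid 2 advbase 1 advskew 100
carp2: carp: BACKUP vhid 3 advbase 1 advskew 100
"""

LINE_RE = re.compile(
    r"^(?P<ifname>\S+): carp: (?P<state>MASTER|BACKUP|INIT) vhid (?P<vhid>\d+) "
    r"advbase (?P<advbase>\d+) advskew (?P<advskew>\d+)$"
)


@dataclass(frozen=True)
class CarpVip:
    ifname: str
    state: str
    vhid: int
    advbase: int
    advskew: int

    def interval(self) -> float:
        """Seconds between advertisements this node would send for the VHID."""
        return self.advbase + self.advskew / 256


def virtual_mac(vhid: int) -> str:
    """Virtual MAC a switch port will see for a VHID, in addition to the NIC's own."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def parse_status(text: str) -> dict[int, CarpVip]:
    """Parse one node's carp lines; a VHID reused on the same node is an error."""
    vips: dict[int, CarpVip] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        vip = CarpVip(m["ifname"], m["state"], int(m["vhid"]),
                      int(m["advbase"]), int(m["advskew"]))
        if vip.vhid in vips:
            raise ValueError(f"duplicate vhid {vip.vhid} on one node")
        vips[vip.vhid] = vip
    return vips


def find_split_brain(a: dict[int, CarpVip], b: dict[int, CarpVip]) -> list[int]:
    """VHIDs where both nodes claim MASTER: they are not seeing each other's advertisements."""
    return sorted(v for v in a.keys() & b.keys()
                  if a[v].state == "MASTER" and b[v].state == "MASTER")


def expected_master(a: dict[int, CarpVip], b: dict[int, CarpVip], vhid: int) -> str:
    """'A', 'B', or 'tie' (equal skew, election decided by other means)."""
    ia, ib = a[vhid].interval(), b[vhid].interval()
    if ia < ib:
        return "A"
    if ib < ia:
        return "B"
    return "tie"


def macs_on_port(vips: dict[int, CarpVip], physical_mac: str) -> list[str]:
    """Every source MAC a port-security limit must allow for this node's interface."""
    return [physical_mac] + [virtual_mac(v) for v in sorted(vips)]


def check_pair(status_a: str, status_b: str) -> dict:
    a, b = parse_status(status_a), parse_status(status_b)
    common = sorted(a.keys() & b.keys())
    return {
        "split_brain": find_split_brain(a, b),
        "ties": [v for v in common if expected_master(a, b, v) == "tie"],
        "only_on_one_node": sorted(a.keys() ^ b.keys()),
        "macs_per_port": len(common) + 1,
    }


if __name__ == "__main__":
    report = check_pair(STATUS_A, STATUS_B)
    print(f"advertisements go to {CARP_GROUP} / {CARP_GROUP_MAC}")
    print(f"dual-master VHIDs: {report['split_brain']}")
    print(f"equal-skew VHIDs:  {report['ties']}")
    print(f"MACs a port-security limit must allow: {report['macs_per_port']}")
```

Run against real output, the interesting result is a non-empty `split_brain` list for VHIDs that were supposed to share a segment; in Royce's case it would be empty (he never saw two masters), which is what pointed him away from a keepalive-loss explanation and towards cabling. An equal `advskew` on both nodes shows up under `ties`, and `macs_per_port` is the number to compare against any per-port MAC limit on the switch.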



Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Bill Marquette

On 7/14/06, Royce Mitchell III <[EMAIL PROTECTED]> wrote:

ever see any of the packets in question ), would it be advisable to give
each carp interface a dedicated switch, or is it safe for example, to
hook both LAN interfaces to the aforementioned D-Link, which is a
24-port gigabit unmanaged switch which all my servers are plugged into?


Given your setup and the fact that you still have a single point of
failure on the WAN side of your firewall, I'd probably plug both
firewalls into your most reliable switch.  Trying to split them may
end up in some rather goofy network issues anyway in failover
scenarios.

--Bill




Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Bill Marquette wrote:


On 7/14/06, Royce Mitchell III <[EMAIL PROTECTED]> wrote:


ever see any of the packets in question ), would it be advisable to give
each carp interface a dedicated switch, or is it safe for example, to
hook both LAN interfaces to the aforementioned D-Link, which is a
24-port gigabit unmanaged switch which all my servers are plugged into?



Given your setup and the fact that you still have a single point of
failure on the WAN side of your firewall, I'd probably plug both
firewalls into your most reliable switch.  Trying to split them may
end up in some rather goofy network issues anyway in failover
scenarios.


It wasn't intentional to set them up so goofily so much as just an 
experiment that turned into a working setup without reviewing ( until 
now ) the setup. There's no avoiding a single point of failure on the 
wan side because there's only one modem, which is why we have the 
dual-wan setup. While each isp is a single point of failure, the fact 
that we have two mitigates the single point of failure. The only real 
single point of failure we have is the central d-link switch.


Anyway I will try getting all carp interfaces on shared switches next 
week and see what that improves.


Thanks!





RE: [pfSense Support] CARP - battle of the firewalls

2006-07-17 Thread Alastair Stevens
Hi - well this sounds interesting, though not very encouraging!  The whole thing is set up on a test bench at the moment, and as it happens, we are using *different* types of switches on different interfaces.  The LANs are using 24-port Netgears, and the WANs are using cheapo D-Link consumer switches temporarily.

All but one are unmanaged, though I think we'll be using the managed ones in the production setup.  This looks like a tricky one to diagnose - maybe it will all 'just work' in production?  :-)

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]]
Sent: Fri 14/07/2006 12:00
To: support@pfsense.com
Subject: RE: [pfSense Support] CARP - battle of the firewalls

Check the switches you use at LAN. I think there were some strange errors reported previously with some specific switches where it looked like the keepalive broadcasts were lost somewhere and the backup machine didn't see the master anymore. Are the switches used at WAN and LAN the same model and vendor?

Holger






Re: [pfSense Support] CARP - battle of the firewalls

2006-07-17 Thread Bill Marquette

On 7/17/06, Alastair Stevens <[EMAIL PROTECTED]> wrote:


Hi - well this sounds interesting, though not very encouraging!  The whole
thing is set up on a test bench at the moment, and as it happens, we are
using *different* types of switches on different interfaces.  The LANs are
using 24-port Netgears, and the WANs are using cheapo D-Link consumer
switches temporarily.

 All but one are unmanaged, though I think we'll be using the managed ones
in the production setup.  This looks like a tricky one to diagnose - maybe
it will all 'just work' in production?  :-)


CARP is a multicast protocol and uses a multicast MAC address.  The
cheap switches _should_ handle it fine, with that said, I've only run
it on high end Ciscos, Nortels, a netgear (consumer grade) and
whatever is built into my cable modem and, when I had it, dsl modem.
On the Ciscos and Nortels, I've certainly run it 'cross switch where
each firewall interface was on a different interface, it works (be
careful with the Nortels, we ran into code bugs with them).  Not sure
what more I can suggest, it sounds like you've got a pretty basic
setup and it's still not working properly :-/

--Bill
