Help with bridging firewall failover w/ CARP, OpenBSD 3.7


Help with bridging firewall failover w/ CARP, OpenBSD 3.7

Ramsey Tantawi-2
I can't get failover of a bridging firewall to work using CARP and OpenBSD 3.7.

All the documentation + googling I've done leads me to believe it
*should* work.  I think.  But with everything set up all I get is a
flood of ARP requests that paralyze the network and the firewalls.

The setup:

Two computers, each with 4 Ethernet ports:

fxp0 -- WAN -- no IP address
rl0 -- LAN -- no IP address
rl1 -- SSH -- public IP address
rl2 -- pfsync -- directly connected to other computers, IPs are
10.0.0.1 and 10.0.0.2.

fxp0, rl0, rl1 all work fine.  bridgename.bridge0 works fine (the
bridges work great on each computer individually), tcpdump indicates
that pfsync (hostname.pfsync0) works fine too.

In addition to settings needed for bridging, net.inet.carp.preempt=1
and net.inet.carp.log=1 are set.

Here are my carp settings for the primary firewall:

hostname.carp0:
up vhid 1 carpdev fxp0 pass passxxxx advbase 3

hostname.carp1:
up vhid 2 carpdev rl0 pass passyyyy advbase 3


and for the secondary:

hostname.carp0:
up vhid 1 carpdev fxp0 pass passxxxx advbase 3 advskew 100

hostname.carp1:
up vhid 2 carpdev rl0 pass passyyyy advbase 3 advskew 100

I tried adding a publicly-routable IP address to carp0 and carp1, but
I got a "couldn't set this IP address" error from those two interfaces
when I ran netstart.  Or should I use a non-routable IP here?

pf.conf consists of just:
set loginterface fxp0
pass all keep state

Network looks like:

                                         ---- firewall A ----
T1 --> crappy 8-port unmanaged switch --|                    |--- unmanaged switch
                                         ---- firewall B ----

Any help would be much appreciated!

Ramsey


Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

Camiel Dobbelaar
On Fri, 18 Nov 2005, Ramsey Tantawi wrote:
> I can't get failover of a bridging firewall to work using CARP and OpenBSD 3.7.
>
> All the documentation + googling I've done leads me to believe it
> *should* work.  I think.  But with everything set up all I get is a
> flood of ARP requests that paralyze the network and the firewalls.

Carp is meant to fail over addresses, not interfaces.

For a redundant bridge setup you need spanning tree.  See "stp" in the
brconfig(8) manpage.

--
Cam


Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

Ramsey Tantawi-2
On 11/19/05, Camiel Dobbelaar <[hidden email]> wrote:
>
> Carp is meant to fail over addresses, not interfaces.
>
> For a redundant bridge setup you need spanning tree.  See "stp" in the
> brconfig(8) manpage.

I'm using unmanaged switches that don't support STP, so for now I'm out of luck.

Thanks for the info.

Ramsey


Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

Camiel Dobbelaar
On Sat, 19 Nov 2005, Ramsey Tantawi wrote:
> > For a redundant bridge setup you need spanning tree.  See "stp" in the
> > brconfig(8) manpage.
>
> I'm using unmanaged switches that don't support STP, so for now I'm out of luck.

No, that's ok.  You don't have to run STP on every device, only on the
ones that might otherwise be able to create a loop.


Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

Ramsey Tantawi-2
On 11/19/05, Camiel Dobbelaar <[hidden email]> wrote:
>
> On Sat, 19 Nov 2005, Ramsey Tantawi wrote:
> > > For a redundant bridge setup you need spanning tree.  See "stp" in the
> > > brconfig(8) manpage.
> >
> > I'm using unmanaged switches that don't support STP, so for now I'm out of luck.
>
> No, that's ok.  You don't have to run STP on every device, only on the
> ones that might otherwise be able to create a loop.

Ah, I think I get it now.

For simple failover to a backup firewall, I would have these
bridgename.bridge0 configurations:

Master:
add fxp0
add rl0
stp fxp0
stp rl0
maxage 5
hellotime 2
priority 100
ifcost fxp0 100
ifcost rl0 55
up

Backup:
add fxp0
add rl0
stp fxp0
stp rl0
maxage 5
hellotime 2
priority 50000
ifcost fxp0 100
ifcost rl0 55

This would do the following:

--Enable Spanning Tree Protocol on both interfaces, and set interface
cost so rl0 will be the root port on the non-root bridge (the backup).
Thus master and backup will communicate on rl0.  In normal operation
fxp0 would be blocked due to its higher cost.

--Set priority of the primary lower so it will be the root bridge.
All interfaces can remain at default priority.

--Set maxage to 5 meaning that the maximum time failover will take is
5 seconds.  Explicitly set hellotime to 2 for clarity.

Any errors in the above?

Thanks much,

Ramsey
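The root-bridge / root-port / designated-port election that the configuration above relies on can be checked offline. The following is an added example, not code from the thread or from OpenBSD's bridge(4): it models only the STP election (no BPDU timers, no hellotime/maxage/forwarddelay, no per-port priorities) for the two bridging firewalls described in the posts, using the posted priority and ifcost values, and then repeats the election with the master removed to show the backup taking over. The bridge names, segment names "wan"/"lan" and the tie-breaking by bridge name (standing in for the MAC part of a real bridge ID) are assumptions of this example.

```python
# Added illustration of a simplified STP election for the thread's topology;
# not OpenBSD's bridge(4) code. Timers and port priorities are not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    bridge: str    # bridge that owns the port
    name: str      # interface name, e.g. "fxp0"
    cost: int      # path cost, the brconfig "ifcost" value
    segment: str   # switch / LAN segment the port is plugged into (assumed names)


def stp_port_states(priorities, ports):
    """Return ({(bridge, port): "forwarding" | "blocked"}, root_bridge_name).

    priorities maps bridge name -> STP priority (brconfig "priority"); lower
    wins, ties broken by name (stand-in for the MAC address in a bridge ID).
    """
    INF = float("inf")
    bridge_id = {b: (prio, b) for b, prio in priorities.items()}
    root = min(bridge_id, key=bridge_id.get)
    root_cost = {b: (0 if b == root else INF) for b in priorities}
    best = {b: None for b in priorities}  # (cost, neighbour id, port) of root port
    # Relax until stable: a bridge reaches the root through a neighbour on a
    # shared segment at (neighbour's root path cost + its own port cost).
    changed = True
    while changed:
        changed = False
        for p in ports:
            if p.bridge == root:
                continue
            for q in ports:
                if q.segment != p.segment or q.bridge == p.bridge:
                    continue
                cand = (root_cost[q.bridge] + p.cost, bridge_id[q.bridge], p.name)
                if cand[0] < INF and (best[p.bridge] is None or cand < best[p.bridge]):
                    best[p.bridge] = cand
                    root_cost[p.bridge] = cand[0]
                    changed = True
    root_port = {b: (c[2] if c else None) for b, c in best.items()}
    # Designated port per segment: lowest root path cost, then lowest bridge ID.
    designated = {}
    for p in ports:
        key = (root_cost[p.bridge], bridge_id[p.bridge], p.name)
        if p.segment not in designated or key < designated[p.segment][0]:
            designated[p.segment] = (key, p)
    states = {}
    for p in ports:
        forwarding = root_port[p.bridge] == p.name or designated[p.segment][1] == p
        states[(p.bridge, p.name)] = "forwarding" if forwarding else "blocked"
    return states, root


def thread_topology(master_alive=True):
    """Both firewalls bridge fxp0 (WAN switch) and rl0 (LAN switch) with the
    posted values: master priority 100, backup 50000, ifcost fxp0 100, rl0 55."""
    priorities = {"backup": 50000}
    ports = [Port("backup", "fxp0", 100, "wan"), Port("backup", "rl0", 55, "lan")]
    if master_alive:
        priorities["master"] = 100
        ports += [Port("master", "fxp0", 100, "wan"), Port("master", "rl0", 55, "lan")]
    return stp_port_states(priorities, ports)


if __name__ == "__main__":
    for alive in (True, False):
        states, root = thread_topology(alive)
        print(f"master {'up' if alive else 'down'}: root bridge = {root}")
        for (bridge, name), state in sorted(states.items()):
            print(f"  {bridge}/{name}: {state}")
```

With the master present it is elected root (priority 100 beats 50000), both of its ports are designated and forward, the backup reaches the root most cheaply through rl0 (55 versus 100) so rl0 becomes its root port, and the backup's fxp0 is neither root nor designated and is blocked, which is exactly the loop-free state the configuration aims for. Remove the master and the backup becomes root with both ports forwarding. Swapping the two ifcost values makes fxp0 the backup's root port instead, so the costs decide which segment the two firewalls keep talking on.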