How to implement CARP master/backup with IPv6 RAs from OpenBSD firewall pair?


Martin Gignac
Hi,

How does one implement a redundant OpenBSD firewall pair with IPv6?

With IPv4 I would use CARP to have one of the boxes be the
master/active while the other one is backup/standby. But with IPv6 I
want to use Router Advertisements so that hosts on the internal
network can use SLAAC for IPv6 address autoconfiguration. Therefore
hosts will receive RAs from both OpenBSD boxes and set both as
possible default GWs in their routing table.

In that case, how do I get the internal hosts to send all traffic to
the "primary" firewall? I've configured the CARP interface on the box
with IPv6, but the RAs are still sent from both boxes (master and
backup) so the RA-configured hosts don't end up using the IPv6 CARP
VIP at all and I seem to end up with possible asymmetric firewall
flows.

Thanks,
-Martin


Re: How to implement CARP master/backup with IPv6 RAs from OpenBSD firewall pair?

Selveste1
For an IPv6-only setup I would put an IPv6 anycast address on your
interface on both servers and then announce that in your RA, and use OSPF
between the servers if they are connected to two different
upstream providers.

But if you are dependent on a CARP IPv4 and tunneling setup on the
outside for your IPv6 connectivity, so that only one of the servers is
able to route traffic at a time, you would have to put your IPv6 address
as an alias on a CARP for the inside and get your RA daemon to advertise
on that CARP interface; then it would stop sending on the interface in
backup state.

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 2018-07-26 22:57, Martin Gignac wrote:

> Hi,
>
> How does one implement a redundant OpenBSD firewall pair with IPv6?
>
> With IPv4 I would use CARP to have one of the boxes be the
> master/active while the other one is backup/standby. But with IPv6 I
> want to use Router Advertisements so that hosts on the internal
> network can use SLAAC for IPv6 address autoconfiguration. Therefore
> hosts will receive RAs from both OpenBSD boxes and set both as
> possible default GWs in their routing table.
>
> In that case, how do I get the internal hosts to send all traffic to
> the "primary" firewall? I've configured the CARP interface on the box
> with IPv6, but the RAs are still sent from both boxes (master and
> backup) so the RA-configured hosts don't end up using the IPv6 CARP
> VIP at all and I seem to end up with possible asymmetric firewall
> flows.
>
> Thanks,
> -Martin
>



Re: How to implement CARP master/backup with IPv6 RAs from OpenBSD firewall pair?

Martin Gignac
The way the setup is currently done is with an external connection to
a single ISP. For both IPv4 and IPv6 on the external side the
configuration is all static address assignment, with a single default
route towards the ISP and the ISP has a single static route (well, one
route for IPv4 and one for IPv6) for the delegated IPv4 and IPv6
ranges we were assigned that points towards the IPv4 and IPv6 CARP
VIPs I've configured on the external side. So from an ISP-to-me point
of view it's very simple and it works. I do not run any IPv6 routing
advertisements on that external side since everything is configured
statically.

My question and concern is really from an internal perspective. That
being said, I realized I was doing it wrong when I read your "get you
RA-daemon to advertise on that CARP interface". I was configuring
/etc/rad.conf with "interface em1", when I now realize I should have
put "interface carp0" instead. With this change the RA daemon now
sends a single advertisement for the CARP interface's link-local
address, which is what I wanted all along.

Thanks!
-Martin

On Thu, Jul 26, 2018 at 6:11 PM Henrik Dige Semark wrote:

>
> For an IPv6-only setup I would put an IPv6 anycast address on your
> interface on both servers and then announce that in your RA, and use OSPF
> between the servers if they are connected to two different
> upstream providers.
>
> But if you are dependent on a CARP IPv4 and tunneling setup on the
> outside for your IPv6 connectivity, so that only one of the servers is
> able to route traffic at a time, you would have to put your IPv6 address
> as an alias on a CARP for the inside and get your RA daemon to advertise
> on that CARP interface; then it would stop sending on the interface in
> backup state.
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
>
> On 2018-07-26 22:57, Martin Gignac wrote:
> > Hi,
> >
> > How does one implement a redundant OpenBSD firewall pair with IPv6?
> >
> > With IPv4 I would use CARP to have one of the boxes be the
> > master/active while the other one is backup/standby. But with IPv6 I
> > want to use Router Advertisements so that hosts on the internal
> > network can use SLAAC for IPv6 address autoconfiguration. Therefore
> > hosts will receive RAs from both OpenBSD boxes and set both as
> > possible default GWs in their routing table.
> >
> > In that case, how do I get the internal hosts to send all traffic to
> > the "primary" firewall? I've configured the CARP interface on the box
> > with IPv6, but the RAs are still sent from both boxes (master and
> > backup) so the RA-configured hosts don't end up using the IPv6 CARP
> > VIP at all and I seem to end up with possible asymmetric firewall
> > flows.
> >
> > Thanks,
> > -Martin
> >
>
>


Re: How to implement CARP master/backup with IPv6 RAs from OpenBSD firewall pair?

Marc Peters-3
On Thu, Jul 26, 2018 at 04:57:09PM -0400, Martin Gignac wrote:

> Hi,
>
> How does one implement a redundant OpenBSD firewall pair with IPv6?
>
> With IPv4 I would use CARP to have one of the boxes be the
> master/active while the other one is backup/standby. But with IPv6 I
> want to use Router Advertisements so that hosts on the internal
> network can use SLAAC for IPv6 address autoconfiguration. Therefore
> hosts will receive RAs from both OpenBSD boxes and set both as
> possible default GWs in their routing table.
>
> In that case, how do I get the internal hosts to send all traffic to
> the "primary" firewall? I've configured the CARP interface on the box
> with IPv6, but the RAs are still sent from both boxes (master and
> backup) so the RA-configured hosts don't end up using the IPv6 CARP
> VIP at all and I seem to end up with possible asymmetric firewall
> flows.
>
> Thanks,
> -Martin

rtadvd will only start on the master, because the interface has to
be active. With ifstated, you can automate this (starting, stopping).
I don't know if rad is also dependent on the interface, but once you
have the ifstated in place, you would just need to change the name of
the daemon and restart ifstated.

hth,
Marc
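Putting Martin's rad.conf fix and Marc's ifstated suggestion together, as an added example that is not from any poster in the thread: rad advertises on the inside CARP interface, and ifstated starts rad only while that interface is MASTER. The prefix 2001:db8:1::/64, the interface name carp0 and the use of rcctl are assumptions.

```conf
# /etc/rad.conf (constructed example). Advertising on carp0 instead of the
# physical em1 ties the RA, and the link-local router address hosts learn
# from it, to the CARP VIP rather than to each box's own em1 address.
interface carp0 {
	prefix 2001:db8:1::/64
}

# /etc/ifstated.conf (constructed example, following Marc's suggestion).
# Assumes rad has been enabled with "rcctl enable rad" so it runs at boot;
# the backup box then stops it as soon as ifstated sees carp0 in BACKUP.
# For a carp interface, link.up means MASTER and link.down means BACKUP.
init-state auto

state auto {
	if carp0.link.up
		set-state master
	if carp0.link.down
		set-state backup
}

state master {
	init {
		run "rcctl start rad"
	}
	if carp0.link.down
		set-state backup
}

state backup {
	init {
		run "rcctl stop rad"
	}
	if carp0.link.up
		set-state master
}
```

After a CARP failover, check on the internal hosts that the only default router learned from RAs is the carp0 link-local address, which keeps return traffic on the same box that forwarded the outbound packet.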