carp+pfsync+freevrrpd+jail



Dear all.
I have the following trouble:
Using carp and pfsync I have made a redundant firewall (OS is 6.1p2 and everything is done as in the man pages, even the ifconfig options).
The only thing that is different is that I have 2 ethernet interfaces (one for the crossover link and the other is the parent interface for the vlans).

host1
ifconfig_vlan101="inet X.Y.Z.1 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.1 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp1="vhid 1 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"

host2
ifconfig_vlan101="inet X.Y.Z.2 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.2 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"


What I have is that when I'm pinging the carp0 (inet) or carp1 (lan) interface's IP address of my firewall, I'm receiving DUP responses.

And when host2 is the slave and I'm starting to ping the carp0 address, no traffic appears on the master host; that means that the local carp interface is responding to my packets.

That means that in case some service (provided by a jail managed by freevrrpd) is accessed from outside, I cannot be sure which host will answer the request.

I have done some tests. When I'm sshing to the virtual IP, sometimes I'm getting the ssh prompt and can log in, sometimes it says that the host auth info is bad (yes, because the second server is answering me at this time), and sometimes I'm losing the ssh connection while the session is active.

net.inet.carp.preempt = 1
net.inet.carp.log=2
net.inet.carp.arpbalance=0

No balance needed. I want to have some services run in the main OS, some services run in a jail, and I want to be sure which host will answer the request when both hosts are up and running.

Could someone please direct me what to do or where to read?

Best regards,
Anton Nikiforov
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
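The symptom in the post (DUP replies, and the local host answering while it should be slave) is what a CARP pair looks like when both members believe they are MASTER for the same vhid. The script below is an added example, not part of the original post: it parses the `ifconfig` output of both hosts for a given carp interface and reports SPLIT-BRAIN when both claim MASTER, and counts DUP! lines in ping output. The ifconfig and ping outputs embedded here are constructed samples using documentation addresses, not output from the poster's hosts.

```shell
#!/bin/sh
# Added example: detect a CARP split-brain from the ifconfig output of both
# hosts, and count duplicate ping replies. Sample outputs below are constructed.

# Print the CARP state (MASTER/BACKUP/INIT) of interface $1, reading an
# ifconfig dump on stdin. FreeBSD prints an indented line such as
#   carp: MASTER vhid 1 advbase 1 advskew 0
# under the "carpN:" header of each carp interface.
carp_state() {
    awk -v ifn="$1" '
        $1 == (ifn ":")            { inblock = 1; next }   # header of wanted iface
        /^[a-z]/                   { inblock = 0 }          # header of another iface
        inblock && $1 == "carp:"   { print $2; exit }       # state is the 2nd field
    '
}

# Compare the state of interface $1 on host1 ($2) and host2 ($3).
# Prints SPLIT-BRAIN if both are MASTER, NO-MASTER if neither is, else OK.
carp_pair_status() {
    s1=$(printf '%s\n' "$2" | carp_state "$1")
    s2=$(printf '%s\n' "$3" | carp_state "$1")
    if [ "$s1" = MASTER ] && [ "$s2" = MASTER ]; then echo SPLIT-BRAIN
    elif [ "$s1" = MASTER ] || [ "$s2" = MASTER ]; then echo OK
    else echo NO-MASTER
    fi
}

# Count "(DUP!)" replies in ping output on stdin: each one means a second
# host answered the same echo request, i.e. the virtual IP has two owners.
dup_count() {
    awk '/DUP!/ { n++ } END { print n + 0 }'
}

# Constructed ifconfig output: host1 is MASTER on both carp interfaces,
# host2 is wrongly MASTER on carp0 (split-brain) but BACKUP on carp1.
HOST1_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 192.0.2.3 netmask 0xffffffff
    carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 198.51.100.3 netmask 0xffffffff
    carp: MASTER vhid 1 advbase 1 advskew 0'
HOST2_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    carp: BACKUP vhid 1 advbase 1 advskew 100'
# Constructed ping output with two duplicated replies.
PING_OUTPUT='64 bytes from 192.0.2.3: icmp_seq=0 ttl=64 time=0.312 ms
64 bytes from 192.0.2.3: icmp_seq=0 ttl=64 time=0.540 ms (DUP!)
64 bytes from 192.0.2.3: icmp_seq=1 ttl=64 time=0.298 ms
64 bytes from 192.0.2.3: icmp_seq=1 ttl=64 time=0.522 ms (DUP!)'

echo "carp0: $(carp_pair_status carp0 "$HOST1_IFCONFIG" "$HOST2_IFCONFIG")"
echo "carp1: $(carp_pair_status carp1 "$HOST1_IFCONFIG" "$HOST2_IFCONFIG")"
echo "dup replies: $(printf '%s\n' "$PING_OUTPUT" | dup_count)"
```

On real hosts, feed `ifconfig` from each member of the pair (for example over ssh to each host's own address, not the virtual IP) and `ping -c 10 <virtual IP>` into these functions instead of the constructed strings.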


