carp+pfsync+freevrrpd+jail



Dear all.
I have the following trouble:
Using carp and pfsync I have made a redundant firewall (OS is 6.1p2 and everything is done like in the man pages, even the ifconfig options).
The only thing that is different is that I have 2 Ethernet interfaces (one for the crossover link and the other is the parent interface for the VLANs).

host1
ifconfig_vlan101="inet X.Y.Z.1 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.1 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp1="vhid 1 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"

host2
ifconfig_vlan101="inet X.Y.Z.2 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.2 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"


What I have is that when I'm pinging the carp0 (inet) or carp1 (lan) interface's IP address of my firewall, I'm receiving DUP responses.

And when host2 is the slave and I start to ping the carp0 address, no traffic appears on the master host; that means that the local carp interface is responding to my packets.

That means that in case some service (provided by a jail managed by freevrrpd) is accessed from outside, I cannot be sure which host will answer the request.

I have done some tests. When I'm SSHing to the virtual IP, sometimes I get the ssh prompt and can log in, sometimes it says that the host auth info is bad (yes, because the second server is answering me at this time), and sometimes I lose the ssh connection while the session is active.

net.inet.carp.preempt=1
net.inet.carp.log=2
net.inet.carp.arpbalance=0

No balancing needed. I want to have some services run in the main OS, some services run in a jail, and I want to be sure which host will answer the request when both hosts are up and running.

Could someone please direct me what to do or where to read?

Best regards,
Anton Nikiforov
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
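The symptom described in the post (DUP! ping replies and an SSH host key that changes between connections to the virtual IP) is what you see when both firewalls believe they are MASTER for the same carp interface. The script below is an added example, not code from the original post or from FreeBSD: it takes `ifconfig` output from both hosts, reports which host is MASTER for each carp interface, and flags the two-masters case. It assumes the FreeBSD `ifconfig` status line format `carp: MASTER vhid 1 advbase 1 advskew 0` (one line per carp interface); the host names are placeholders and the sample output is constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example; not code from the original post. Reports the CARP state of
# each carp interface on a pair of firewalls and flags the two-masters
# condition behind DUP! replies and SSH host-key mismatches on the VIP.
# Assumption: ifconfig prints one status line per carp interface in the
# FreeBSD form "carp: MASTER vhid 1 advbase 1 advskew 0". Sample output
# below is constructed, not captured.

# Print "iface state vhid advskew" for every carp interface in one dump.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]/   { ifn = $1; sub(":", "", ifn) }   # "carp0: flags=..."
        $1 == "carp:" { print ifn, $2, $4, $8 }          # state, vhid, advskew
    '
}

# Compare two dumps (host1, host2). Returns 0 only if every carp interface
# has exactly one MASTER across the pair; prints one line per interface.
check_carp_pair() {
    rc=0
    both=$( carp_states "$1" | sed 's/^/host1 /'; carp_states "$2" | sed 's/^/host2 /' )
    for ifn in $(printf '%s\n' "$both" | awk '{ print $2 }' | sort -u); do
        masters=$(printf '%s\n' "$both" | awk -v i="$ifn" '$2 == i && $3 == "MASTER" { n++ } END { print n + 0 }')
        skews=$(printf '%s\n' "$both" | awk -v i="$ifn" '$2 == i { print $5 }' | sort -u | awk 'END { print NR }')
        case $masters in
            1) echo "$ifn: ok, one MASTER" ;;
            0) echo "$ifn: no MASTER"; rc=1 ;;
            *) echo "$ifn: $masters MASTERs, both hosts answer the VIP"; rc=1 ;;
        esac
        # Equal advskew on both sides leaves the election to the MAC tie-break.
        [ "$skews" -gt 1 ] || echo "$ifn: advskew equal on both hosts; check advskew/preempt"
    done
    return $rc
}

# Constructed sample of the broken state: host2 never heard host1's
# advertisements, so both are MASTER for carp0.
HOST1_BAD='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet X.Y.Z.3 netmask 0xffffff00
    carp: MASTER vhid 1 advbase 1 advskew 0'
HOST2_BAD='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet X.Y.Z.3 netmask 0xffffff00
    carp: MASTER vhid 1 advbase 1 advskew 100'
# Constructed sample of the healthy state for host2.
HOST2_OK='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet X.Y.Z.3 netmask 0xffffff00
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# Live use would be: check_carp_pair "$(ssh fw1 ifconfig)" "$(ssh fw2 ifconfig)"
check_carp_pair "$HOST1_BAD" "$HOST2_BAD" || echo "result: split brain on at least one interface"
check_carp_pair "$HOST1_BAD" "$HOST2_OK"  && echo "result: pair is consistent"
```

Run it from a third machine (or from one firewall over the crossover link) whenever the DUP replies appear; if it reports two MASTERs, the two hosts are not seeing each other's CARP advertisements on that VLAN, which is where to look next (the parent interface, VLAN tagging, and the `pass` and `vhid` values on both sides).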
