Netgate Discussion Forum

CARP with single external IP under 1.2.3-PreRelease-Testing version

1.2.3-PRERELEASE-TESTING snapshots - RETIRED
    fastcon68
    last edited by Sep 3, 2009, 8:03 PM

    I was reviewing my notes and was wondering if I could set up CARP with two virtual machines with one external IP address.  I have been debating reviewing this.

    If this is possible, does anyone have any guides to setting up CARP in this manner?

    The main reason for this type of configuration for me is that I have had my firewall lock up from time to time. I would like the second firewall to take over in this case.

    I have been busy testing my firewall to the limit.  I have the following services running on it:
    avahi
    DNS Server
    iperf
    denyhosts
    snort
    ntop
    dnsmasq 
    dhcpd  
    racoon

    Only thing I have noticed is that ntop keeps stopping.  Everything else is running great.  Processor is spiking up to 25% but does not stay there for long.  Even Snort is running great.

    pfSense just keeps getting better.  I can't wait for the final release.
    RC

      dotdash
      last edited by Sep 3, 2009, 9:23 PM

      CARP still needs a public IP for each firewall, and at least one for a CARP interface. I haven't been following it lately, but AFAIK CARPDEV still doesn't work on FreeBSD. If that's incorrect, someone let me know so I can send Max or whoever a beer.

        fastcon68
        last edited by Sep 4, 2009, 4:14 AM

        Now I know with a Microsoft cluster really the only address that needs to be exposed is the virtual address.  So if we put the two servers on, let's say, 10.0.0.1 and 10.0.0.2 and the virtual address is our exposed WAN address, does this meet the criteria?

        So on the inside we would use two DHCP servers and set up a split scope in the event one of the two servers went down.  The same would go for OpenVPN.

        Now if I am totally off base please let me know.  I would really like to consider a more redundant environment if possible.  Even if it is virtual, redundancy is key when spread across two servers in a clustered environment.
        RC

          dotdash
          last edited by Sep 4, 2009, 1:32 PM

          You're totally off base here.
          Under FreeBSD, CARP needs a public IP for each firewall, so the minimum setup is three public IPs.
          In OpenBSD, you can point a CARP interface at a specific interface (say your WAN interface), but under FreeBSD the CARP interface must match the subnet of the actual interface. So you can't have a private IP on WAN and float a public CARP address. This won't change until the functionality is ported to FreeBSD.
          As for the DHCP, if you're running it on the firewall, the failover DHCP is much cleaner than running a split scope.

            fastcon68
            last edited by Sep 6, 2009, 5:56 AM

            I get the idea that I have to have three external IPs, which I can't have.  But now I have a new question: I want to research and get a better understanding of CARP and its functionality.

            Now looking ahead, is the functionality I am looking for being built into release 2.0 or is it going to be added to 1.2.3 later?  I am trying to build a prototype environment and looking to put as much power and redundancy in it as possible.  A clustered environment would be the best if possible.
            RC

              cmb
              last edited by Sep 6, 2009, 7:41 PM

              It definitely won't be in 1.2.x. 2.0 depends on if/when it gets into FreeBSD, probably not likely for 2.0 either. You need 3 static public IPs if you want stateful failover. You can do with two if you don't want to fail over and retain states.

              1 Reply Last reply Reply Quote 0
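The subnet rule from the replies above (each firewall's real WAN address and the CARP VIP must share a subnet, so a public VIP costs three public IPs) can be checked against an address plan before building anything. This is an added example, not part of the thread and not pfSense code; the function name, the /24 and /29 prefixes, and the 198.51.100.x addresses (documentation-range stand-ins for public IPs) are assumptions.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also flag the
# documentation range used below as a stand-in for public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_carp_wan(primary, secondary, vip):
    """Check a two-node WAN plan against the rule stated in the thread.

    primary/secondary: real WAN interface addresses with prefix length.
    vip: the shared CARP address. Returns (problems, public_ips_needed).
    """
    nodes = {"primary": ipaddress.ip_interface(primary),
             "secondary": ipaddress.ip_interface(secondary)}
    vip_addr = ipaddress.ip_address(vip)
    problems = []

    if nodes["primary"].ip == nodes["secondary"].ip:
        problems.append("both firewalls use the same WAN address")
    for name, iface in nodes.items():
        if iface.ip == vip_addr:
            problems.append(f"{name}: WAN address is the same as the CARP VIP")
        elif vip_addr not in iface.network:
            problems.append(
                f"{name}: CARP VIP {vip_addr} is not in WAN subnet {iface.network}")

    # Every distinct non-RFC1918 address in the plan is one public IP to obtain.
    used = {nodes["primary"].ip, nodes["secondary"].ip, vip_addr}
    public_needed = sum(1 for a in used if not is_rfc1918(a))
    return problems, public_needed


# Constructed sample plans: the private-WAN idea from the thread, and the
# three-public-IP layout the replies say is required.
PRIVATE_WAN_PLAN = ("10.0.0.1/24", "10.0.0.2/24", "198.51.100.10")
THREE_PUBLIC_PLAN = ("198.51.100.2/29", "198.51.100.3/29", "198.51.100.4")

if __name__ == "__main__":
    for label, plan in (("private WAN + public VIP", PRIVATE_WAN_PLAN),
                        ("three public IPs", THREE_PUBLIC_PLAN)):
        problems, needed = check_carp_wan(*plan)
        print(f"{label}: public IPs needed = {needed}")
        for p in problems or ["ok: VIP shares a subnet with both WAN interfaces"]:
            print("  " + p)
```
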
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.