CARP redundancy, link down, not just power failure
-
First off, to the admins/developers: A wonderful job on an awesome product!
Today I replaced my 2 routers which were running linux+vrrp with pfsense (1.0 BETA1) and CARP. VRRP worked pretty good, but had its drawbacks, and automatically syncing rules/states/etc seemed very appealing… Anyway I ran into a few problems, and would appreciate any input (I am fairly new to *BSD, coming from a linux background).
I configured CARP using 2 routers in the following manner:
router1: LAN: 68.x.x.150
WAN: 68.x.x.37
vip carp (internal): 68.x.x.149 in VHID group 1
vip carp (external): 68.x.x.36 in VHID group 2
router2: LAN: 68.x.x.151
WAN: 68.x.x.38
vip carp (internal): 68.x.x.149 in VHID group 1
vip carp (external): 68.x.x.36 in VHID group 2
On router1 both VIPs have 'Advertising Frequency' 0 and on router2 both VIPs are set to 100 (I set them lower but they changed to 100 automatically). I have checked that the VHID password is correct for each group.
Now the problems/oddities. First of all (not a huge deal but), router1 shows Master on both VIPs as it should, but router2 shows blank, or nothing (I expected a 'BACKUP' notification as per the tutorial). The second, and more serious problem is, when I unplug say, the external interface on router1, no failover occurs. I try unplugging for 30+ seconds and no go, I end up having to plug router1 ext back in, and then it starts routing again. So I tried the same thing on router1 internal (since that is the interface CARP is talking on) and still no go. I unplug that one for 30+ seconds and still see no failover.
Any thoughts on what I may have misconfigured? Is router2's Advertising Frequency of '100' meaning 100 seconds? If so, how can I shorten it, so that failover occurs immediately? The settings don't seem to stay. Does CARP protect against failed links instead of just total system loss? (the data center I'm in has had a problem keeping link on one of my connections, which prompted this whole project in the first place).
Thanks in advance for all the help.
-
Do you have preemption turned on in CARP settings? If not, try turning that on.
-
I guess you have enabled syncing over virtual IPs (that's why the advertising frequency at your backup is set to 100 on sync). AFAIK there is a slight problem starting carp after syncing virtual ip settings atm. At the backup system disable and enable carp manually at status>carp in the webgui. This is only an issue when adding a virtual IP at the master system and syncing that one over and should be fixed soon. It won't affect a running config or reboots.
btw, you are not trying to use that in a bridged scenario and your wan-/lan-subnets are non conflicting?
-
I was able to get this working, and now it seems stable and flawless.
My findings (and this seems to be repeatable).
I configured carp on the master (with preemption, virtual ip sync and firewall rule sync enabled). The firewall rules were already in place to allow the syncing, etc to pass. I chose to sync over the LAN side, rather than have a separate SYNC interface (since I don't have spare interfaces). Once the Master was configured, the settings were pushed to the backup as expected. At this point if you take the master down, or disable an interface, the Backup will NOT properly take over the VIPs. What I had to do is reboot the backup after the master was set up, and the configs had been pushed over to the backup. As soon as you reboot the backup, it shows itself as Backup in the carp-status page, and taking the master down causes the backup to come online almost instantaneously.
Once I got that working, I was able to test by rebooting master, disabling either of master's interfaces, etc and backup always came online in almost no time and properly failed back when master was again available.
In short, it appears that pushing Carp settings from master to backup requires backup to be rebooted before carp will work. This may be a bug, maybe someone can verify.
Thanks guys for your responses.
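A small check script, added here as an illustration and not code from pfSense or from anyone in this thread: it reads carp(4) status the way `ifconfig` prints it, turns the advskew value (assumed here to be what the webgui calls 'Advertising Frequency'; it is in 1/256 s, not seconds) into the actual advertisement and master-down timers, and flags a VHID still in INIT (the blank status seen on the backup above) or preemption switched off. The `ifconfig` text is constructed; `net.inet.carp.preempt` is the real FreeBSD sysctl.

```sh
# Added example (not pfSense code): parse carp(4) status from `ifconfig` output
# and check for the two problems discussed in this thread.

# Constructed sample: how router2's carp interfaces might look while vhid 2
# never started (the webgui shows such a VIP with a blank status).
SAMPLE_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 68.0.0.149 netmask 0xffffffff
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 68.0.0.36 netmask 0xffffffff
        carp: INIT vhid 2 advbase 1 advskew 100'

# carp_summary IFCONFIG_TEXT -> one line per VHID: "<vhid> <state> <advert_ms>"
# Advertisement interval is advbase + advskew/256 seconds, so an advskew of 100
# adds about 0.39 s of delay; it is not 100 seconds.
carp_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "carp:" {
            state = $2; vhid = $4; advbase = $6; advskew = $8
            ms = advbase * 1000 + int(advskew * 1000 / 256)
            printf "%s %s %d\n", vhid, state, ms
        }'
}

# carp_dead_time_ms ADVBASE ADVSKEW -> ms a BACKUP waits for the master before
# taking over (carp(4) master-down timer: 3*advbase s + advskew/256 s).
carp_dead_time_ms() {
    echo $(( $1 * 3000 + $2 * 1000 / 256 ))
}

# carp_problems IFCONFIG_TEXT PREEMPT -> 0 if clean, 1 plus a message per fault.
# PREEMPT is the value of `sysctl -n net.inet.carp.preempt` (1 = enabled).
carp_problems() {
    rc=0
    for entry in $(carp_summary "$1" | awk '{ print $1 ":" $2 }'); do
        case "$entry" in
            *:INIT) echo "vhid ${entry%%:*}: stuck in INIT, carp never started on this node"
                    rc=1 ;;
        esac
    done
    if [ "$2" != "1" ]; then
        echo "net.inet.carp.preempt=$2: no preemption, and one failed carp interface will not demote the others"
        rc=1
    fi
    return $rc
}

# On a live box:  carp_problems "$(ifconfig)" "$(sysctl -n net.inet.carp.preempt)"
```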
-
I fixed this bug yesterday. Should be ok in beta 2.
-
Awesome!
On a side note, I've been wanting to work on helping to develop a firewall project like this for a while, but I don't want to re-invent the wheel, so what I'd like to do is (rather than start my own project) to add support for IDS/IPS (snort) as an add-on feature. I looked and saw that no one else was working on IDS specifically, and as I have a need for it, it's about time that I give something back to the community ;)
-
Awesome. I'm not aware of anyone working on this package, go for it.