Using carp for 3x30 ips
-
hi,
I am wondering how to get the following working:
1. have three /27 ipblocks carped with the least effort
2. if both pfsense boxes are up, distribute the blocks over both boxes to load balance1: I have the following three blocks: 1.1.1.32/27, 1.1.1.64/27 and 1.1.1.160/27.
each pf gets one of (if alias) ip in each block.
now, I want to carp the remaining ips from each block.a few reasons why i want this:- I am way too lazy to add 3x 28 ip's to the carp config
- this would give me 84 vhid groups, each of them sending quite a few packets every now and then to tell everybody about their well being, this seems waste of packets as it might be more efficient to just have one vhid group that handles all of those ips at once.
2: grouping those ip's would give us the ability to prefer one of our datacenters for each group and consequently lower the load on the link between those two dc's. Otherwise, only one PF will handle all traffic while the other is resting. However, a lot of backend servers are located in one DC atm. so, traffic arriving for them in the other DC travels through the interlink.
it might well be the case that what we want is just not possible. and there might good reasons for that. however: i am curious to learn about those reasons…
thanks for your help/explanation/interest, best regards,Alex
-
hi everyone, yesterday on the ##pfsense chatroom someone explained me this:
1. adding those ip's to carp has to be done either via the wui or by backup config.xml, edit it and restore it back with all ip's. this should normally be done on the pfsync master.
2. one can prefer one of the machines as master by tweaking the base/skew variables. the lowest sum of them will be master in default situation. however, there is one downside to this: you have to stop pfsyncing your virtual ips. otherwise the pfsync master will allways increase the skew with 100 when syncing to the slave and therefor always keeping itself as master.
I decided to stop pfsyncing the vips. but, while typing this I think of a new problem: how would the statetables be synced back in this case? there's only a one-way sync… have to test some more... keep you posted.
-
hi everyone, yesterday on the ##pfsense chatroom someone explained me this:
ah on which IIRC net it is? (http://www.freenode.net/irc_servers.shtml if I guess right from
http://irc.netsplit.de/channels/details.php?room=%23%23pfsense&net=freenode ?)1. adding those ip's to carp has to be done either via the wui or by backup config.xml, edit it and restore it back with all ip's. this should normally be done on the pfsync master.
Yes, found this type of editing also nice to get the slave easy to be cloned…
Idea/Question for this:
- Would be nice to have perhaps also a cut&paste synchronization for different fw pairs with mostly same configuration.
- Are there special format requirements for XML ? Found editing aliases very problematic if you have dozen of IPs with comments in one big line...
2. one can prefer one of the machines as master by tweaking the base/skew variables. the lowest sum of them will be master in default situation. however, there is one downside to this: you have to stop pfsyncing your virtual ips. otherwise the pfsync master will allways increase the skew with 100 when syncing to the slave and therefor always keeping itself as master.
Would be nice to have an option like in the firewall rules:
No XMLRPC Sync ( Hint: This prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave. )or better an option like
I am slave for this VIPso this task would be easier to handle
Bests
Reiner
-
ah on which IIRC net it is? (http://www.freenode.net/irc_servers.shtml if I guess right from
http://irc.netsplit.de/channels/details.php?room=%23%23pfsense&net=freenode ?)Hi Reiner030, good guess, see http://www.pfsense.org/index.php?option=com_content&task=view&id=64&Itemid=72.
Yes, found this type of editing also nice to get the slave easy to be cloned…
Idea/Question for this:- Would be nice to have perhaps also a cut&paste synchronization for different fw pairs with mostly same configuration.
- Are there special format requirements for XML ? Found editing aliases very problematic if you have dozen of IPs with comments in one big line...
- I don't understand what you mean with the cut&paste sync?
- I think you also have clarify yourself about the special req for xml question. or just try another editor: vim? ;-)
Would be nice to have an option like in the firewall rules:
No XMLRPC Sync ( Hint: This prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave. )or better an option like
I am slave for this VIPGood idea!