[Solved] Fail-over with CARP on the public internet

jbo@

Developer
Hello folks,

I have two identical baremetal machines in a datacenter. Both machines have two NICs each. Both interfaces have static public IPv4 addresses. The servers are essentially connected "directly to the internet". Both machines run FreeBSD 11.1 64-bit.

The second machine is purely there for fail-over. Looking at just one server, the purpose of that server is to proxy all internet traffic to/from a small company network also doing SSL termination for web- and application servers behind the proxy. The other machines are connected via OpenVPN to that proxy. To achieve that, the machine is running HAproxy and OpenVPN in server mode.

Right now everything is set up on one machine and it runs well - no problems at all. Now I'd like to add the second machine as a fail-over and I have a couple of questions.
  1. It appears that the most sane solution to achieve fail-over for the HAproxy instance(s) is to use CARP. I've read quite a lot of documentation on this but there's one thing that always strikes me: It seems that CARP uses an ID to distinguish the packages from various CARP-based setups. Apparently, each setup needs to have an individual/unique CARP ID. My question: How does that work on "the public internet"? Can I run the CARP over the public internet NICs or do I need a private network / peering between the two servers for that (e.g. patching the second NICs of both machines together)?
  2. I only found vague information on OpenVPN server fail-over. It appears that OpenVPN supports that by default out of the box without any hacky solutions. Is that correct or does one need to deploy special services anyway?

I'd be thankful for any kind of information on this.
 
As far as my experience goes, you can run CARP in both -- load-balancing mode (AKA active-active) or fault-tolerance mode (AKA active-passive). In either case there is an additional IP address in use. In the former case it is up on both machines and both service requests. In the latter case the IP address is up only on the active machine; this is the case I have some experience with.

It seems that CARP uses an ID to distinguish the packages from various CARP based setups. Apparently, each setup needs to have an individual/unique CARP ID. My question: How does that work on "the public internet"?
IIRC CARP's ID concerns layer 2 only. Internet is on the other side of the gateway, hence layer 3.

I only found vague information on OpenVPN server fail-over.
Maybe this will help, but it could be for the commercial version only: OpenVPN, Setting up high-availability failover mode.
 
It seems that CARP uses an ID to distinguish the packages from various CARP based setups
You can also configure a password. The password is mainly there to prevent a rogue CARP host from taking over the connection. Not sure how "brute-forcible" that password is but it's better than nothing.
Code:
     The following parameters are used to configure carp(4) protocol on an
     interface:

{....}
     pass phrase
             Set the authentication key to phrase.
From ifconfig(8)
 
Sorry to necro but I'm not sure if the OP ever got a satisfactory answer, and I wanted to clear some things up.

Can I run the CARP over the public internet NICs or do I need a private network / peering between the two servers for that (eg. patching the second NICs of both machines together)?
Whether you can or not depends on how your ISP sets things up--namely, if you have multiple access at layer 2. At work, our ISP has set up a /29 network where they hold one IP for the router, and the rest we can assign as we see fit. The demarc is on an Ethernet cable between their switch (acting as a modem between fiber and copper) and ours, so we have your typical CSMA/CD between all of the routers. Naturally I set up our routers in a redundant configuration using CARP on all interfaces that they share routing over (i.e. everything except lo0 and the pfsync VLAN). This of course requires running CARP on the internet-facing VLAN.

If you only have point-to-point at layer 2, you'd have to look elsewhere as CARP isn't the tool for the job.

I only found vague information on OpenVPN server fail-over. It appears that OpenVPN supports that by default out of the box without any hacky solutions. Is that correct or does one need to deploy special services anyway?
You can run OpenVPN on both machines using the shared IP. We do it, but it's not as transparent as routing if one box goes down--i.e. the connection context isn't shared between both machines (such as ephemeral keys). OpenVPN may provide some way to do this so you don't lose the connection and have to reopen it if the particular machine you're connected to dies. However, I've never investigated as it's not a big deal for us if a reconnection happens and the machines are rarely offline.

IIRC CARP's ID concerns layer 2 only. Internet is on the other side of the gateway, hence layer 3.
Depending on how his ISP is setting things up, there could be other hosts accessible via layer 2. So yes, he should be using CARP with secure passwords.
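An added example, not from the thread or any of its posters, that ties the pieces together: an sh helper that emits the rc.conf lines for each of the two boxes, putting the shared address under CARP on the public NIC (as the post above describes) and pfsync on the second, directly patched NIC, with the pass phrase from the ifconfig(8) excerpt. Interface names, the shared address, the vhid and the passphrase are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): print the rc.conf lines that put the shared
# CARP address on the public NIC and run pfsync over the cross-connected private NIC.
# Interface names, addresses, vhid and passphrase are placeholders chosen here.
#   usage: carp_rc_conf <master|backup> <public_if> <sync_if> <vip/prefix> <vhid> <passphrase>
# The passphrase must not contain whitespace (it is embedded in the ifconfig line).
carp_rc_conf() {
    role=$1 pub_if=$2 sync_if=$3 vip=$4 vhid=$5 pass=$6
    case "$role" in
        master) skew=0 ;;     # lowest advskew wins the election
        backup) skew=100 ;;   # higher advskew: takes over only when the master stops advertising
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac
    # The pass phrase keys CARP advertisements. Anyone else on the same layer-2
    # segment can only take the address over by guessing it, so refuse short ones.
    if [ "${#pass}" -lt 16 ]; then
        echo "CARP pass phrase must be at least 16 characters" >&2
        return 1
    fi
    cat <<EOF
# /etc/rc.conf (${role}): shared address as a CARP alias on the public NIC
ifconfig_${pub_if}_alias0="inet vhid ${vhid} pass ${pass} advskew ${skew} alias ${vip}"
# pf state sync over the directly patched private NIC, never over the public one
pfsync_enable="YES"
pfsync_syncdev="${sync_if}"
EOF
}

# /etc/sysctl.conf: let the master reclaim the address when it comes back
carp_sysctl_conf() {
    echo "net.inet.carp.preempt=1"
}
```

Run it once per host with `master` on one box and `backup` on the other, using the same vhid and passphrase on both.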
 