Implementing CARP in a Cloud Based Infrastructure

arafay


Hello to all! Hope you are all good!
My query is that I am trying to implement automatic failover of 2 FreeBSD firewalls (acting as edge gateways), using CARP, in a cloud-based environment, and the problem is that the infrastructure does not support multicast traffic or any other pre-reqs for implementing CARP (such as promiscuous mode, forged transmits, etc.). In fact, upon googling, I found that a couple of well-known cloud service providers such as AWS do not provide support for such types of traffic at all. So, my question is: is there any way that we can achieve HA/auto-failover in the cloud, using either CARP or something similar to CARP? I heard of UCARP on FreeBSD and tried its implementation, but due to a lack of documentation and support, it was seemingly not a feasible solution (although if you can direct me to a detailed tutorial or a great how-to, it will also be appreciated). Plus, an example of any case where FreeBSD firewalls are implemented in auto-failover in production (using any method) will also be of great help, as that would let me know what the best practices are for implementing CARP in cloud-based envs. Do keep in mind that this solution will be implemented in a prod environment, and thus will need to be stable and well-tested.
Any and all help in this regard will be greatly appreciated!
 

Bobi B.


Do you mind telling us what services you are looking into making HA?
 

arafay


Yeah, sure. I am trying to achieve failover of 2 FreeBSD machines and the specific service that I am targeting is pf (packet filter). A case in point would be to have 2 redundant firewalls with virtual IPs floating at both the internal and external interfaces (achieved through CARP) and have their state tables synced (achieved through pfsync). In case the Master fw fails, the Backup could take up its role and keep the connectivity alive.
 

Bobi B.


But you're not telling what you're hiding behind pf(4). Not that I have much experience with cloud-based environments, à la AWS & Azure, but I bet they do support HA to an extent, or some form of fail-over and/or load-balancing.
 