Send packet from backup CARP interface

P

petrochen

Hello,

I have some issue with CARP interface in FreeBSD.

FW1 and FW2 servers are connected to one cisco switch.
carp0 in master mode on FW1 and in backup on FW2.
carp0 have 10.0.0.1 ip.

Now what is the problem:

If I bind on carp0 interface on FW2 I can send packet with 10.0.0.1 source address from backup carp interface. (ping -S 10.0.0.1 google.com) After this cisco get new arp for 10.0.0.1 ip and send all incoming connection to the backup carp interface.

Is it possible to deny any outgoing packets with source address of backup carp interface ?
 
You can run some script at startup that will use pf to block all outgoing connections with carp's ip address, something like:

Code: 
#!/bin/sh

while true; do
    if test "x`ifconfig carp0| egrep "carp: \<BACKUP|INIT\>"`" != "x"; then
        # here should be check if rule is already loaded
        pfctl -e
        echo "block out quick on $IFACE inet from 10.0.0.1 to any" | pfctl
    else
        # here should be check if pf is already disabled
        pfctl -d
    fi
    sleep 1
done

But it's a lame solution and it needs some modifications if you have any other pf rules.

I would rather find out why is there any outgoing connection with carp's address from backup node. Do you know the source?
 
Thanks you pbd for answer.

I'm trying to create OpenVPN failover, but have issue with it.

On my FW1 and FW2 installed identical OpenVPN server with tha same configuration:

Code: 
cd /usr/local/etc/openvpn/fe
client-config-dir /usr/local/etc/openvpn/fe/ccd
port 5556
local 1.1.1.1
proto udp
dev tun2
server 172.31.192.0 255.255.255.0
ifconfig 172.31.192.1 172.31.192.2
ca /usr/local/etc/openvpn/fe/keys/ca.crt
cert /usr/local/etc/openvpn/fe/keys/server.crt
key /usr/local/etc/openvpn/fe/keys/server.key
dh /usr/local/etc/openvpn/fe/keys/dh1024.pem
tls-server
tls-auth keys/ta.key 0
tls-timeout 120
auth MD5
comp-lzo
cipher BF-CBC        # Blowfish (default)
keepalive 5 20
ping-timer-rem
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn/fe-status.log
log /var/log/openvpn/fe.log
verb 3
mute 20

And have about 10 clients with following configuration:

Code: 
client
dev tun1
proto udp
remote 1.1.1.1 5556
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth MD5
cipher BF-CBC
ns-cert-type server
comp-lzo
verb 3
mute 20
ca /etc/openvpn/fw/ca.crt
key /etc/openvpn/fw/f02.key
cert /etc/openvpn/fw/f02.crt
tls-client
tls-auth /etc/openvpn/fw/ta.key 1
log /var/log/openvpn/fw.log
script-security 3
up /etc/openvpn/fw/up_route.sh
keepalive 5 30


Where 1.1.1.1 is carp0 IP.

All evil lies in keepalive directive.

By default OpenVPN running on both boxes and bind to 1.1.1.1 carp0 IP.

After FW1 does down clients waits 30 secodns for answer from server, but FW2 as master don't know about this clients and keep silent.
After 30 seconds client will restart connection to server and will establish new connection to FW2.
Now all is ok and clients and server exchenged they keepalive pings.
In this time FW1 come back from reboot and take away master status for carp interface.

Now clients will recontects after 30 seconds with FW1.
!!!BUT FW2 still send keepalive ping packets to clients from 1.1.1.1 carp IP!!!!!
When FW2 send keepalive ping from 1.1.1.1 ip, switch change arp record for this IP and all traffic from clients will be send to FW2 for some time while FW1 don't send any packet from 1.1.1.1 IP to change arp recond on switch.

It's ugly.

I can stop it only by removing carp interfaces on FW2 for some time.
 
Configure devd.conf(5) on both machines to listen for CARP notices and to run a script when switching from master to slave status (and vice versa). In that script, start/stop OpenVPN as needed. That way, OpenVPN is only running on the master box.

A good write-up of the setup is available on Michael Lucas' blog. It talks about using devd notifications from CARP to start/stop ZFS, but the same setup can be used here.
 
Thank you for devd hint!
I think problem will be solved with devd + monit.
Monit will be run and stop openvpn and other services.

Thanks Guys!
 
You must log in or register to reply here.
Back
Top