Diff for /wikisrc/tutorials/how_to_set_up_a_carp_enabled_firewall.mdwn between versions 1.1 and 1.2

version 1.1, 2011/11/20 21:35:54; version 1.2, 2012/02/05 07:14:36
By **Liam J. Foy** - liamfoy[at]sepulcrum[dot]org

**Contents**

[[!toc levels=2]]

# What is CARP?
   
CARP is the Common Address Redundancy Protocol, which originated in the OpenBSD project and has been incorporated into FreeBSD and now NetBSD!

Quoted from <http://www.openbsd.org/faq/pf/carp.html>:

**"** CARP is the Common Address Redundancy Protocol. Its primary purpose is to allow multiple hosts on the same network segment to share an IP address. CARP is a secure, free alternative to the Virtual Router Redundancy Protocol and the Hot Standby Router Protocol.

CARP works by allowing a group of hosts on the same network segment to share an IP address. This group of hosts is referred to as a "redundancy group". The redundancy group is assigned an IP address that is shared amongst the group members. Within the group, one host is designated the "master" and the rest as "backups". The master host is the one that currently "holds" the shared IP; it responds to any traffic or ARP requests directed towards it. Each host may belong to more than one redundancy group at a time.

One common use for CARP is to create a group of redundant firewalls. The virtual IP that is assigned to the redundancy group is configured on client machines as the default gateway. In the event that the master firewall suffers a failure or is taken offline, the IP will move to one of the backup firewalls and the service will continue unaffected.

CARP supports IPv4 and IPv6.**"**

    <http://www.openbsd.org/faq/pf/carp.html>
   
# How do I enable CARP?

You can now use CARP (assuming you are tracking the [latest developments][[11|How to build NetBSD-current]]) by adding the following line to your kernel configuration file:

    pseudo-device           carp

Then proceed to build (or rebuild) your kernel. Make sure you also build [ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-current) and [netstat(1)](http://netbsd.gw.com/cgi-bin/man-cgi?netstat+1+NetBSD-current) (and install them, of course). Once you have built and installed your kernel you are ready to use CARP.
   
   
# Example configuration

As mentioned earlier, CARP is great for use on firewalls. I will show a popular and basic example here. Assume the following simple layout:

                Internet/Outside world
                        |
                        |
                -----------------
                |   firewall    |
                -----------------
                        |
        ----------- Shared LAN -------------

The obvious problem with this is that the firewall is a single point of failure. When it goes down for reasons such as:

  * Botched upgrade
  * The other 100 reasons here

it's normally tough luck. Unless you fix it, you have no internet (in the majority of cases).
   
However, with CARP we can now have something like this:

                ---Internet/Outside world---
                |                          |
                |                          |
               em1                        em1
        ------------------      ---------------------
        |   Firewall 1   |      |   Firewall 2      |
        ------------------      ---------------------
               em0                        em0
                |                          |
        ----------- Shared LAN ----------------

When data comes from the Shared LAN destined for the outside world, the two machines talk to each other and decide who is the MASTER and thus will handle the data. So, for example, with the configuration below firewall 1 is the MASTER firewall and firewall 2 is the BACKUP. If firewall 1 goes down, all traffic is automatically handled by firewall 2, completely transparently to the user. In fact, you could put an axe through firewall 1 and nothing would change. If firewall 1 then managed to recover, it could then resume its position.
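The election described above can be verified from each firewall's own view of its carp interface. The script below is an added example, not part of the original tutorial: it reads the `carp:` status line that ifconfig(8) prints for a carp interface, reports whether a node is MASTER or BACKUP, and flags the two states a redundancy group should never be in: no MASTER at all, or two MASTERs for the same vhid (a split brain, which you typically see when the nodes cannot hear each other's advertisements, for example because the `pass` differs or the link between them is down). The two sample captures are constructed to follow that output format for carp1 on the two firewalls, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: read the CARP state that
# ifconfig(8) prints for a carp interface and flag a redundancy group that has
# no MASTER or two MASTERs (split brain). Function names are assumptions.

# Constructed sample output (assumed format of "ifconfig carp1" on NetBSD),
# one capture per firewall. Replace with real output when using this.
FW1_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 172.16.0.100 netmask 0xffffff00 broadcast 172.16.0.255'
FW2_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 128
        inet 172.16.0.100 netmask 0xffffff00 broadcast 172.16.0.255'

# carp_state <ifconfig-output>: print MASTER, BACKUP or INIT from the
# "carp:" line (prints nothing if the capture is not a carp interface).
carp_state() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $2; exit }'
}

# carp_vhid <ifconfig-output>: print the vhid number from the "carp:" line.
carp_vhid() {
    printf '%s\n' "$1" | awk '$1 == "carp:" {
        for (i = 1; i < NF; i++) if ($i == "vhid") { print $(i + 1); exit }
    }'
}

# check_redundancy <output-from-fw1> <output-from-fw2>: return 0 when both
# captures describe the same vhid and exactly one node is MASTER; return 1
# for a vhid mismatch, no MASTER, or two MASTERs (split brain).
check_redundancy() {
    s1=$(carp_state "$1"); s2=$(carp_state "$2")
    v1=$(carp_vhid "$1");  v2=$(carp_vhid "$2")
    if [ -z "$v1" ] || [ "$v1" != "$v2" ]; then
        echo "vhid mismatch or missing: '$v1' vs '$v2'" >&2
        return 1
    fi
    masters=0
    [ "$s1" = "MASTER" ] && masters=$((masters + 1))
    [ "$s2" = "MASTER" ] && masters=$((masters + 1))
    case $masters in
        1) echo "vhid $v1: OK (fw1=$s1 fw2=$s2)"; return 0 ;;
        0) echo "vhid $v1: NO MASTER (fw1=$s1 fw2=$s2)" >&2; return 1 ;;
        *) echo "vhid $v1: SPLIT BRAIN, both nodes MASTER" >&2; return 1 ;;
    esac
}

# Demo on the constructed captures: firewall 1 MASTER, firewall 2 BACKUP.
check_redundancy "$FW1_OUT" "$FW2_OUT" || echo "redundancy check failed" >&2
```

In use you would feed it `ifconfig carp1` output collected from each firewall (for example over ssh) and run it from cron or a monitoring check. A split brain means both nodes answer ARP for the shared IP, so it is worth alerting on immediately rather than waiting for the next failover to expose it.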
   
# Configuration for the above

Interface IP addresses:

firewall 1 em0: 172.16.0.1  
firewall 1 em1: 192.0.2.1  
firewall 2 em0: 172.16.0.2  
firewall 2 em1: 192.0.2.2

The IPs we wish to share:

LAN shared IP: 172.16.0.100  
WAN/Internet shared IP: 192.0.2.100
   
On firewall 1:

    ! enable preemption and group interface failover (man carp)
    # sysctl -w net.inet.carp.preempt=1

    ! configure CARP on the LAN side
    # ifconfig carp1 create
    # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
          172.16.0.100 255.255.255.0

    ! configure CARP on the WAN/Internet side
    # ifconfig carp2 create
    # ifconfig carp2 vhid 2 carpdev em1 pass netpasswd \
          192.0.2.100 255.255.255.0

On firewall 2:

    ! enable preemption and group interface failover (man carp)
    # sysctl -w net.inet.carp.preempt=1

    ! configure CARP on the LAN side
    # ifconfig carp1 create
    # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
          advskew 128 172.16.0.100 255.255.255.0

    ! configure CARP on the WAN/Internet side
    # ifconfig carp2 create
    # ifconfig carp2 vhid 2 carpdev em1 pass netpasswd \
          advskew 128 192.0.2.100 255.255.255.0

For more complete information regarding each configuration setting see [carp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?carp+4+NetBSD-current).
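The ifconfig commands above configure CARP for the running system only and are gone after a reboot. As an added example (not from the original tutorial), the script below renders the same settings into one `/etc/ifconfig.carpN` file per group for each firewall, following the ifconfig.if(5) convention of one ifconfig(8) argument list per line with `create` first, plus a sysctl.conf(5) line for `net.inet.carp.preempt`, and refuses to write anything if a vhid or carpdev is used twice in the group definition. The group definition reuses the tutorial's values; the role names (`master` for firewall 1, `backup` for firewall 2), the output directories and the function names are my own assumptions. Because each file carries the CARP `pass`, it is created mode 0600.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render the CARP settings
# from the tutorial into persistent /etc/ifconfig.carpN files for each
# firewall (ifconfig.if(5): one ifconfig(8) argument list per line, "create"
# first) plus a sysctl.conf(5) line for preemption, after checking that no
# vhid or carpdev is used twice. Role names, output directories and function
# names are assumptions.

# One CARP group per line: ifname vhid carpdev pass shared-ip netmask
# (values taken from the tutorial's example configuration).
CARP_GROUPS='carp1 1 em0 lanpasswd 172.16.0.100 255.255.255.0
carp2 2 em1 netpasswd 192.0.2.100 255.255.255.0'

# render_ifconfig_file <role> <vhid> <carpdev> <pass> <shared-ip> <netmask>
# prints the contents of /etc/ifconfig.<carpN>. "master" matches the
# tutorial's firewall 1 (default advskew 0); "backup" matches firewall 2
# (advskew 128, so it loses the election while firewall 1 is alive).
render_ifconfig_file() {
    case $1 in
        master) skew='' ;;
        backup) skew='advskew 128 ' ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    printf 'create\nvhid %s carpdev %s pass %s %s%s %s\n' \
        "$2" "$3" "$4" "$skew" "$5" "$6"
}

# check_groups <definition>: return 0 if every line has six fields, each vhid
# is in 1..255 and no vhid or carpdev appears twice; otherwise 1 with the
# problems reported on stderr.
check_groups() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF != 6 { printf "line %d: expected 6 fields\n", NR > "/dev/stderr"; bad = 1; next }
        $2 !~ /^[0-9]+$/ || $2 < 1 || $2 > 255 {
            printf "%s: vhid %s out of range\n", $1, $2 > "/dev/stderr"; bad = 1 }
        seen_vhid[$2]++ { printf "vhid %s used twice\n", $2 > "/dev/stderr"; bad = 1 }
        seen_dev[$3]++  { printf "carpdev %s used twice\n", $3 > "/dev/stderr"; bad = 1 }
        END { exit bad + 0 }'
}

# write_node_files <role> <outdir> <definition>: write <outdir>/ifconfig.carpN
# for every group and <outdir>/sysctl.conf enabling preemption. Writes nothing
# if the definition fails check_groups.
write_node_files() {
    check_groups "$3" || return 1
    mkdir -p "$2"
    echo 'net.inet.carp.preempt=1' > "$2/sysctl.conf"
    while read -r ifname vhid dev pass vip mask; do
        [ -n "$ifname" ] || continue
        render_ifconfig_file "$1" "$vhid" "$dev" "$pass" "$vip" "$mask" \
            > "$2/ifconfig.$ifname" || return 1
        chmod 0600 "$2/ifconfig.$ifname"   # the file holds the CARP pass
    done <<EOF
$3
EOF
}

# Demo: render both firewalls into a scratch directory and show the result.
DEMO=$(mktemp -d)
write_node_files master "$DEMO/firewall1" "$CARP_GROUPS"
write_node_files backup "$DEMO/firewall2" "$CARP_GROUPS"
for f in "$DEMO"/firewall*/ifconfig.carp*; do
    echo "== $f"; cat "$f"
done
```

Review the rendered files, then copy each firewall's set into its /etc. The two nodes should differ only in `advskew`, so diffing the two output directories is a quick way to confirm nothing else has drifted; a `pass` that differs between the nodes does not produce an error message, it produces two MASTERs.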
   
   
# Other

I would 'really' like further testing with CARP on NetBSD. I currently can't test very many network configurations due to my small home network. If you find any issues, please contact me and let me know - it's likely my fault. Thanks to everyone who has helped me test too!

# References

  * <http://www.countersiege.com/doc/pfsync-carp/>
  * <http://www.openbsd.org/faq/pf/carp.html>
  * <http://www.bsdportal.org>

# Additional Information

  * [[basics/sysctl]]
  * [[basics/netstat]]
  * [[basics/ifconfig]]
   
