Re: Another carp problem.

Previous thread: Annunci-01 by Lucia on Thursday, December 30, 2010 - 6:17 am. (1 message)

Next thread: microsoft.com -> NetBSD by S Mathias on Thursday, December 30, 2010 - 11:12 am. (7 messages)
From: Alessandro Baggi
Date: Thursday, December 30, 2010 - 11:58 am

Hi list. I've installed two firewalls, one master and one backup. Trying some
tests to see if carp and pfsync work, I get this issue: the master fw works,
all network connections work, then I disconnect the external interface
cable of fw1 and carp0 goes into INIT, carp1 into BACKUP and carp2 into BACKUP;
on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds,
still with the cable disconnected, carp0 of firewall 1 is in INIT,
carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and
carp1, carp2 become BACKUP, and every 5/10 seconds fw1: carp0 INIT carp1
MASTER carp2 MASTER, after 5/10 seconds fw1 becomes carp0 INIT carp1
BACKUP carp2 BACKUP and so on.

Then:

State before cable disconnection:

fw1                fw2
carp0: MASTER      carp0: BACKUP
carp1: MASTER      carp1: BACKUP
carp2: MASTER      carp2: BACKUP

State after cable disconnection:

fw1                fw2
carp0: INIT        carp0: MASTER
carp1: BACKUP      carp1: MASTER
carp2: BACKUP      carp2: MASTER

State after 5/10 seconds, still with the cable disconnected:

fw1                fw2
carp0: INIT        carp0: MASTER
carp1: MASTER      carp1: BACKUP
carp2: MASTER      carp2: BACKUP

After another 5/10 seconds with the cable disconnected:

fw1                fw2
carp0: INIT        carp0: MASTER
carp1: BACKUP      carp1: MASTER
carp2: BACKUP      carp2: MASTER

After another 5/10 seconds without the cable:

fw1                fw2
carp0: INIT        carp0: MASTER
carp1: MASTER      carp1: BACKUP
carp2: MASTER      carp2: BACKUP

and so on...

these are my pf rules for carp and pfsync:

pass in quick proto pfsync
pass in quick proto carp
....
..
block in all
...


FW1 [MASTER]: net.inet.carp.preempt=1
FW2 [BACKUP]: net.inet.carp.preempt=0  (tried also with 1)

and this is my ifconfig output.


IFCONFIG FW1:


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
     priority: 0
     groups: ...

From: Johan Fredin
Date: Thursday, December 30, 2010 - 12:43 pm


Afaik, the sysctl value net.inet.carp.preempt should be set to the same value
on both nodes. Are you sure you see the same behavior if you set that value to
0 on both nodes, or alternatively to 1?

/Johan

From: Alessandro Baggi
Date: Thursday, December 30, 2010 - 3:01 pm

Hi Johan. Thanks for the reply. I've already tried setting
net.inet.carp.preempt=1 on each firewall and the problem is the same. Now I've
tried setting them to 0, and it seems to work. My question is: why does setting
net.inet.carp.preempt to 1 on each firewall not work?
On the OpenBSD FAQ:
On OpenBSD faq:

net.inet.carp.preempt
    Allow hosts within a redundancy group that have a better advbase and
    advskew to preempt the master. In addition, this option also enables
    failing over a group of interfaces together in the event that one
    interface goes down. If one physical CARP-enabled interface goes
    down, CARP will increase the demotion counter, carpdemote, by 1 on
    interface groups that the carp(4) interface is a member of, in
    effect causing all group members to fail-over together.
    net.inet.carp.preempt is 0 (disabled) by default.

Another issue: with preempt enabled, removing the $ext iface cable,
carp0 goes into INIT and it should force carp(0/1/2) to go into backup mode.
Why isn't there this behaviour?

With preemption disabled, if an interface goes down, do the group members
fail over together?
Another question: is it the same thing to set all firewalls to 1 or to 0? Preempt
allows a fw that was master to become master again ahead of the other backup,
if its advbase and advskew are better than theirs, but if it is disabled, the
master without preempt can't become master again without a carpdemote for the
carp group? Is this the difference between 1 and 0?


Thanks in advance.
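An added check for the symptom described in this thread (not code from the thread or from OpenBSD): it parses `ifconfig` output for carp interfaces and reports whether the group is split, i.e. some members MASTER while others are BACKUP or INIT, which is what "fail-over together" is supposed to prevent after a link loss. The sample output is constructed and modelled on the OpenBSD 4.x `ifconfig` format; the interface names and vhids are assumptions.

```shell
#!/bin/sh
# Constructed sample of 'ifconfig carp' output on fw1 after the xl0 cable was
# pulled, in the state the thread describes (carp0 INIT, carp1/carp2 MASTER).
SAMPLE_AFTER_UNPLUG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: INIT carpdev xl0 vhid 1 advbase 1 advskew 0
        groups: carp
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0
        groups: carp
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 0
        groups: carp'

# carp_states: read ifconfig output on stdin, print one "ifname STATE" line
# per carp interface (the STATE is the word after "carp:" in the detail line).
carp_states() {
    awk '/^carp[0-9]+:/ { sub(":", "", $1); ifn = $1 }
         $1 == "carp:" && ifn != "" { print ifn, $2; ifn = "" }'
}

# carp_group_split: exit 0 when the group is split (at least one MASTER next
# to a BACKUP or INIT member), exit 1 when all members agree. A split that
# persists after a link loss means the interface group did not demote together.
carp_group_split() {
    carp_states | awk '
        $2 == "MASTER" { master++ }
        $2 != "MASTER" { other++ }
        END { exit !(master > 0 && other > 0) }'
}

# check_sample: classify the constructed sample; "split" is the bad outcome.
check_sample() {
    if printf '%s\n' "$SAMPLE_AFTER_UNPLUG" | carp_group_split; then
        echo "split"
    else
        echo "consistent"
    fi
}
```

On a live box, replace the constructed sample with `ifconfig carp | carp_group_split` and run it from cron or ifstated to alert on a split group.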

From: Patrick Lamaiziere
Date: Friday, December 31, 2010 - 9:45 am

On Thu, 30 Dec 2010 19:58:21 +0100,

And in output?

From: Alessandro Baggi
Date: Friday, December 31, 2010 - 10:09 am

On output I have:
pass out all

To also rule out a pf rules problem, I've tried a rule set such as:

match...nat-to...

pass all

but the problem persists.

Any other issue?

Thanks in advance

From: Patrick Lamaiziere
Date: Saturday, January 1, 2011 - 7:03 pm

On Fri, 31 Dec 2010 18:09:40 +0100,

Hmmm, OK, I don't know where the problem is.

I've recently made a lot of tests with carp and pfsync without any
problem (on 4.8/amd64). IMO it should work (but I don't use the
carp peer option).

One remark: you should use a dedicated interface for pfsync. In your
setup, rl0 is shared by pfsync and carp1. This makes no sense.

Best regards and happy new year to all.

From: Indunil Jayasooriya
Date: Saturday, January 1, 2011 - 7:49 pm

Hi,

Happy new year to all. I am a little bit busy, but I can help you with the
URL below.


http://www.pantz.org/software/carp/openbsdfirewallfailover.html

It may be useful.

-- 
Thank you
Indunil Jayasooriya

From: Alessandro Baggi
Date: Sunday, January 2, 2011 - 2:42 am

Hi list and happy new year to all. For now I've solved this problem
temporarily using ifstated, and master and backup work fine. For the pfsync NIC,
in the past I used a dedicated NIC for pfsync, but now, with xl0 for WAN,
rl0 for LAN and rl1 for DMZ, I must use rl0 since I only have 3 NICs. I've read on
the OpenBSD FAQ that we can use the same iface, but using IPsec.

Best regards
For now it's only testing, but in future
