I recently ran into a problem with a pair of 500MHz Pentium III OpenBSD 3.9 systems running as a pfsync'd firewall pair. The systems each had three 100Mbit ethernet interfaces (inside, outside, and one for pfsync) and a total of 18 carp interfaces (yes, I know that many carp interfaces probably sounds crazy). The master firewall's carp interfaces were set to advbase=1, advskew=0 while the backup firewall's carp interfaces were set to advbase=1, advskew=100. Both firewalls were set with net.inet.carp.preempt=1.

The problem was that the backup firewall would intermittently (and seemingly randomly) try to become master. I ran tcpdump on both firewalls and I could see that the backup firewall was really receiving the carp advertisements from the master firewall right on time, but the backup firewall would then send out its own carp advertisements as it tried to become master. This would, of course, cause problems with the connections running through this firewall pair.

After some Googling I found these two posts on the archive which indicate that others have encountered this problem (I would have replied to the posts but they were too old so I had to create a new post):

Original post: http://groups.google.com/group/lucky...e94c463ce1cb69
Followup post: http://groups.google.com/group/lucky...ec18bef44023da

In the earlier thread others indicated that this problem could be the result of the two firewalls not having their time well synchronized. This was not the problem in my case -- both firewalls got their time from a local ntp server and were well synchronized.

I reduced the number of carp interfaces to 15 and the problem was greatly improved. I later decided to reduce the number of carp interfaces to 2 (I decided to put all of my separate class C subnets into two class B subnets) and the problem appears to be completely fixed. I am posting this in case others run into this problem and in case this might point to some kind of a bug in the carp code.

If there is an interest in more information I can provide tcpdump output showing the problem. By the way, I am very pleased with the quality of OpenBSD in general and I think that the ability to run a carp/pfsync firewall pair is fantastic. Thanks to all who have contributed to such a great OS.

Sincerely,
Neal Lauver
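The symptom in the post (the backup advertising even though the master's advertisements are arriving on time) can be picked out of a capture automatically. The script below is an added example, not the poster's own tcpdump output or any OpenBSD code: it scans advertisement lines, applies CARP's own master-down timer (3 * advbase + advskew/256 seconds, the timer a backup arms in carp_setrun) and flags any advertisement from a worse-ranked host while the master's last advertisement is still younger than that timer. The line format and the host addresses are constructed assumptions that approximate tcpdump's CARP output.

```python
"""Flag spurious CARP preemptions in tcpdump-style advertisement logs.

Added example; the line shape below is a constructed approximation of
OpenBSD tcpdump's CARP output, not captured data from the post."""
import re

# Assumed (constructed) line shape:
# "<secs> carp <src> > 224.0.0.18: CARPv2-advertise 36: vhid=N advbase=A advskew=S"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) carp (?P<src>\S+) > \S+: CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)

def master_down_timeout(advbase, advskew):
    """Seconds a backup waits without hearing the master before it takes
    over: 3 * advbase + advskew / 256 (the BACKUP timer in carp_setrun)."""
    return 3 * advbase + advskew / 256.0

def find_spurious_preemptions(lines):
    """Return (ts, vhid, challenger, master, age) for each advertisement
    sent by a worse-ranked host (higher (advbase, advskew), i.e. the
    backup) while the master's last advertisement is younger than the
    challenger's own master-down timeout. A takeover after the master
    has been silent for longer than the timeout is legitimate and is
    not reported."""
    last = {}       # vhid -> (src, ts, (advbase, advskew)) of current master
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, vhid = float(m["ts"]), m["src"], int(m["vhid"])
        rank = (int(m["advbase"]), int(m["advskew"]))
        if vhid in last and last[vhid][0] != src and rank > last[vhid][2]:
            prev_src, prev_ts, _ = last[vhid]
            age = ts - prev_ts
            if age < master_down_timeout(*rank):
                findings.append((ts, vhid, src, prev_src, round(age, 3)))
                continue            # keep the real master as reference
        last[vhid] = (src, ts, rank)
    return findings

# Constructed sample: master 10.0.0.2 (advskew=0), backup 10.0.0.3 (advskew=100).
SAMPLE = """\
1.000 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0
2.000 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0
2.150 carp 10.0.0.3 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100
3.000 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0
7.000 carp 10.0.0.3 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100
""".splitlines()

if __name__ == "__main__":
    for hit in find_spurious_preemptions(SAMPLE):
        print("spurious preemption: t=%.3f vhid=%d %s vs master %s (age %.3fs)" % hit)
```

Only the advertisement at t=2.150 is reported: the backup spoke 0.15 s after the master, far inside its 3.39 s timeout, whereas the one at t=7.000 follows four seconds of master silence and is a normal failover.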