OpenBSD Journal

carp(4) load balancing made easy

Contributed by jl on from the yin-yang dept.

Marco Pfatschbacher (mpf@) has just committed the last bit of an extensive work to unify and simplify the configuration of load balanced carp(4) setups.

Please help test these changes for the upcoming 4.3 release of OpenBSD. If you run carp(4) with ARP or IP balancing, you will have to change your configuration:
  • Multiple carp(4) interfaces sharing one IP address have been replaced by the carpnodes option, which lists the vhid:advskew pairs a single carp interface takes part in.
  • The net.inet.carp.arpbalance sysctl has been replaced by the balancing mode arp.
  • The LINK0, LINK1 and LINK2 interface flags used for IP balancing have been replaced by the balancing modes ip, ip-stealth and ip-unicast.
In addition, IPv6 can now be balanced as well, using the Neighbor Discovery Protocol (NDP), which works similarly to IPv4 ARP balancing.
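A worked example of the new syntax, added here and not part of the original post or of OpenBSD's own code: a small POSIX shell script that writes the hostname.carp0 line for each node of a load-balanced group and checks that the group is consistent. The interface name em0, the 10.0.0.0/24 addresses and the password mekmitasdigoat are made-up placeholders. The advskew spacing of 100 per rank and the rotation (node N masters vhid N, the others back it up in a fixed order) are this example's own convention, chosen so that every vhid has exactly one node with advskew 0; it generalizes the two-node case to N nodes.

```shell
#!/bin/sh
# Added example (not from the article or OpenBSD): generate and sanity check
# the carpnodes-style hostname.carp0 configuration for an N-node group.
# em0, the 10.0.0.0/24 addresses and the password are placeholders.

# carpnodes_for NODE NODES [STEP]
# Print the carpnodes value for node NODE (1-based) of a NODES-node group.
# Rotation convention used here (an assumption, not an OpenBSD rule): node
# NODE masters vhid NODE with advskew 0 and backs up the other vhids with
# advskew STEP, 2*STEP, ... so every vhid has exactly one preferred master
# and a fixed failover order. carp(4) limits advskew to 0-254.
carpnodes_for() {
    node=$1; nodes=$2; step=${3:-100}
    out=""
    v=1
    while [ "$v" -le "$nodes" ]; do
        rank=$(( (v - node + nodes) % nodes ))
        skew=$(( rank * step ))
        if [ "$skew" -gt 254 ]; then
            echo "node $node: advskew $skew for vhid $v exceeds 254; use a smaller STEP" >&2
            return 1
        fi
        out="${out}${out:+,}${v}:${skew}"
        v=$(( v + 1 ))
    done
    printf '%s\n' "$out"
}

# hostname_carp NODE NODES MODE CARPDEV ADDR MASK BCAST PASS
# Print the hostname.carp0 line for one node; everything after the
# broadcast address is handed to ifconfig(8) by netstart.
hostname_carp() {
    cn=$(carpnodes_for "$1" "$2") || return 1
    printf 'inet %s %s %s carpnodes %s carpdev %s balancing %s pass %s\n' \
        "$5" "$6" "$7" "$cn" "$4" "$3" "$8"
}

# check_group NODES [STEP]
# Every vhid must appear with advskew 0 on exactly one node. Two masters
# (or none) for a vhid is the classic mistake when the same file is
# copied unchanged onto every box.
check_group() {
    nodes=$1; step=${2:-100}
    v=1
    while [ "$v" -le "$nodes" ]; do
        masters=0
        n=1
        while [ "$n" -le "$nodes" ]; do
            cn=$(carpnodes_for "$n" "$nodes" "$step") || return 1
            case ",$cn," in
                *",$v:0,"*) masters=$(( masters + 1 )) ;;
            esac
            n=$(( n + 1 ))
        done
        if [ "$masters" -ne 1 ]; then
            echo "vhid $v has $masters nodes with advskew 0" >&2
            return 1
        fi
        v=$(( v + 1 ))
    done
    echo ok
}

# Two-node group with IP balancing, the case the article's list describes.
for n in 1 2; do
    echo "# /etc/hostname.carp0 on node $n"
    hostname_carp "$n" 2 ip em0 10.0.0.1 255.255.255.0 10.0.0.255 mekmitasdigoat
done
check_group 2
```

Install a different line on each box: node 1 gets carpnodes 1:0,2:100, node 2 gets 1:100,2:0, while the address, carpdev, balancing mode and pass stay identical. The pass is the shared key that authenticates carp advertisements on the segment, so it must match on every node and must not reach any host that should not be able to claim a vhid. With balancing ip the group answers with a multicast MAC address, so the switch floods the balanced traffic to every port on that segment; ip-stealth and ip-unicast change how that MAC is used, and carp(4) documents which one a given switch needs.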



Comments
  1. By cameronsto (165.2.186.10) on cameronstokes.com

    These are great changes. Up until a week ago (we shut down the rack) we ran an OpenBSD firewall cluster in front of a small colo rack and had 0 issues with it over the entire 3 years it was running.

    OpenBSD/pf/carp is an incredible firewall platform, and these additions only add to its capabilities.

    -cameron

    Comments
    1. By Terrell Prude' Jr. (151.188.247.104) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/

      > These are great changes. Up until a week ago (we shut down the rack) we ran an OpenBSD firewall cluster in front of a small colo rack and had 0 issues with it over the entire 3 years it was running.
      >
      > OpenBSD/pf/carp is an incredible firewall platform, and these additions only add to its capabilities.
      >
      > -cameron

      You're right, it is. Like many others, I use PIXes and ASAs from Cisco at work. OpenBSD is certainly a drop-in replacement for a PIX or ASA, with fewer problems, and it is Free Software. If I could replace every PIX or CheckPoint firewall installation that I see with an OpenBSD solution on some good, fast hardware, I wouldn't hesitate.

      There's only one thing I can think of that OpenBSD doesn't do that Cisco's PIX/ASA does, and that's talk to Websense. The protocol is proprietary. Of course, there are several other ways to filter Web access, so this is hardly a show-stopper. Rather, it's a cheap excuse. Sadly, Websense has "mind share" with not just those who control the corporate checkbook, but also the army of MCSEs that are scared of Freedom. "BSD?! Sorry, we don't do Linux here, we're a Windows shop!"

      --TP

      Comments
      1. By Anonymous Coward (24.37.242.64) on

        > > These are great changes. Up until a week ago (we shut down the rack) we ran an OpenBSD firewall cluster in front of a small colo rack and had 0 issues with it over the entire 3 years it was running.
        > >
        > > OpenBSD/pf/carp is an incredible firewall platform, and these additions only add to its capabilities.
        > >
        > > -cameron
        >
        > You're right, it is. Like many others, I use PIXes and ASAs from Cisco at work. OpenBSD is certainly a drop-in replacement for a PIX or ASA, with fewer problems, and it is Free Software. If I could replace every PIX or CheckPoint firewall installation that I see with an OpenBSD solution on some good, fast hardware, I wouldn't hesitate.
        >
        > There's only one thing I can think of that OpenBSD doesn't do that Cisco's PIX/ASA does, and that's talk to Websense. The protocol is proprietary. Of course, there are several other ways to filter Web access, so this is hardly a show-stopper. Rather, it's a cheap excuse. Sadly, Websense has "mind share" with not just those who control the corporate checkbook, but also the army of MCSEs that are scared of Freedom. "BSD?! Sorry, we don't do Linux here, we're a Windows shop!"
        >
        > --TP

        "BSD?! Sorry, we don't do Linux here, we're a Windows shop!"

        lol, isn't that so true. It just gives me the chizelnitches when they say that, thinking it's yet another fragment of Linux. Shows how smart they are in the IT industry as a whole.
