OpenBSD Journal

Firewall Failover with pfsync and CARP

Contributed by jose on from the super-stable-networking dept.

Daniel Hartmeier writes: " Ryan McBride describes the exciting new firewall features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP ."

(Comments are closed)

  1. By Anonymous Coward () on

    Sweeeeeeeet! I was hoping for something like this. TY TY TY!

  2. By Christian () on

    Thanks for this nice article and for this nice OS! This is going to be a real nice feature! Let's see how it works in production :-)

    1. By Anonymous Coward () on

      Quite well. We have 25000 states and 2 firewall in HA with the cvs version.

      1. By ViPER () on

        How did you persuade your boss in running a snapshot release in production environment ? :)

        (Just guessing that we are not dealing with your box at home running a *LOT* of sessions)

        1. By Anonymous Coward () on

          Why are you persuading your boss anything? He's probably the network admin, in which case its his decision, not his bosses.

          1. By Anonymous Coward () on

            Various arguments to persuade the Boss :

            * The proprietary alternative is quite expansive on the long term (you have to pay maintenance and support contract for nothing more than a simple license key without any services),

            * In case of failure with OpenBSD/pf, we can move easily to a working status without shutting down business. With the proprietary alternative, sometimes you don't know why the system goes down and if you find where is the issue, you can't make the update by yourself because you don't have access to the inner operation of the system),

            * Accounting is more easy and flexible than the proprietary alternative. A simple label on a rule and we have an excellent accounting per rules. Try that on a proprietary : reset a counter on a specific rule,....

            * ...

            1. By Anonymous Coward () on

              I think you're missing the point. The question was running production on "snapshot" or -current, not -release.

  3. By OBSD User () on

    Is amazing how this "heads" made CARPS, but I have a question.

    If i have a connection to a web server (a php page, ie), and I am wating for a sql reply form a php.
    And then... the webserver crashes. Whata happen with the connection, to de webserver-php-sql?

    Thanks in advance.
    and sorry for my english ;)

    1. By Anthony () on

      I don't think there's any kind of application level failover. Just the sockets.

      1. By OBSD User () on

        I think it so.

        Anyways, thanks!

  4. By Michael van der Westhuizen () on

    This is amazing functionality! Fantastic work, and a well written introductory document to boot :-)

  5. By Petr R. () on

    Does someone know how to handle site-to-site IPSec failover with CARP?

    1. By Anonymous Coward () on

      As far as failing over the IPSec tunnels? About the only thing I've heard of which can fail over IPsec without renegotiating the tunnels/certs/whatever has been a nokia product. VRRP alone doesn't handle such advanced things, and my guess is neither does CARP.

      If I'm wrong, awesome - but it's my understanding that such a thing would really need to be tied more closely to the app (or VPN/ipsec code in this case).

      1. By Petr R. () on

        Well,I do think that Ciski VPN concentrators could do the same.
        however,i do not have a need for 'statefull' failover. what i need is tunel that will be renegotiated after firewall failure. but i could not run isakmpd on both HA firewalls right ? or I could but only one shouldbe active,second should be launched incase of faliure.

    2. By Strog () on

      Failover can be handled be isakpmd itself. Some friends of mine and I have a little (8 networks across the US and Canada) VPN setup that has 2 vpn concentrators that failover automatically. You wouldn't know that a concentrator dropped except the traceroute shows the other IP.

      [Phase 1]
      xx.xx.xx.xx= vpnserver
      xx.xx.xx.yy= vpnserver2

      Define each the same settings except for IP in the peer section. You basically make 2 entries for each network (one for vpnserver and another for vpnserver2). There's a little more to it but that's the gist of it.

      Just imagine how robust your connection would be if each concentrator was sitting behind a couple CARP enabled OpenBSD firewalls. Of course robust has a different meaning when someone cuts a fiber line but that's another topic.

      (I have to give credit to elmore for hosting the vpn servers and getting the framework all setup. thanks man)

      1. By Petr R. () on

        Wow, sweet. I will try that. Thanks. I will have two CARP firewalls each with two ISP connection. So I will create one isakmpd on first fw, first ISP and second on second one :o] I will give it a try.

  6. By Mike () on

    I was trying to setup IPSEC between my OpenBSD server and Windows XP client with preshared keys.
    But I can't setup OpenBSD. Please can somebody give link or advice to set up this?
    Thanks a lot and sorry for OT

    1. By Petr R. () on

      Mail me, l will send you working sample. I will respond in couple of days(l'm in hospital now :-( )

      1. By Anonymous Coward () on

        Any chance you can post it on a website and link it here?

        Hope your hospital stay isn't too serious and that you get better.

        1. By Petr R. () on

          I'll do it, no sweat. it is actually site-to-site vpn,both sides accept clients as well.
          I do have a plan to replace one side with CARP cluster(there are two conn. to ISPs, so it should be firewall and ISP HA :-),so the setup will be interesting.

  7. By Anthony () on

    It says the pfsync state updates are batched on a best effort basis. This implies that the pfsync updates are not atomic (eg, a packet can be NATed, sent on to the destination, before the update goes out to the other firewall nodes).

    The question is, can this result in a connection being left in an inconsistent state?

    I'm thinking it only allows pfsync updates to be postponed until the ACK packet comes back from the internal host, as the external host is obligated to be able to retransmit packets that haven't been ACKed... am I out to lunch here?

  8. By Anonymous Coward () on

    In the discusion before the song

    Licenser: How much did you pay for that?
    The customer say:
    Customer: Sixty quid, and twenty grand for the PIX.

    If I refer to the money slang dictonary one quid is one pound. I doubt that the cost of the cisco software is 60 pounds...

    How much does the same setup cost in the cisco world ?

    1. By Petr R. () on

      You need at least 2 Pix 515, with unrestricted licence(failover and more than three nic ) or FA bundle (one Pix is crippled and could be only slave).
      You have active/passive failover(one pix is waiting all the time doing nothing).
      i'm not so sure about price, i will findit tommorrow, but I think that one Pix 515 is about 5k USD ?!?

    2. By Sam () on

      Doesn't sixty quid refer to the piece of paper he's holding?

    3. By Petr R. () on

      So two PIXes in failover connection will cost you something about 10k USD...

  9. By Eduardo Alvarenga () eduardo at thrx dot org on mailto:eduardo at thrx dot org

    I don't know if it's about CARP or PFSYNC or anything else, but is there any project about a real load-ballance solution? I mean memory/process balance, like a very loaded webserver sharing it's resources information to another machine (a network/application ballancer) and this machine redirecting data to the less loaded server on the network?

    1. By engineer () on

      IMHO, application balanser MUST be desined and embedded in application itself. So you can request about this to Apache project, for example. Some activity seen in PostgreSQL project.
      As you can see PF project has done this - pfsync.

      PS: sorry, bad english

    2. By Rafael Coninck Teigao () on

      Well, if I understand you correctly, you can take a look at distributed shared memory:

      With DSM you can share memory between nodes and try to tie it up with some application mods to do application level failover.

  10. By Anonymous Coward () on

    I can testify, I've been running pfsync/carp on a 2 firewall setup that averages about 40mbit, spikes well past it - solid as a rock since we put it in about 2 months ago, on 3.4-CURRENT as of that time. The firewalls are redundant for eachother via CARP, the web servers in the back are load balanced using PF's round-robin redirection, plus a small shell script I wrote to check if a server is down, and if so remove it from the pool.

    This stuff is great!


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]