High availability on OpenBSD with carp
Posted on 2024-11-15 21:42:00 from Vincent in OpenBSD High Availability
In this post, I explain how to set up highly available services across two different machines thanks to carp.
Introduction
Configuring CARP can enhance the availability and reliability of services like DHCP and routing in OpenBSD environments. This guide outlines the steps to set up CARP on two physical firewall machines.
In my specific case, 192.168.1.31 is fw1 and 192.168.1.32 is fw2. The virtual shared IP will be 192.168.1.1.
Enabling CARP on OpenBSD Firewalls
Step 1: Update sysctl Settings
On both machines, ensure packet forwarding and CARP preemption are enabled by adding the following lines to /etc/sysctl.conf:
~ # cat /etc/sysctl.conf
net.inet.ip.forwarding=1 # Permit forwarding (routing) of IPv4 packets
net.inet.carp.preempt=1 # Enable CARP preemption
You can apply these settings with:
sysctl net.inet.ip.forwarding=1
sysctl net.inet.carp.preempt=1
Step 2: Update pf.conf for CARP Traffic
On both machines, allow heartbeat signals between the firewalls by adding the following rule to /etc/pf.conf:
pass on $int_if inet proto carp keep state
Then reload the pf configuration:
pfctl -f /etc/pf.conf
Step 3: Create the CARP Interface
On both machines, create the carp1 interface:
ifconfig carp1 create
Step 4: Configure Host-Specific Settings
On each machine, edit the /etc/hostname.carp1 file to define its CARP configuration:
On fw1 (192.168.1.31):
~ # cat /etc/hostname.carp1
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass passcarp carpdev re1 advskew 100
On fw2 (192.168.1.32):
~ # cat /etc/hostname.carp1
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass passcarp carpdev igc1 advskew 50
Explanation of Configuration Parameters:
vhid 1: The Virtual Host ID (must be the same on both machines).
pass passcarp: Shared password for CARP authentication.
carpdev: The physical interface associated with the CARP device.
advskew: Sets priority; lower values make the host more likely to become the master.
Step 5: Reboot and Verify
Reboot both machines. Upon startup, one machine will be the active master, and the other will serve as a backup. You can check the status with:
~ # ifconfig carp
You should have something like this:
fw1:~ # ifconfig carp
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
index 5 priority 15 llprio 3
carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
groups: carp
status: backup
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
fw2:~ # ifconfig carp
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
index 7 priority 15 llprio 3
carp: MASTER carpdev igc1 vhid 1 advbase 1 advskew 30
groups: carp
status: master
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
Please note that the MAC address on those two carp interfaces is the same ;)
In this case, fw2 is the master and fw1 is the backup.
Forcing a Role Swap
To manually change which machine is the active master, adjust the advskew value:
Make a machine the master:
~ # ifconfig carp1 advskew 30
Make a machine the backup:
~ # ifconfig carp1 advskew 70
In fact, the machine with the lowest advskew value becomes the master.
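A small health check that ties Step 5 and the role swap together, added here as an example (it is not part of the original post): it parses the ifconfig carp output of both firewalls and exits non-zero when the pair is not in a clean one-master/one-backup state. The two outputs below are constructed from the ones shown above; the node names fw1/fw2 and the ssh hint are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): compare `ifconfig carp` output
# from both firewalls and flag an unhealthy CARP state: two masters (split
# brain), no master, or nodes that disagree on vhid / virtual MAC.
# Constructed from the post's output; live use: FW1_OUT=$(ssh fw1 ifconfig carp)
FW1_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:5e:00:01:01
	carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
	status: backup
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255'
FW2_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:5e:00:01:01
	carp: MASTER carpdev igc1 vhid 1 advbase 1 advskew 30
	status: master
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255'

# Second field of the line whose first word is $2, e.g. carp_attr "$out" status:
carp_attr() {
	printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}
# Value following key $2 on the "carp:" line, e.g. carp_field "$out" advskew
carp_field() {
	printf '%s\n' "$1" | awk -v k="$2" \
		'$1 == "carp:" { for (i = 2; i < NF; i++) if ($i == k) print $(i + 1) }'
}
# Exit status: 0 healthy (exactly one master), 1 split brain, 2 no master,
# 3 the nodes disagree on vhid or virtual MAC (they are not one CARP group).
carp_check() {
	s1=$(carp_attr "$1" status:) s2=$(carp_attr "$2" status:)
	v1=$(carp_field "$1" vhid)   v2=$(carp_field "$2" vhid)
	m1=$(carp_attr "$1" lladdr)  m2=$(carp_attr "$2" lladdr)
	# The virtual MAC is derived from the vhid: 00:00:5e:00:01:<vhid in hex>
	want=$(printf '00:00:5e:00:01:%02x' "$v1")
	if [ "$v1" != "$v2" ] || [ "$m1" != "$m2" ] || [ "$m1" != "$want" ]; then
		echo "mismatch: vhid $v1/$v2 lladdr $m1/$m2 (expected $want)"; return 3
	fi
	masters=0
	for s in "$s1" "$s2"; do
		if [ "$s" = master ]; then masters=$((masters + 1)); fi
	done
	case $masters in
	1) echo "ok: fw1=$s1 fw2=$s2"; return 0 ;;
	2) echo "split brain: both nodes report master"; return 1 ;;
	*) echo "no master: fw1=$s1 fw2=$s2"; return 2 ;;
	esac
}
carp_check "$FW1_OUT" "$FW2_OUT" || echo "CARP needs attention (rc=$?)"
```

Run it from cron or a monitoring agent after each planned advskew change; a non-zero exit is the signal that the failover did not land where you expected.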
Synchronizing Configuration Files
To maintain consistency between the master and backup, ensure key configuration files such as /etc/pf.conf and /etc/dhcpd.conf are synchronized. Using rsync triggered by file changes is a robust method, which will be covered in an upcoming post.