
Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

High availability on OpenBSD with carp

Posted on 2024-11-15 21:42:00 from Vincent in OpenBSD High Availability

In this post, I explain how to set up high availability services between 2 different machines thanks to carp.


Introduction

Configuring CARP can enhance the availability and reliability of services like DHCP and routing in OpenBSD environments. This guide outlines the steps to set up CARP on two physical firewall machines.

In my specific case, 192.168.1.31 is fw1 and 192.168.1.32 is fw2. The virtual shared IP will be 192.168.1.1.

Enabling CARP on OpenBSD Firewalls

Step 1: Update sysctl Settings

On both machines, ensure packet forwarding and CARP preemption are enabled by adding the following lines to /etc/sysctl.conf:

~ # cat /etc/sysctl.conf
net.inet.ip.forwarding=1   # Permit forwarding (routing) of IPv4 packets
net.inet.carp.preempt=1    # Enable CARP preemption

You can apply these settings with:

sysctl net.inet.ip.forwarding=1
sysctl net.inet.carp.preempt=1

Step 2: Update pf.conf for CARP Traffic

On both machines, allow the CARP advertisements (the heartbeat) between the firewalls by adding the following rule to /etc/pf.conf ($int_if is the macro naming the internal interface that carries them):

pass on $int_if inet proto carp keep state

Then reload the pf configuration:

pfctl -f /etc/pf.conf

Step 3: Create the CARP Interface

On both machines, create the carp1 interface:

ifconfig carp1 create

Step 4: Configure Host-Specific Settings

On each machine, edit the /etc/hostname.carp1 file to define its CARP configuration:

On fw1 (192.168.1.31):

~ # cat /etc/hostname.carp1
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass passcarp carpdev re1 advskew 100

On fw2 (192.168.1.32):

~ # cat /etc/hostname.carp1
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass passcarp carpdev igc1 advskew 50

Explanation of Configuration Parameters:

vhid 1: The Virtual Host ID (must be the same on both machines).
pass passcarp: Shared password for CARP authentication.
carpdev: The physical interface associated with the CARP device.
advskew: Sets priority; lower values make the host more likely to become the master.

Step 5: Reboot and Verify

Reboot both machines. Upon startup, one machine will be the active master, and the other will serve as a backup. You can check the status with:

~ # ifconfig carp

You should have something like this:

fw1:~ # ifconfig carp
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:01
    index 5 priority 15 llprio 3
    carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
    groups: carp
    status: backup
    inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255

fw2:~ # ifconfig carp
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:01
    index 7 priority 15 llprio 3
    carp: MASTER carpdev igc1 vhid 1 advbase 1 advskew 30
    groups: carp
    status: master
    inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255

Please note that the MAC address associated with those 2 carp interfaces is the same ;)
In the case here, fw2 is master and fw1 is the backup.
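As an added check for Step 5 (this script is mine, not part of the original post), the following shell script parses the "ifconfig carp" output of both hosts and verifies the properties described above: exactly one MASTER, the same vhid and virtual MAC on both sides, and the master holding the lowest advskew, which is what net.inet.carp.preempt=1 guarantees. The sample outputs are constructed after the listings above, not captures from fw1/fw2, and the function names are my own. On real hosts you would fill FW1_OUT and FW2_OUT from "ifconfig carp1" run on each machine.

```shell
#!/bin/sh
# Added example: consistency check of two hosts' "ifconfig carp" output.
# The two listings below are constructed after the post's example output
# (hypothetical values, not captures from fw1/fw2).

FW1_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:01
    index 5 priority 15 llprio 3
    carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
    groups: carp
    status: backup
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

FW2_OUT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:01
    index 7 priority 15 llprio 3
    carp: MASTER carpdev igc1 vhid 1 advbase 1 advskew 50
    groups: carp
    status: master
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Constructed failure case: fw1 also claims MASTER. This is what you see when
# the advertisements never reach the peer (pf rule missing) or vhid/pass differ.
FW1_SPLIT=$(printf '%s\n' "$FW1_OUT" | sed 's/carp: BACKUP/carp: MASTER/; s/status: backup/status: master/')

# State word (MASTER / BACKUP / INIT) from the "carp:" line.
carp_state() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $2; exit }'
}

# Virtual MAC from the "lladdr" line (derived from the vhid by the kernel).
carp_lladdr() {
    printf '%s\n' "$1" | awk '$1 == "lladdr" { print $2; exit }'
}

# Value following a keyword (vhid, advbase, advskew, carpdev) on the "carp:" line.
carp_param() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1 == "carp:" { for (i = 2; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Compare the two outputs; prints each problem, returns 0 only if all checks pass.
check_pair() {
    cp_sa=$(carp_state "$1"); cp_sb=$(carp_state "$2"); cp_rc=0
    cp_masters=0
    [ "$cp_sa" = MASTER ] && cp_masters=$((cp_masters + 1))
    [ "$cp_sb" = MASTER ] && cp_masters=$((cp_masters + 1))
    if [ "$cp_masters" -ne 1 ]; then
        echo "FAIL: expected exactly one MASTER, found $cp_masters ($cp_sa / $cp_sb)"
        cp_rc=1
    fi
    if [ "$(carp_param "$1" vhid)" != "$(carp_param "$2" vhid)" ]; then
        echo "FAIL: vhid differs between the two hosts"; cp_rc=1
    fi
    if [ "$(carp_lladdr "$1")" != "$(carp_lladdr "$2")" ]; then
        echo "FAIL: virtual MAC differs between the two hosts"; cp_rc=1
    fi
    # With net.inet.carp.preempt=1 the host with the lowest advskew must be MASTER.
    cp_ka=$(carp_param "$1" advskew); cp_kb=$(carp_param "$2" advskew)
    if [ "$cp_sa" = MASTER ] && [ "$cp_ka" -gt "$cp_kb" ]; then
        echo "FAIL: master has the higher advskew ($cp_ka > $cp_kb)"; cp_rc=1
    fi
    if [ "$cp_sb" = MASTER ] && [ "$cp_kb" -gt "$cp_ka" ]; then
        echo "FAIL: master has the higher advskew ($cp_kb > $cp_ka)"; cp_rc=1
    fi
    [ "$cp_rc" -eq 0 ] && echo "OK: one master, shared vhid/MAC, lowest advskew is master"
    return "$cp_rc"
}

# Healthy pair from the post, then the constructed split-brain case.
check_pair "$FW1_OUT" "$FW2_OUT"
check_pair "$FW1_SPLIT" "$FW2_OUT" || echo "(split-brain case rejected as expected)"
```

The "two MASTER" case is the one worth alarming on: both hosts answer ARP for 192.168.1.1 with the same virtual MAC, so clients see flapping rather than a clean failover. Running this check from cron or a monitoring agent after any change to pf.conf or hostname.carp1 catches a blocked heartbeat before a real failure does.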

Forcing a Role Swap

To manually change which machine is the active master, adjust the advskew value:

Make a machine the master:

~ # ifconfig carp1 advskew 30

Make a machine the backup:

~ # ifconfig carp1 advskew 70

In fact, the machine with the lowest advskew value becomes "master".

Synchronizing Configuration Files

To maintain consistency between the master and backup, ensure key configuration files such as /etc/pf.conf and /etc/dhcpd.conf are synchronized. Using rsync triggered by file changes is a robust method, which will be covered in an upcoming post.
