Re: OpenBSD for routing & firewalling a 100Mbit/s connection

From: NetOne - Doichin Dokov (rootnet1.cc)
Date: Sat Dec 01 2007 - 14:31:15 CST


Carl Roberso wrote:
> Henning Brauer wrote:
>
>> 6000 irq/s is not much.
>> increase sysctl net.inet.ip.ifq.maxlen.
>>
>>
>
> Thank you v-e-r-y much Henning, this seems to have cured the problem.
>
> Another problem seems left, anyway. :(
>
> I'm running bgpd on both OpenBSD boxes: it's really a fine piece of
> software, but when dealing with a setup like mine (the same box does PF & BGP
> routing, from here on "the firewall"), you can get in trouble when using one
> BGP session per provider per firewall, and the uplink ISP gets you some
> packets on firewall A and some others on firewall B (so there isn't a priority
> on the BGP sessions). Another similar problem arises when firewall B becomes
> master: firewall A stops the packet flow, but maybe its BGP sessions
> remain active (the "most" active, or the one with the most priority,
> depends on the ISP).. and packet confusion starts.
>
> Of course a "solution" seems to be having a BGP session active ONLY when a
> given firewall is active.. but this means that when CARP instantly (without
> losing the TCP sessions) helps to switch to the "secondary" firewall..
> everything will be blocked, waiting for the BGP session to download routes.
>
> Do any of you guys have a hint also for this situation (that is, having
> concurrent BGP sessions, but making sure that the "master firewall" gets all
> packets coming from all BGP sessions, without mangling with PF states)?
>
> Again, thank you in advance.
>
The BGP problem is solved by doing this:
You need 3 IPs for communicating with each provider. Let's say you have
172.16.0.1, 172.16.0.2 and 172.16.0.3 to communicate with ISP1.
You set up 172.16.0.1 on Firewall #1, 172.16.0.2 on Firewall #2, and you
set up 172.16.0.3 on both of them with CARP.
Then you establish BGP sessions from 172.16.0.1 and 172.16.0.2 to your
provider, and tell the provider to set the next-hop for both of them to
172.16.0.3.
This way both of the sessions are live, and traffic goes to the active
machine. Once it fails, the other one takes over the common 172.16.0.3
and keeps receiving the traffic without waiting for BGP timeouts, BGP
prefix downloads or anything else.
Do the same with ISP2 and you're ready to go.

Regards,
Doichin
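Added example (not part of the thread, and not bgpd's or either poster's own configuration): the three-address layout Doichin describes, written out as the OpenBSD configuration files for Firewall #1 on the ISP1 side. Only 172.16.0.1, 172.16.0.2 and 172.16.0.3 come from the post; everything else is assumed: the ISP1 router at 172.16.0.254 in AS 65001, the local AS 65000, the announced prefix 192.0.2.0/24, the interfaces em0 (ISP segment) and em1 (crossover link between the two firewalls), the CARP vhid and password, and a bgpd filter rule that rewrites the next-hop on our own announcements to the CARP address rather than asking the provider to do it. Firewall #2 differs only in the three lines marked for it.

```conf
# ===== Firewall #1 (assumed names and values, see lead-in) =====

# /etc/hostname.em0 -- per-box address on the ISP1 segment, source of the BGP session
inet 172.16.0.1 255.255.255.0 NONE
# Firewall #2: inet 172.16.0.2 255.255.255.0 NONE

# /etc/hostname.carp0 -- shared address; this is the next-hop the ISP forwards to.
# "pass" is the assumed CARP password: it authenticates advertisements, so a
# rogue host on the ISP segment cannot announce itself master and steal the VIP.
inet 172.16.0.3 255.255.255.0 172.16.0.255 vhid 1 carpdev em0 pass s3cr3t advskew 0
# Firewall #2: same line with advskew 100 (prefers #1 as master)

# /etc/hostname.pfsync0 -- state sync over the crossover link, so the TCP
# sessions survive the failover the poster relies on (assumed interface em1)
up syncdev em1

# /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.carp.preempt=1         # #1 takes the VIP back when it returns

# /etc/pf.conf (only the rules this setup needs; assumed interface names)
ext_if = "em0"
sync_if = "em1"
pass on $ext_if proto carp                     # CARP advertisements
pass on $sync_if proto pfsync                  # state sync between the two boxes
pass on $ext_if proto tcp from { 172.16.0.1, 172.16.0.2 } to 172.16.0.254 port 179
pass on $ext_if proto tcp from 172.16.0.254 to { 172.16.0.1, 172.16.0.2 } port 179

# /etc/bgpd.conf
AS 65000                        # assumed local AS
router-id 172.16.0.1            # Firewall #2: router-id 172.16.0.2
network 192.0.2.0/24            # assumed prefix we announce

neighbor 172.16.0.254 {         # assumed ISP1 router
    remote-as 65001
    descr "ISP1"
    local-address 172.16.0.1    # pin the session to the per-box address,
                                # never to the CARP address (Firewall #2: 172.16.0.2)
}

# Last matching rule wins: default deny, then accept whatever ISP1 sends us
# and announce only our own prefix, with next-hop rewritten to the CARP VIP.
deny from any
deny to any
allow from 172.16.0.254
allow to 172.16.0.254 prefix 192.0.2.0/24 set nexthop 172.16.0.3
```

Check it with `bgpd -n -f /etc/bgpd.conf` on both boxes, then `bgpctl show neighbor` should report the session Established on each, while `ifconfig carp0` shows MASTER on exactly one of them. If both show MASTER, CARP advertisements are not getting through (typically a pf rule), and both boxes will answer ARP for 172.16.0.3. Two caveats: the rewritten next-hop only works if the provider accepts a third-party next-hop on the shared subnet and does not overwrite it with next-hop-self, otherwise it has to be set on their side as the post says; and after a failover the session from the box that lost the VIP stays up by design, which is exactly what avoids the route download the poster was worried about.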