setting up carp & pfsync on netbsd

pf legacy | carp

tested on netbsd 9.3

introduction

the openbsd and netbsd CARP implementations seem nicer than freebsd's, as they offer dedicated carp(4) interfaces for that purpose.

warning / lessons learned

in case we don't have enough front-facing IP addresses, the workaround of putting an otherwise unused static IP on the physical interface works. we still need to define the default front-facing gateway, and to do so in advance; fortunately, that works.

requirements

you need to rebuild the kernel with NPF disabled

    #pseudo-device  npf                     # NPF packet filter

and with these enabled instead

    pseudo-device pf              # PF packet filter
    pseudo-device pflog           # PF log interface
    pseudo-device pfsync

    pseudo-device   carp                    # Common Address Redundancy Protocol

and optionally ALTQ if you like, see the kernel and tweaks guide.

static host names are always worth defining; list them from the most trusted network to the least trusted

vi /etc/hosts

10.3.3.28       pfsync1
10.3.3.29       pfsync2

10.1.0.28       pfsync1
10.1.0.29       pfsync2

10.4.4.1        pfsync1
10.4.4.2        pfsync2

carp & pfsync setup

kernel settings

mv -i /etc/sysctl.conf /etc/sysctl.conf.dist
grep -vE '^(#|$)' /etc/sysctl.conf.dist > /etc/sysctl.conf
vi /etc/sysctl.conf

ddb.onpanic?=0
kern.securelevel=1
net.inet.ip.forwarding=1
net.inet.carp.allow=1
net.inet.carp.preempt=1

carp (vrrp-like) setup: let us make node1 the preferred master. note that every interface carrying a carp vhid absolutely needs some IP address of its own, even an otherwise unused one

vi ifconfig.xennet0
vi ifconfig.xennet1
vi ifconfig.xennet2
vi ifconfig.carp0
vi ifconfig.carp1
vi ifconfig.pfsync0

node1

ifconfig.xennet0:
inet 10.4.4.1/24 up

ifconfig.xennet1:
inet 10.1.0.28/16 up

ifconfig.xennet2:
inet 10.3.3.28/24 up

ifconfig.carp0:
create
vhid 1 carpdev xennet0 advskew 10 217.19.208.157/29

ifconfig.carp1:
create
vhid 2 carpdev xennet1 advskew 11 10.1.255.254/16

ifconfig.pfsync0:
create
up syncdev xennet2

note that the skews differ between carp0 and carp1 (and between the two nodes) so we can easily tell the carp advertisements apart when sniffing them

node2

ifconfig.xennet0:
inet 10.4.4.2/24 up

ifconfig.xennet1:
inet 10.1.0.29/16 up

ifconfig.xennet2:
inet 10.3.3.29/24 up

ifconfig.carp0:
create
vhid 1 carpdev xennet0 advskew 20 217.19.208.157/29

ifconfig.carp1:
create
vhid 2 carpdev xennet1 advskew 21 10.1.255.254/16

ifconfig.pfsync0:
create
up syncdev xennet2
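as an added example (not part of this guide), a small python check that parses the two nodes' ifconfig.carp0 and ifconfig.carp1 bodies above and verifies the pair is consistent: same vhid, carpdev and virtual address on both nodes, unique vhids, and a strictly lower advskew on the node that should win once net.inet.carp.preempt=1 is set. the file contents are embedded as constructed strings copied from the node1/node2 blocks.

```python
"""Sanity-check a CARP master/backup pair's ifconfig.carpN files (added example)."""
import re

# Constructed input: the carp0/carp1 file bodies from the node1 and node2 blocks above.
NODE1 = {
    "carp0": "create\nvhid 1 carpdev xennet0 advskew 10 217.19.208.157/29\n",
    "carp1": "create\nvhid 2 carpdev xennet1 advskew 11 10.1.255.254/16\n",
}
NODE2 = {
    "carp0": "create\nvhid 1 carpdev xennet0 advskew 20 217.19.208.157/29\n",
    "carp1": "create\nvhid 2 carpdev xennet1 advskew 21 10.1.255.254/16\n",
}

_CARP_LINE = re.compile(r"vhid\s+(\d+)\s+carpdev\s+(\S+)\s+advskew\s+(\d+)\s+(\S+)")


def parse_carp(text):
    """Return {'vhid', 'carpdev', 'advskew', 'addr'} from one ifconfig.carpN body."""
    for line in text.splitlines():
        m = _CARP_LINE.search(line)
        if m:
            return {"vhid": int(m[1]), "carpdev": m[2],
                    "advskew": int(m[3]), "addr": m[4]}
    raise ValueError("no 'vhid ... carpdev ... advskew ...' line found")


def check_pair(master, backup):
    """Return problems (empty when consistent). With net.inet.carp.preempt=1 the
    lower advskew wins, so the preferred master must be lower on every vhid."""
    problems, seen_vhid = [], {}
    for ifname in sorted(set(master) | set(backup)):
        if ifname not in master or ifname not in backup:
            problems.append(f"{ifname}: defined on only one node")
            continue
        m, b = parse_carp(master[ifname]), parse_carp(backup[ifname])
        for key in ("vhid", "carpdev", "addr"):
            if m[key] != b[key]:
                problems.append(f"{ifname}: {key} differs ({m[key]} vs {b[key]})")
        for name, cfg in (("master", m), ("backup", b)):
            if not 0 <= cfg["advskew"] <= 254:  # carp(4) advskew range
                problems.append(f"{ifname}: {name} advskew {cfg['advskew']} out of range 0-254")
        if m["advskew"] >= b["advskew"]:
            problems.append(f"{ifname}: master advskew {m['advskew']} not lower than backup {b['advskew']}")
        if m["vhid"] in seen_vhid:  # one vhid per carp interface on a given segment
            problems.append(f"{ifname}: vhid {m['vhid']} already used by {seen_vhid[m['vhid']]}")
        seen_vhid[m["vhid"]] = ifname
    return problems
```

run it against the real files on both nodes before rebooting; an empty list means node1 will take every vhid and node2 will only ever be backup.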

it seems we should NOT point the NAT and RDR rules at carp0 instead of xennet0. you may, however, want to add these to pf.conf so the carp and pfsync traffic is never filtered:

set skip on carp
set skip on pfsync

ready to go

shutdown -r now

and check

sysctl kern.securelevel
sysctl net.inet.ip.forwarding
sysctl net.inet.carp.allow
sysctl net.inet.carp.preempt

ifconfig carp0
ifconfig carp1

ifconfig pfsync0

resources

https://man.netbsd.org/carp.4

https://man.netbsd.org/pfsync.4

https://www.oreilly.com/library/view/the-book-of/9781593271657/ch02s03.html

yandex cloud

https://cloud.yandex.ru/ru/docs/troubleshooting/vpc/how-to/using-failsafe-vpn ==> no layer 2 available there


Copyright © 2024 Pierre-Philipp Braun