Discussion:
vrrp vs. carp
sam
2005-02-25 14:27:49 UTC
Hi,

It looks like freevrrp in freebsd only deals with redundancy control
within a machine using two network cards. How about redundant firewalls
like CARP? It looks like CARP deals with redundant firewalls.

If VRRP can be set up to handle redundant firewalls, how can I set up
VRRP for this?

Thanks
Sam
David Magda
2005-02-26 21:45:01 UTC
Post by sam
It looks like freevrrp in freebsd only deals with redundancy control
within a machine using two network cards. How about redundant
firewalls like CARP? It looks like CARP deals with redundant
firewalls.
CARP is a way for two or more machines to share an IP: whether that IP
is used for firewalls, web servers, DNS servers, etc. is
irrelevant. It's a way for multiple machines to keep tabs on each
other, and if the one that currently has the IP stops functioning
another machine takes over.

It's a more general solution than simply firewalls (though it is
used in that way).
Post by sam
If VRRP can be setup to handle redundant firewalls, how can I setup
a VRRP for this?
For what? Redundant firewalls? That's the only thing that VRRP does
-- firewalls. That's what the letters stand for: Virtual Router
Redundancy Protocol. See RFC 3768 for details.

Be advised that Cisco may hold some patents to VRRP and it may be
necessary to pay Cisco for their use. Check with a lawyer to be sure. This
is one of the reasons why CARP was created: the people at OpenBSD
didn't like the patent issue, so they created a protocol that did the same
thing (even better) which was patent-free.
--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
sam
2005-02-27 15:49:31 UTC
Post by David Magda
Post by sam
It looks like freevrrp in freebsd only deals with redundancy control
within a machine using two network cards. How about redundant
firewalls like CARP? It looks like CARP deals with redundant
firewalls.
CARP is a way for two or more machines to share an IP: whether that IP
is used for firewalls, web servers, DNS servers, etc. is
irrelevant. It's a way for multiple machines to keep tabs on each
other, and if the one that currently has the IP stops functioning
another machine takes over.
I know it will be very different, but freevrrp seemingly can do the same
thing as you mentioned above. But with a freevrrp setup, there is no need
for a crossover connection on a third ethernet interface card between two
machines.
Post by David Magda
It's a more general solution than simply firewalls (though it is
used in that way).
Post by sam
If VRRP can be set up to handle redundant firewalls, how can I set up
VRRP for this?
For what? Redundant firewalls? That's the only thing that VRRP does
-- firewalls. That's what the letters stand for: Virtual Router
Redundancy Protocol. See RFC 3768 for details.
I thought freevrrp allows the rest of machines share one virtual IP and
virtual MAC address.
Post by David Magda
Be advised that Cisco may hold some patents to VRRP and it may be
necessary to pay Cisco for their use. Check with a lawyer to be sure. This
is one of the reasons why CARP was created: the people at OpenBSD
didn't like the patent issue, so they created a protocol that did the same
thing (even better) which was patent-free.
Yup, I read these messages before.
Technically, I experienced some problems after compiling CARP into the
FreeBSD kernel. The problem was when I had CARP in the kernel and
started freevrrp, and when I unplugged the ethernet cable, the console
of the FreeBSD gateway printed a lot of "ON-CARP...." messages until the
network connection dropped; the entire system appeared to respond very
slowly, not sure whether the CPU was busy at that moment, so every key
stroke I typed on the console screen responded very slowly. After removing
CARP from the kernel, the problem was gone. Maybe I shouldn't compile CARP
into the kernel if I don't intend to use it.

Maybe freevrrp got implemented a long time ago (earlier than CARP), and is
used by many people already, that's why I would like to go for freevrrp
in freebsd for the time being. However when CARP gets mature in FreeBSD,
I will definitely switch to CARP.

Sam.
Greg Hennessy
2005-02-27 18:07:36 UTC
Post by sam
I know it will be very different, but freevrrp seemingly can do the same
thing as you mentioned above. But with a freevrrp setup, there is no need
for a crossover connection on a third ethernet interface card between two
machines.
If you want the firewall to failover gracefully courtesy of pfsync you do.

Given VRRP and CARP share the same IP Protocol number it's not exactly
surprising that you experience problems when you try using both at the same
time.

~ $ grep -i carp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
~ $ grep -i vrrp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol


Carp is better integrated and less hassle than freevrrp. It's not hard to
set up either.

http://www.countersiege.com/doc/pfsync-carp/




greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
sam
2005-02-28 12:39:51 UTC
Post by Greg Hennessy
Post by sam
I know it will be very different, but freevrrp seemingly can do the same
thing as you mentioned above. But with a freevrrp setup, there is no need
for a crossover connection on a third ethernet interface card between two
machines.
If you want the firewall to failover gracefully courtesy of pfsync you do.
Given VRRP and CARP share the same IP Protocol number it's not exactly
surprising that you experience problems when you try using both at the same
time.
~ $ grep -i carp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
~ $ grep -i vrrp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
Carp is better integrated and less hassle than freevrrp. It's not hard to
set up either.
http://www.countersiege.com/doc/pfsync-carp/
Do you know its efficiency and stability compared to freevrrp? I know
CARP does not have password authentication between pfsync traffic.
I will certainly switch over to CARP if it is stable and efficient like
freevrrp.

Thanks
Sam
Post by Greg Hennessy
greg
Eric Masson
2005-02-28 13:09:10 UTC
sam> I know CARP does not have password authentication between pfsync
sam> traffic.

This sentence doesn't mean anything, carp & pfsync are 2 *distinct*
beasts that can work together to achieve a firewall/router failover
setup.

Carp has a password mechanism, unlike pfsync (atm; I've read about auth
support being in the pipe).

So atm, you should use pfsync+carp in one of the setups described here
(private link for pfsync):
http://www.countersiege.com/doc/pfsync-carp/

sam> I will certainly switch over to CARP if it is stable and efficient
sam> like freevrrp.

What are the referrals for such a statement?
pfsync+carp work fine on a dozen groups of machines at one of my
client's sites.

Éric Masson
--
Indeed, the FAQs are "usage advice"
and not rules to be followed.
-+-BC in <http://www.le-gnu.net> If you want some CU, go back to the FAQ-+-
sam
2005-02-28 13:57:11 UTC
Post by Eric Masson
sam> I know CARP does not have password authentication between pfsync
sam> traffic.
This sentence doesn't mean anything, carp & pfsync are 2 *distinct*
beasts that can work together to achieve a firewall/router failover
setup.
Sorry, I'm still new to CARP and pfsync stuff.
Post by Eric Masson
Carp has a password mechanism, unlike pfsync (atm; I've read about auth
support being in the pipe).
So atm, you should use pfsync+carp in one of the setups described here
http://www.countersiege.com/doc/pfsync-carp/
This document does not describe how to set up the password mechanism for
CARP. Do you mind sharing your findings here?
Post by Eric Masson
sam> I will certainly switch over to CARP if it is stable and efficient
sam> like freevrrp.
What are the referrals for such a statement?
pfsync+carp work fine on a dozen groups of machines at one of my
client's sites.
Thanks for your reference, it convinced me it should work well.
My client has about 100 machines, I think there shouldn't be any
problem with this load.
If I install a dhcpd service in each bsd server with CARP failover
implemented, do you think DHCP clients will still work fine when the dhcpd
service is switched to another bsd server?

Thanks
Sam
Post by Eric Masson
Éric Masson
Eric Masson
2005-02-28 14:48:09 UTC
sam> This document does not describe how to set up the password mechanism
sam> for CARP. Do you mind sharing your findings here?

man 4 carp

sam> If I install a dhcpd service in each bsd server with CARP
sam> failover implemented, do you think DHCP clients will still work
sam> fine when the dhcpd service is switched to another bsd server?

I don't see the point in mixing carp & dhcp here. Just look at the failover
capabilities in your dhcpd documentation.

Éric Masson
--
Besides, I wonder what the point is of "quoting" someone else's text,
since an article always carries the reference of the one it
replies to. And then, there is dejanews.... so....
-+- CB in: <http://www.le-gnu.net> - You should have kept up -+-
sam
2005-02-28 15:06:45 UTC
Post by Eric Masson
sam> This document does not describe how to set up the password mechanism
sam> for CARP. Do you mind sharing your findings here?
man 4 carp
I have compiled carp into the kernel, but without man pages for carp.
I can solve this by looking up the man pages on the openbsd website.
Post by Eric Masson
sam> If I install a dhcpd service in each bsd server with CARP
sam> failover implemented, do you think DHCP clients will still work
sam> fine when the dhcpd service is switched to another bsd server?
I don't see the point in mixing carp & dhcp here. Just look at the failover
capabilities in your dhcpd documentation.
The reason I want to mix failover dhcpd in a failover PF firewall is to
reduce the hardware cost for my client. This pair of PF firewalls will
be installed in their internal network, so mixing it together is
probably ok.

Thanks for the hints
Sam
Post by Eric Masson
Éric Masson
Torfinn Ingolfsen
2005-03-01 01:49:26 UTC
Post by sam
The reason I want to mix failover dhcpd in a failover PF firewall is to
reduce the hardware cost for my client. This pair of PF firewalls will
be installed in their internal network, so mixing it together is
probably ok.
You will need to keep two separate things in your mind at the same time
here (no offence implied). What Eric was telling you is that dhcpd has
its own failover mechanism. You should read up on that, and implement it
if you want failover for dhcpd. Trying to make it another way will
probably give you more headaches than solutions, as already pointed out
by Greg.

Good luck.
--
Torfinn Ingolfsen,
Norway
sam
2005-03-01 06:23:11 UTC
Post by Torfinn Ingolfsen
Post by sam
The reason I want to mix failover dhcpd in a failover PF firewall is
to reduce the hardware cost for my client. This pair of PF firewalls
will be installed in their internal network, so mixing it together is
probably ok.
You will need to keep two separate things in your mind at the same time
here (no offence implied). What Eric was telling you is that dhcpd has
its own failover mechanism. You should read up on that, and implement it
if you want failover for dhcpd. Trying to make it another way will
probably give you more headaches than solutions, as already pointed out
by Greg.
Yup, I realised this is the problem if the two things are combined into one,
because the firewall failover is not synced with the dhcpd failover; they are
totally two different things.

Thanks
Sam
Post by Torfinn Ingolfsen
Good luck.
Greg Hennessy
2005-02-28 15:58:37 UTC
Post by sam
If I install a dhcpd service in each bsd server with CARP failover
implemented, do you think DHCP clients will still work fine when the dhcpd
service is switched to another bsd server?
Unless you come up with a mechanism to replicate the DHCP lease database
between primary and standby, it will break things regardless of what
network failover method you choose.



greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
Greg Hennessy
2005-02-28 15:58:37 UTC
Post by sam
Post by Greg Hennessy
If you want the firewall to failover gracefully courtesy of pfsync you do.
Given VRRP and CARP share the same IP Protocol number it's not exactly
surprising that you experience problems when you try using both at the same
time.
~ $ grep -i carp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
~ $ grep -i vrrp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
Carp is better integrated and less hassle than freevrrp. It's not hard to
set up either.
http://www.countersiege.com/doc/pfsync-carp/
Do you know its efficiency and stability compared to freevrrp?
It works and works well
Post by sam
I know
CARP does not have password authentication between pfsync traffic.
As Eric says, two completely different things, carp does have
authentication.



greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
sam
2005-03-01 06:32:32 UTC
Post by Greg Hennessy
Post by sam
Post by Greg Hennessy
If you want the firewall to failover gracefully courtesy of pfsync you do.
Given VRRP and CARP share the same IP Protocol number it's not exactly
surprising that you experience problems when you try using both at the same
time.
~ $ grep -i carp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
~ $ grep -i vrrp /etc/protocols
carp 112 CARP vrrp # Common Address Redundancy Protocol
Carp is better integrated and less hassle than freevrrp. It's not hard to
set up either.
http://www.countersiege.com/doc/pfsync-carp/
Do you know its efficiency and stability compared to freevrrp?
It works and works well
Post by sam
I know
CARP does not have password authentication between pfsync traffic.
As Eric says, two completely different things, carp does have
authentication.
freevrrp does have authentication as well. From the comparison between
HSRP and VRRP, the concepts are identical. I'm not sure how many people
prefer HSRP over VRRP in Cisco's world. But from my own experience,
freevrrp does not use a dedicated ethernet port (with crossover cable)
for the detection of failover. How would this affect the rest of the
failover operation? Maybe freevrrp still uses icmp to discover
whether the other vrrp server is still up or down. Does CARP use the same
mechanism?

One bad thing with freevrrp is the initial setup of freevrrp gave me a
very bad impression, while setting up carp is very smooth. With
freevrrp, I don't know why one of the virtual IP on an ethernet port is
not reachable. CARP has no such "mystery" problem.

Sam.
Post by Greg Hennessy
greg
Greg Hennessy
2005-03-01 09:44:33 UTC
Post by sam
Post by Greg Hennessy
As Eric says, two completely different things, carp does have
authentication.
freevrrp does have authentication as well. From the comparison between
HSRP and VRRP, the concepts are identical. I'm not sure how many people
prefer HSRP over VRRP in Cisco's world.
One doesn't have much choice with Crisco given HSRP is the only game in town
with their kit.
Post by sam
But from my own experience,
freevrrp does not use a dedicated ethernet port (with crossover cable)
for the detection of failover.
You're getting mixed up with PFSync again.



Greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
Eric Masson
2005-03-01 10:03:27 UTC
Greg> One doesn't have much choice with Crisco given HSRP is the only
Greg> game in town with their kit.

Meeep, since ios 12.2, if the chosen platform supports it, you can use vrrp.

Éric Masson
--
70% of frjv are newbies? And once they no longer are, what
do they do? Do they leave frjv because it's too crappy? Because
if they stay and keep their behaviour, they become dimwits.
-+- XB in: <http://www.le-gnu.net> - You will be a dimwit, my son -+-
Greg Hennessy
2005-03-01 11:42:01 UTC
Post by Eric Masson
Greg> One doesn't have much choice with Crisco given HSRP is the only
Greg> game in town with their kit.
Meeep, since ios 12.2, if the chosen platform supports it, you can use vrrp.
Everyday a school day :-)
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
Eric Masson
2005-03-01 12:04:49 UTC
Greg> Everyday a school day :-)

Sure :)

Éric Masson
--
in the end it remains a personal decision, without external
constraints, since there is nothing to prove in this domain to the
exogenous control variables
-+- JPJ - <http://www.le-gnu.net> - Dimwit puts on airs -+-
Steinar Haug
2005-03-01 10:33:46 UTC
[Greg Hennessy]

| One doesn't have much choice with Crisco given HSRP is the only game in town
| with their kit.

Cisco implements VRRP on a few platforms and IOS releases - but certainly
not all.

Steinar Haug, Nethelp consulting, ***@nethelp.no
Greg Hennessy
2005-03-01 11:42:01 UTC
Post by Steinar Haug
[Greg Hennessy]
| One doesn't have much choice with Crisco given HSRP is the only game in town
| with their kit.
Cisco implements VRRP on a few platforms and IOS releases - but certainly
not all.
As I said, everyday a school day :-)
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
Lowell Gilbert
2005-03-01 14:18:39 UTC
Post by sam
freevrrp does have authentication as well.
The VRRP standard was updated a year ago (RFC 3768), and
authentication was removed from it, because experience showed that it
didn't do any good. [Which makes sense; who cares whether the servers
authenticate to each other if a rogue server can spoof the MAC address
anyway; the authentication isn't really protecting anything.]
Post by sam
I'm not sure how many people
prefer HSRP over VRRP in Cisco's world. But from my own experience,
freevrrp does not use a dedicated ethernet port (with crossover cable)
for the detection of failover. How would this affect the rest of the
failover operation? Maybe freevrrp still uses icmp to discover
whether the other vrrp server is still up or down.
I would assume that freevrrp uses VRRP to keep track of the other
server. VRRP is IP protocol type 112.

Although there is no official definition of the CARP protocol, it's
somewhat similar (which leads me to think that OpenBSD are kidding
themselves about avoiding the VRRP patents by creating CARP instead).
Either way, it's primarily useful in keeping your gateway and DNS
server (which are configured by IP address, and cannot be configured
by domain name) reachable. CARP includes examples about keeping your
mail server available, but that can be accomplished by switching over
the IP address *without* playing games with a MAC address. [On
non-broadcast media, it's a little more useful, but the
O.P. specifically mentioned Ethernet.]
David Magda
2005-03-02 20:35:03 UTC
Post by Lowell Gilbert
The VRRP standard was updated a year ago (RFC 3768), and
authentication was removed from it, because experience showed that
it didn't do any good. [Which makes sense; who cares whether the
servers authenticate to each other if a rogue server can spoof the
MAC address anyway; the authentication isn't really protecting
anything.]
CARP has shared secret authentication FWIW. Whether this
is important or not is up to the OP.
Post by Lowell Gilbert
I would assume that freevrrp uses VRRP to keep track of the other
server. VRRP is IP protocol type 112.
Since IANA / IETF won't give CARP its own protocol number it also
uses 112 (by default, you can change this by editing /etc/protocol
file).
Post by Lowell Gilbert
accomplished by switching over the IP address *without* playing
games with a MAC address. [On non-broadcast media, it's a little
more useful, but the O.P. specifically mentioned Ethernet.]
CARP does not do anything with the MAC address -- it is completely at
the network level. Each host keeps its MAC; only the IP moves from
one host to another. Since there is no fiddling with the MAC there
may be some delay in failover since ARP caches have to be updated to
reflect the new location of the IP.
--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
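Two points in this thread are easiest to see on the wire: Greg's observation that VRRP and CARP both ride IP protocol 112, and the later exchange about RFC 3768 dropping VRRP authentication while CARP keeps a shared-secret HMAC. The following is an added example, not code from any poster, from freevrrp or from the BSD kernels. It builds and decodes both advertisement formats, shows that the version/type byte alone cannot tell them apart, and verifies a CARP HMAC against a constructed password. The VRRPv2 layout follows RFC 3768; the CARP field layout follows the 36-byte carp_header struct; the exact byte sequence CARP hashes is an assumption here (labelled in the code), so against real CARP traffic the `carp_mac` input would have to be taken from ip_carp.c before trusting the result.

```python
"""Telling VRRPv2 and CARP apart on IP protocol 112, and checking integrity.

Added example for this thread; not code from any poster or from the BSD
kernels. VRRPv2 layout: RFC 3768 section 5. CARP layout: the 36-byte
carp_header struct (version/type, vhid, advskew, authlen, demotion, advbase,
checksum, 64-bit counter, 20-byte SHA1 HMAC). The bytes CARP feeds to its
HMAC are ASSUMED here (version/type byte, vhid, counter); the kernel's
ip_carp.c is the authority. All packets below are constructed samples.
"""
import hashlib
import hmac
import struct

VT_ADVERT = 0x21      # version 2, type 1 (advertisement): identical in BOTH protocols
CARP_LEN = 36         # fixed carp_header size
CARP_AUTHLEN = 7      # counter (8) + hash (20) = 28 bytes = 7 32-bit words


def cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2(vrid, prio, addrs, adver_int=1):
    """RFC 3768 advertisement: auth type 0 and eight zero bytes of auth data."""
    head = struct.pack("!BBBBBBH", VT_ADVERT, vrid, prio, len(addrs), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs) + bytes(8)
    return head[:6] + struct.pack("!H", cksum(head + body)) + body


def carp_mac(password, vhid, counter):
    """ASSUMED HMAC-SHA1 input; key is the password zero-padded/cut to 20 bytes."""
    key = password.ljust(20, b"\x00")[:20]
    msg = bytes([VT_ADVERT, vhid]) + struct.pack("!Q", counter)
    return hmac.new(key, msg, hashlib.sha1).digest()


def build_carp(vhid, advskew, advbase, counter, password):
    """CARP advertisement with a valid checksum and (assumed-layout) HMAC."""
    head = struct.pack("!BBBBBBH", VT_ADVERT, vhid, advskew, CARP_AUTHLEN, 0, advbase, 0)
    tail = struct.pack("!Q", counter) + carp_mac(password, vhid, counter)
    return head[:6] + struct.pack("!H", cksum(head + tail)) + tail


def classify(payload, carp_password=None):
    """Decode one protocol-112 payload.

    The first byte is 0x21 for both protocols, so neither the protocol number
    nor a version/type check can separate them. Length plus the byte at
    offset 3 (VRRP: number of addresses; CARP: authlen, always 7) can: a VRRP
    packet carrying 5 addresses is also 36 bytes, but offset 3 then holds 5.
    """
    if len(payload) < 8 or payload[0] != VT_ADVERT:
        return {"proto": "unknown", "reason": "not a v2 advertisement"}
    if cksum(payload) != 0:
        return {"proto": "unknown", "reason": "bad checksum"}
    b1, b2, b3, b4, b5 = payload[1:6]
    if len(payload) == CARP_LEN and b3 == CARP_AUTHLEN:
        counter = struct.unpack("!Q", payload[8:16])[0]
        auth_ok = None  # unknown until a password is supplied
        if carp_password is not None:
            auth_ok = hmac.compare_digest(payload[16:], carp_mac(carp_password, b1, counter))
        return {"proto": "carp", "vhid": b1, "advskew": b2, "advbase": b5,
                "counter": counter, "auth_ok": auth_ok}
    if b4 == 0 and len(payload) == 16 + 4 * b3:  # auth type 0 per RFC 3768
        addrs = [".".join(str(x) for x in payload[8 + 4 * i:12 + 4 * i]) for i in range(b3)]
        return {"proto": "vrrp", "vrid": b1, "priority": b2, "adver_int": b5, "addrs": addrs}
    return {"proto": "unknown", "reason": "neither layout fits"}


if __name__ == "__main__":
    v = build_vrrp2(1, 100, ["192.168.1.1"])
    c = build_carp(1, 0, 1, 42, b"s3cret")
    print("same first byte:", v[0] == c[0])
    print(classify(v))
    print(classify(c, b"s3cret"))
```

On a monitoring host this is the shape of check worth running over captured protocol-112 traffic: an advertisement for a vhid you run whose HMAC does not verify, or a VRRP advertisement for a vrid you run from an unexpected source, is exactly the rogue-server case Lowell describes, and VRRP under RFC 3768 gives you no authentication field to catch it with.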