"That which is overdesigned, too highly specific, anticipates outcome; the anticipation of outcome guarantees, if not failure, the absence of grace."
-- William Gibson, All Tomorrow's Parties
Redundant awesomeness with OpenBSD, CARP+pfsync.

Friday I installed OBSD 3.9 on two Dell 1850s and configured CARP and pfsync. It was amazingly trivial. If you need failover systems of pretty much any sort, this is the way to go.

To quote the OpenBSD FAQ page:

CARP is the Common Address Redundancy Protocol. Its primary purpose is to allow multiple hosts on the same network segment to share an IP address. CARP is a secure, free alternative to the Virtual Router Redundancy Protocol and the Hot Standby Router Protocol.

It takes about five minutes to set up, and about fifteen minutes playing "plug/unplug the systems and watch the ifconfig state change, tee-hee!". Kind of like that episode of the Simpsons where Homer keeps pulling on the pig's tail.

"Curly! Straight! Curly! Straight!"

Only CARP just does what it does instead of biting your face off like a certain piggy.

pfsync is, simply, a way to sync your firewall state tables to a group of hosts on a trusted network of some sort. So when your primary firewall/proxy/whatever dies, and a backup kicks in, your users don't notice anything -- they don't lose their sessions. Quite awesome.

Firewall Failover with pfsync and CARP

PF: Firewall Redundancy with CARP and pfsync

The PF page there is pretty much all you need. Getting it working is maddeningly easy and it Just Works.
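As an added illustration of the setup the post describes (not from the original post, and not copied from the OpenBSD FAQ it links), here is the minimal set of files for a pair of firewalls sharing one virtual address on each side, with state synced over a dedicated link. Interface names (em0/em1/em2), addresses, the CARP password and the vhid values are assumed placeholders; each box also keeps its own real address on em0 and em1 in hostname.em0/hostname.em1 (not shown). The dedicated em2 link matters because pfsync traffic itself is not authenticated, so it should never share a segment with untrusted hosts.

```conf
# --- Master: /etc/hostname.carp0 (external side) ---
# Same vhid and password on both boxes; the lower advskew wins MASTER.
# On the backup box use "advskew 100" instead of "advskew 0".
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 advskew 0 pass carpsecret

# --- Master: /etc/hostname.carp1 (internal side) ---
# Different vhid per virtual address; again advskew 100 on the backup.
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em1 advskew 0 pass carpsecret

# --- Both boxes: /etc/hostname.pfsync0 ---
# State updates go out em2, a crossover cable between the two firewalls.
up syncdev em2

# --- Both boxes: /etc/sysctl.conf ---
# preempt makes all CARP interfaces on a host fail over together, so the
# external and internal sides never end up mastered by different boxes.
net.inet.carp.preempt=1

# --- Both boxes: /etc/pf.conf fragment ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
# CARP advertisements and pfsync updates must be passed explicitly.
# (no-sync) keeps the states these rules create out of the pfsync stream,
# so the two boxes do not ping-pong their own housekeeping states.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)
```

After a reboot (or `sh /etc/netstart`), `ifconfig carp0` shows one box as MASTER and the other as BACKUP, and unplugging the master's em0 should flip the roles within a few seconds while existing sessions survive.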

May 30, 2006 9:37 PM