Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firewall Failover With pfsync And CARP

Posted by timothy on from the careful-acronym-arrangment dept.

Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync syncronizes packet filter state information among nodes. The combination allows to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."

3 of 60 comments (clear)

  1. Re:I wonder... by dhartmei · · Score: 5, Informative
    Filtering ordinary traffic (not extreme test-cases of minimal packets, average number of packets/connection) statefully at 100Mbps doesn't require much hardware. Even little Soekris boxes (embedded 486 133MHz) can do that.

    For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.

    If you want specific names/models, the mailing list archives contain the reports.

  2. Re:I wonder... by hdw · · Score: 5, Informative

    I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.

    And I know that I've reached over 40Mb/s without any sign of problem with the firewall.

    So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.

    I think the selecting a good NIC is more important. // hdw

    --
    Executive Pope (small) Kallisti Engineering
  3. Re:This is awesome by dhartmei · · Score: 5, Informative
    What CARP/pfsync does is transparent balancing on IP level. Each client connection is redirected to an arbitrary available server. This works for applications where each server can independantly handle a client request, like serving stateless HTTP or DNS from multiple servers.

    For SQL, clustering is much more involved. One client might insert data that must propagate to the other server, or locks across all servers must be obtained, etc. This cannot be done transparently on IP level, the servers themselves must support it.

    Search for replication, clustering or redundancy together with postgresql, you'll find erserver etc. Except for very special cases (like read-only databases), this way beyond IP level packet filtering ;)