I have a pair of network gateway boxes running FreeBSD 11 and pf. Upstream runs VRRP to provide redundant links, one to each gateway. Internally I'm using CARP for failover.

All works well, but I find that manually failing over the link is a bit complicated. In short I have this:

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    carp: BACKUP vhid 1 advbase 1 advskew 50
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    carp: BACKUP vhid 2 advbase 1 advskew 50
igb0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: active
    vlan: 2 vlanpcp: 0 parent interface: igb0
    carp: BACKUP vhid 3 advbase 1 advskew 50
    groups: vlan

That's two internal vlans and one external network. Each interface has its own vhid since that's the advice I had in the past.

Now, what command can I type that I could run remotely (SSH over the em0 link) to force all the CARP addresses simultaneously to decrease the advskew and become MASTER. Alternatively I could run something on the MASTER to make it BACKUP. Everything I've done so far is one command per interface which has got me in trouble before as I manage to accidentally remove my own access to the box before I'm done.

Cheers
Ari

please cc me.

--
-------------------------->
Aristedes Maniatis
CEO, ish
https://www.ish.com.au
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

Do you have the preemption sysctl enabled? That will fail-over all carp interfaces when any one fails.

"sysctl -a | grep carp"

I'm pretty sure there's also an ifconfig command to force the state as either master or backup. Check the man page.

On Feb 28, 2017 5:01 PM, "Aristedes Maniatis" <ari at ish.com.au> wrote:
> I have a pair of network gateway boxes running FreeBSD 11 and pf. Upstream
> runs VRRP to provide redundant links, one to each gateway. Internally I'm
> using CARP for failover.
>
> All works well, but I find that manually failing over the link is a bit
> complicated. In short I have this:
>
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
> mtu 1500
>     media: Ethernet autoselect (100baseTX <full-duplex>)
>     status: active
>     carp: BACKUP vhid 1 advbase 1 advskew 50
> igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
> mtu 1500
>     media: Ethernet autoselect (1000baseT <full-duplex>)
>     status: active
>     carp: BACKUP vhid 2 advbase 1 advskew 50
> igb0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric
> 0 mtu 1500
>     status: active
>     vlan: 2 vlanpcp: 0 parent interface: igb0
>     carp: BACKUP vhid 3 advbase 1 advskew 50
>     groups: vlan
>
> That's two internal vlans and one external network. Each interface has its
> own vhid since that's the advice I had in the past.
>
> Now, what command can I type that I could run remotely (SSH over the em0
> link) to force all the CARP addresses simultaneously to decrease the
> advskew and become MASTER. Alternatively I could run something on the
> MASTER to make it BACKUP. Everything I've done so far is one command per
> interface which has got me in trouble before as I manage to accidentally
> remove my own access to the box before I'm done.
>
> Cheers
> Ari
>
> please cc me.
>
> --
> -------------------------->
> Aristedes Maniatis
> CEO, ish
> https://www.ish.com.au
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

On Tue, Feb 28, 2017 at 7:58 PM, Aristedes Maniatis <ari at ish.com.au> wrote:
> Now, what command can I type that I could run remotely (SSH over the em0
> link)

The first thing you might want to look at is screen / tmux.

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net

> On 1 Mar 2017, at 01:58, Aristedes Maniatis <ari at ish.com.au> wrote:
>
> I have a pair of network gateway boxes running FreeBSD 11 and pf. Upstream runs VRRP to provide redundant links, one to each gateway. Internally I'm using CARP for failover.
>
> All works well, but I find that manually failing over the link is a bit complicated. In short I have this:
>
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>     media: Ethernet autoselect (100baseTX <full-duplex>)
>     status: active
>     carp: BACKUP vhid 1 advbase 1 advskew 50
> igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>     media: Ethernet autoselect (1000baseT <full-duplex>)
>     status: active
>     carp: BACKUP vhid 2 advbase 1 advskew 50
> igb0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>     status: active
>     vlan: 2 vlanpcp: 0 parent interface: igb0
>     carp: BACKUP vhid 3 advbase 1 advskew 50
>     groups: vlan
>
> That's two internal vlans and one external network. Each interface has its own vhid since that's the advice I had in the past.
>
> Now, what command can I type that I could run remotely (SSH over the em0 link) to force all the CARP addresses simultaneously to decrease the advskew and become MASTER. Alternatively I could run something on the MASTER to make it BACKUP. Everything I've done so far is one command per interface which has got me in trouble before as I manage to accidentally remove my own access to the box before I'm done.

You may look into this sysctl:

# sysctl -d net.inet.carp.demotion
net.inet.carp.demotion: Adjust demotion factor (skew of advskew)

Its value gets changed automatically if some event occurs (look into net.inet.carp.ifdown_demotion_factor, net.inet.carp.senderr_demotion_factor, net.pfsync.carp_demotion_factor), but you may also control it manually.

A positive value will increase the advskew of _all_ CARP announcements (on the wire, not visible with ifconfig IIRC) and therefore reduce the priority of the node. A negative value will of course do the opposite. Like this you can raise/lower the advskew above/below the other node and trigger a failover. net.inet.carp.preempt must be 1 on both nodes for this to have an immediate effect.

Beware that net.inet.carp.demotion expects _relative_ values when altered through the sysctl interface. So 'sysctl net.inet.carp.demotion=100' will increase its current value by 100 and 'sysctl net.inet.carp.demotion=-100' will decrease its current value by 100.

Markus
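
Added example, not part of the thread: a /bin/sh sketch of the single-command failover described in the last reply, which turns the relative write to net.inet.carp.demotion into "set to this target" and then checks that every vhid landed in the same state. The function names and the 3-second wait are assumptions; set_demotion needs root on a FreeBSD host with net.inet.carp.preempt=1 on both nodes.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the thread.

# net.inet.carp.demotion takes relative values, so work out the delta
# that moves the current value to the wanted target.
demotion_delta() {  # usage: demotion_delta CURRENT TARGET
    echo $(( $2 - $1 ))
}

# Read ifconfig output on stdin and summarise its "carp:" lines:
# prints the common state if all vhids agree, MIXED if they do not,
# NONE if no CARP line was seen.
carp_state() {
    awk '$1 == "carp:" { seen[$2] = 1; n++ }
         END {
             if (n == 0) { print "NONE"; exit }
             c = 0; for (s in seen) { c++; last = s }
             print (c == 1 ? last : "MIXED")
         }'
}

# One command for all interfaces: move the demotion factor to TARGET,
# wait for the election, and report the resulting state.
set_demotion() {  # usage: set_demotion TARGET [WAIT_SECONDS]
    cur=$(sysctl -n net.inet.carp.demotion) || return 1
    delta=$(demotion_delta "$cur" "$1")
    if [ "$delta" -ne 0 ]; then
        sysctl net.inet.carp.demotion="$delta" >/dev/null || return 1
    fi
    sleep "${2:-3}"   # assumed settle time
    ifconfig | carp_state
}

# Constructed sample in the format of the ifconfig output quoted above,
# with one vhid deliberately left in a different state.
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 1 advbase 1 advskew 50
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 2 advbase 1 advskew 50
igb0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 3 advbase 1 advskew 50
EOF
}
```

A MIXED result is the split state the original question is worried about, so a wrapper should treat it as a failure rather than as a completed failover.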