Site-to-site OpenVPN tunnel with PFSense + CARP causes recurring packet loss

I have two datacenters, each with two pfSense 2.1.5 servers running in CARP failover mode.

I have an OpenVPN shared-key tunnel set up between the two datacenters, pointing at the remote CARP public IP address. Each site runs both a client and a server, so they are connected in both directions.

Internally, I have the remote gateway pointing at the internal CARP address on the firewalls, so if one firewall fails, the servers behind it can get out through either firewall.

Everything works and I can communicate normally between the two sites... for about 30 seconds. At a fixed interval the connection between them drops, and everything except PING breaks. For example, mapped drives between the two time out, database connections drop, etc., but I can always ping successfully and consistently.

This is driving me crazy. I'm not sure whether OpenVPN, CARP, or some combination of the two is causing the problem. If IPSEC would support this configuration better, I'm willing to switch to IPSEC.

Network configuration:

DATACENTER 1:
10.1.1.x => INTERNAL NETWORK
10.1.1.2 => pfSense 1
55.55.55.66 => pfSense 1 WAN address
10.1.1.3 => pfSense 2
55.55.55.67 => pfSense 2 WAN address
55.55.55.68 => PUBLIC, CARP address
10.1.1.4 => Internal CARP address (gateway for all servers behind the firewall)
10.1.253.x => CARP private subnet (for heartbeats)

DATACENTER 2:
192.168.1.x => INTERNAL NETWORK
192.168.1.2 => pfSense 1
88.88.88.66 => pfSense 1 WAN address
192.168.1.3 => pfSense 2
88.88.88.67 => pfSense 2 WAN address
88.88.88.68 => PUBLIC, CARP address
192.168.1.4 => Internal CARP address (gateway for all servers behind the firewall)
168.168.253.x => CARP private subnet (for heartbeats)

Datacenter 1 OpenVPN configuration:

SERVER 
Server Mode: Peer to Peer (Shared Key)
Protocol: UDP
Interface: 55.55.55.68 (this is the public CARP address)
IPv4 Tunnel Network: 10.0.8.1/30
IPv4 Local Network: 10.1.1.0/24
IPv4 Remote Network: 192.168.1.0/24
Concurrent Connections: 24

CLIENT 
Protocol: UDP
Interface: WAN
Server Host: 88.88.88.68 (public CARP address at other datacenter)
Port 1194
IPv4 Tunnel Network: 10.0.9.1/30
IPv4 Remote Network: 192.168.1.0/24

Datacenter 2:

SERVER 
Server Mode: Peer to Peer (Shared Key)
Protocol: UDP
Interface: 88.88.88.68 (this is the public CARP address)
IPv4 Tunnel Network: 10.0.9.1/30
IPv4 Local Network: 192.168.1.0.0/24
IPv4 Remote Network: 10.1.1.0/24
Concurrent Connections: 32

CLIENT 
Protocol: UDP
Interface: WAN
Server Host: 55.55.55.68 (public CARP address at other datacenter)
Port 1194
IPv4 Tunnel Network: 10.0.8.1/30
IPv4 Remote Network: 10.1.1.0/24
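Added example, not from the question or from pfSense: a small Python consistency check over the two sites' OpenVPN settings as posted, verifying that each server binds to its CARP VIP, each client dials the peer's CARP VIP, each server/client pair agrees on the tunnel network, and the local/remote networks mirror each other. The `SITES` dict, `net` and `check_pair` are assumptions built from the values above.

```python
import ipaddress

# Constructed from the question: one OpenVPN server and one client per data center, values as posted.
SITES = {
    "dc1": {"carp_wan": "55.55.55.68",
            "server": {"interface": "55.55.55.68", "tunnel": "10.0.8.1/30",
                       "local": "10.1.1.0/24", "remote": "192.168.1.0/24"},
            "client": {"server_host": "88.88.88.68", "tunnel": "10.0.9.1/30",
                       "remote": "192.168.1.0/24"}},
    "dc2": {"carp_wan": "88.88.88.68",
            "server": {"interface": "88.88.88.68", "tunnel": "10.0.9.1/30",
                       "local": "192.168.1.0.0/24", "remote": "10.1.1.0/24"},
            "client": {"server_host": "55.55.55.68", "tunnel": "10.0.8.1/30",
                       "remote": "10.1.1.0/24"}},
}
CIDR_KEYS = ("tunnel", "local", "remote")

def net(value):
    """Parse a CIDR string; None if it is not a valid network (a GUI typo lands here)."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def check_pair(sites, a, b):
    """Cross-check the site-to-site pair a<->b; returns a list of findings (empty = consistent)."""
    findings = []
    # 1. Every CIDR must parse before any other comparison means anything.
    for site, role, key in ((s, r, k) for s in (a, b)
                            for r in ("server", "client") for k in CIDR_KEYS):
        val = sites[site][role].get(key)
        if val is not None and net(val) is None:
            findings.append(f"{site} {role} {key}: invalid CIDR {val!r}")
    for x, y in ((a, b), (b, a)):
        # 2. Server bound to the CARP VIP and the peer's client dialing that VIP,
        #    so a CARP failover does not strand the tunnel on one box's own WAN IP.
        if sites[x]["server"]["interface"] != sites[x]["carp_wan"]:
            findings.append(f"{x} server does not bind to its CARP VIP")
        if sites[y]["client"]["server_host"] != sites[x]["carp_wan"]:
            findings.append(f"{y} client does not target {x}'s CARP VIP")
        # 3. x's server and the y client that dials it must share one tunnel network.
        if net(sites[x]["server"]["tunnel"]) != net(sites[y]["client"]["tunnel"]):
            findings.append(f"{x} server / {y} client tunnel networks differ")
        # 4. What x's server calls local is what y's client must call remote.
        loc, rem = net(sites[x]["server"]["local"]), net(sites[y]["client"]["remote"])
        if loc is not None and rem is not None and loc != rem:
            findings.append(f"{x} server local network != {y} client remote network")
    return findings
```

Run on the values as posted, `check_pair(SITES, "dc1", "dc2")` reports only that datacenter 2's server local network is not a valid CIDR; everything else in the two instances mirrors correctly.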
