Date:      Tue, 25 Oct 2011 11:09:19 +0300
From:      alexander lunyov <sol289@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   carp over openvpn?
Message-ID:  <CABk4_A7ii-9-cUTcrVGA2-LAuWhGm4zFVXbaw3jwjpygeobjBQ@mail.gmail.com>

Hello.

I'm trying to make carp work over openvpn in bridge mode.
I have 3 servers, VPN-IN, VPN-OUT1 and VPN-OUT2; they are connected to
different ethernet networks and cannot see each other on the data link
level. All servers run 8.2-RELEASE.

VPN-IN is an openvpn server in bridge mode, VPN-OUT1 and VPN-OUT2 are
openvpn clients. On each server I configured an address from the
10.80.90.0/24 network as an alias, so the address space looks like this:

VPN-IN@bridge0: 10.80.90.63 - bridged to tap0
VPN-OUT1@em0: 10.80.90.4 - bridged to tap0
VPN-OUT2@em0: 10.80.90.6 - bridged to tap0

The servers have real IPs, which I masked as x.x.x.x, y.y.y.y and z.z.z.z.

When VPN-OUT1 and VPN-OUT2 connect to VPN-IN I can ping all 10.80.90.
addresses from anywhere, so the vpn is working. When I create CARP
interfaces on both VPN-OUTs, carp0 on both is in MASTER state and
VPN-IN cannot ping the carp address 10.80.90.10 (the VPN-OUTs ping their own
10.80.90.10 address ok).

On VPN-IN@bridge0 I see advertisements from both VPN-OUTs:
# tcpdump -i bridge0 net 10.80.90.0/24
18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
18:34:49.546667 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:50.198569 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36

On VPN-OUT1@bridge0 I see advertisements from VPN-OUT2:
# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36


On VPN-OUT2@bridge0 I see advertisements from VPN-OUT1:
# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36


When I try to ping the carp address 10.80.90.10 from VPN-IN, I see ARP
requests but nobody answers, though the ARP requests reach the VPN-OUTs:

VPN-OUT2# tcpdump -i bridge0 net 10.80.90.0/24
07:49:30.014907 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:30.700133 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28
07:49:31.412868 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:31.700014 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28

So, why don't the carp interfaces on the VPN-OUTs see each other's
advertisements and the ARP from VPN-IN?

VPN-OUT1# netstat -s -p carp
carp:
        6515137 packets received (IPv4)
        42246 packets sent (IPv4)


ifconfigs:

VPN-IN# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:99:16:32:fd
        inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:cd:f5:1a:00
        Opened by PID 86461
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 76:38:a6:0e:16:36
        inet 10.80.90.63 netmask 0xffffff00 broadcast 10.80.90.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000



VPN-OUT1# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:25:90:06:a7:ee
        inet y.y.y.y netmask 0xffffff00 broadcast y.y.y.255
        inet 10.80.90.4 netmask 0xffffff00 broadcast 10.80.90.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:98:a7:80:00
        Opened by PID 79699
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a6:be:59:84:94:7f
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.80.90.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 10


VPN-OUT2# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:25:90:00:59:1a
        inet z.z.z.z netmask 0xffffff00 broadcast z.z.z.255
        inet 10.80.90.6 netmask 0xffffff00 broadcast 10.80.90.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:2e:29:90:00
        Opened by PID 75704
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ba:37:68:2b:7d:32
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.80.90.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 100



P.S.: I also tried freevrrpd, and I see the same behavior - I see
advertisements from both VPN-OUTs, but they don't see each other.

P.P.S.: if I'm writing to the wrong list, please point me to the right
one where I can ask this question.


--
your sweet isn't ready yet
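An added check, not part of the post above and not FreeBSD's own tooling, that runs over the captures quoted in it: it parses tcpdump's VRRP decoding of the CARP advertisements and each node's ifconfig carp line, flags any vhid with more than one sender (only the MASTER advertises, so two senders means two masters), and compares a node's own state with the lowest advskew it hears. It assumes tcpdump's `prio` field is the CARP advskew, which the post's ifconfig output bears out, and uses the post's lines (wrapping removed) as constructed sample input.

```python
import re
from collections import defaultdict
# One advertisement as tcpdump prints it (the post's wrapped lines joined back together).
ADVERT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > vrrp\.mcast\.net: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+)"
)
# The carp status line from ifconfig, e.g. "carp: MASTER vhid 1 advbase 1 advskew 10".
CARP_RE = re.compile(r"carp: (?P<state>\w+) vhid (?P<vhid>\d+) advbase \d+ advskew (?P<advskew>\d+)")

def parse_adverts(capture):
    """Map each vrid to {source address: advskew}. tcpdump decodes CARP with its
    VRRP printer, so the 'prio' field carries the sender's CARP advskew (assumption)."""
    heard = defaultdict(dict)
    for line in capture.splitlines():
        m = ADVERT_RE.search(line)
        if m:
            heard[int(m["vrid"])][m["src"]] = int(m["prio"])
    return dict(heard)

def split_brain_vrids(capture):
    """Only the MASTER advertises, so a vhid with two distinct senders in one
    capture means two masters (split brain)."""
    return sorted(v for v, srcs in parse_adverts(capture).items() if len(srcs) > 1)

def expected_state(ifconfig_text, capture):
    """Return (local carp state, state the node should be in given what it hears).
    Lower advskew wins the election: a MASTER that hears a lower advskew on its
    own vhid should have gone BACKUP. None if no carp interface is configured."""
    m = CARP_RE.search(ifconfig_text)
    if not m:
        return None
    vhid, skew = int(m["vhid"]), int(m["advskew"])
    better = [s for s, p in parse_adverts(capture).get(vhid, {}).items() if p < skew]
    return m["state"], ("BACKUP" if better else "MASTER")

# Constructed samples: lines from the post with the mail wrapping removed.
VPN_IN_CAPTURE = """\
18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
"""
VPN_OUT2_CAPTURE = """\
00:35:39.811034 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
"""
VPN_OUT2_IFCONFIG = "carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500\n        carp: MASTER vhid 1 advbase 1 advskew 100"

if __name__ == "__main__":
    print("split-brain vrids seen from VPN-IN:", split_brain_vrids(VPN_IN_CAPTURE))  # [1]
    print("VPN-OUT2 (local, expected):", expected_state(VPN_OUT2_IFCONFIG, VPN_OUT2_CAPTURE))  # ('MASTER', 'BACKUP')
```

The second result is the contradiction the post describes: VPN-OUT2 hears a lower advskew for vhid 1 yet stays MASTER, so the advertisements are reaching the bridge but are not being acted on by carp.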