Date: Fri, 22 Nov 2019 19:34:58 +0100
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Kajetan Staszkiewicz <vegeta@tuxpowered.net>, freebsd-net@freebsd.org
Subject: Re: Carp address used as source
Message-ID: <b38f12ad-ae40-cb3a-33ca-6c69c6407659@plan-b.pwste.edu.pl>
In-Reply-To: <bdfd5a57-171e-0032-c466-438674ccd438@tuxpowered.net>
References: <bdfd5a57-171e-0032-c466-438674ccd438@tuxpowered.net>

On 22.11.2019 at 17:27, Kajetan Staszkiewicz wrote:
> Hello,
>
> I have a pair of loadbalancers using FreeBSD 11.3. They have "public"
> side running BGP, which is not important for this discussion and
> internal side - multiple VLANs where multiple hosts reside which are
> targets for loadbalancing. Directing traffic to correct target is done
> using route-to target of pf. Traffic usually comes to a public IP
> address from public side routed via BGP. This works flawlessly. There
> are some loadbalanced addresses configured on internal side too.
> Loadbalancers present an IP address using CARP to machines in VLAN and
> if traffic comes to this CARP-based IP address, it gets bounced back
> (using route-to) to another host in this or another VLAN.
>
> This works fine when clients and servers are in VLAN. Problem happens
> when the loadbalancer itself tries to access such address.
>
> For example a ping to loadbalanced address looks like this from backup
> Loadbalancer:
>
> [15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
> 15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
> 15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
> 15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
>
>
> [15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
> inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
> inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
> inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
> inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
> inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
> inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
> carp: BACKUP vhid 123 advbase 1 advskew 100
>
> Connections originating from loadbalancer itself use CARP address as
> source. Always the same address which I'm trying to reach. How can I
> ensure that CARP address is never used as source for connections
> outgoing from Loadbalancer? I've read manpage of ifconfig but I've seen
> only flags regarding IPv6 address choice.
>

I believe this behavior can be changed by configuring carp interfaces
with the same subnet mask as parent interface which is /16 in your case.

Best regards,

--
Marek Zarychta