From: Freddie Cash <fjwcash@gmail.com>
Organization: School District 73
To: freebsd-net@freebsd.org
Date: Tue, 4 Mar 2008 13:51:45 -0800
Subject: Understanding the interplay of ipfw, vlan, and carp
Message-Id: <200803041351.46053.fjwcash@gmail.com>

I'm trying to understand how ipfw, vlan, and carp play together.

I've figured out how ipfw and vlan work together and have my rules written using the vlan(4) interfaces (in recv vlan100; out xmit vlan100; etc).
I've figured out how ipfw and carp work together and have my rules allowing carp protocol traffic over the physical interfaces (i.e. allow carp from any to any via fxp0).

What I'm wondering, though, is how vlan and carp work together.

I have a router running FreeBSD 6.3 with three interfaces:

  fxp0 is connected to the Internet
  bge1 is connected to a server DMZ
  bge0 is connected to our WAN

bge0 is the physical interface for our vlan setup, and there are 8 vlan interfaces created. bge0 does not have an IP, and each of the vlan interfaces is on its own subnet.

I want to use carp to set up a duplicate, fail-over router.

I've got carp0 configured with the public IP and it manages the connection over fxp0. fxp0 has a unique IP on each server, separate from the carp IP.

I've got carp1 configured with the server DMZ IP and it manages the connection over bge1. bge1 has a unique IP on each server, separate from the carp IP.

But I'm not sure how to do carp2 to manage the vlan IPs:

  - do I create a separate carpX interface, one for each vlan?
  - do I create a single carpX interface and alias all the vlan IPs to it?
  - do I configure a single carpX interface with a separate management IP?

The lack of a "carpdev" option to directly link a carp device to an interface (similar to "vlandev" for vlan(4)) is what's really tripping me up. It appears the carp(4) driver looks at all the interfaces in the box to find one with an IP in the same subnet as the carp IP and then uses that as the physical device.

So it seems I'd have to use two IPs for each vlan interface: one shared IP for the carp device, one management IP for the vlan device. Which seems really complicated and not-quite-right.

Maybe I'm just over-thinking things. Any pointers greatly appreciated.

Thanks.

-- 
Freddie Cash
fjwcash@gmail.com
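As an added example (not part of the original post, and not a reply from the list), the following POSIX sh script writes out the per-vlan, two-address layout the message ends up describing: one management IP on each vlanN interface and the shared fail-over IP on a carp interface in the same subnet, plus the matching ipfw "allow carp ... via" rule for each vlan, mirroring the "allow carp from any to any via fxp0" rule already in use. It also performs the check a practitioner would want before rebooting a pair of routers: that each carp IP actually shares a subnet with the management IP on its vlan, since that subnet match is how the message describes carp(4) choosing its carrier interface in the absence of a carpdev option. The trunk name bge0, the VLAN IDs, addresses, vhids, carp unit numbers (starting at carp2, after the post's carp0 and carp1) and the password are all placeholders; the two-VLAN record list is constructed for the example and stands in for the eight vlans mentioned.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates rc.conf(5) lines
# and ipfw rules for a per-VLAN CARP layout with two addresses per VLAN:
#   - a management IP on vlanN, so that carp(4) (which, lacking carpdev, binds
#     to the interface that already holds an address in the carp IP's subnet)
#     picks vlanN as its carrier;
#   - the shared fail-over IP on carpM, in that same subnet.
# Every name, number and address below is a placeholder assumption.

PARENT=bge0          # assumed trunk interface, as in the post
PASS=changeme        # placeholder CARP password; use a real secret
ADVSKEW=0            # 0 on the master, larger on the backup

# Constructed sample, one record per line:
#   <vlan id> <carp unit> <vhid> <management ip/prefix> <shared ip/prefix>
VLANS="100 2 10 10.100.0.2/24 10.100.0.1/24
200 3 11 10.200.0.2/24 10.200.0.1/24"

# Dotted quad -> 32-bit integer, for the subnet check below.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if both ip/prefix arguments have the same prefix length and
# lie in the same network. A mismatch here means the carp interface would not
# attach to the vlan interface as intended.
same_subnet() {
    pa=${1#*/}; pb=${2#*/}
    [ "$pa" = "$pb" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - pa)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# rc.conf lines for one VLAN: args are vlan-id carp-unit vhid mgmt-ip shared-ip.
rc_conf_for_vlan() {
    printf 'ifconfig_vlan%s="inet %s vlan %s vlandev %s"\n' "$1" "$4" "$1" "$PARENT"
    printf 'ifconfig_carp%s="vhid %s advskew %s pass %s %s"\n' "$2" "$3" "$ADVSKEW" "$PASS" "$5"
}

# ipfw rule admitting CARP advertisements on the vlan that carries the carp IP.
ipfw_rule_for_vlan() {
    printf 'add allow carp from any to any via vlan%s\n' "$1"
}

# cloned_interfaces line naming every vlan and carp interface in the sample.
cloned_interfaces_line() {
    names=""
    while read -r vid unit vhid mgmt shared; do
        [ -n "$vid" ] || continue
        names="$names${names:+ }vlan$vid carp$unit"
    done <<EOF
$VLANS
EOF
    printf 'cloned_interfaces="%s"\n' "$names"
}

# Whole rc.conf fragment for the interfaces; fails on the first subnet mismatch.
gen_rc_conf() {
    while read -r vid unit vhid mgmt shared; do
        [ -n "$vid" ] || continue
        same_subnet "$mgmt" "$shared" || {
            echo "vlan$vid: $mgmt and $shared are not in one subnet" >&2; return 1; }
        rc_conf_for_vlan "$vid" "$unit" "$vhid" "$mgmt" "$shared"
    done <<EOF
$VLANS
EOF
}

# One ipfw rule per VLAN.
gen_ipfw_rules() {
    while read -r vid unit vhid mgmt shared; do
        [ -n "$vid" ] && ipfw_rule_for_vlan "$vid"
    done <<EOF
$VLANS
EOF
}

# Print the fragment and the rules for the sample above.
cloned_interfaces_line
gen_rc_conf
gen_ipfw_rules
```

The advskew value and the password must be set per host (master vs. backup) and the same vhid must not be reused for two carp interfaces on the same link; the script leaves those as the placeholders named above.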