Date: Thu, 17 Jul 2014 07:40:57 -0700 From: Daniel Duerr <dd@gizmocreative.com> To: Aristedes Maniatis <ari@ish.com.au> Cc: "stable >> freebsd-stable" <freebsd-stable@freebsd.org> Subject: Re: load balancer best practices Message-ID: <B6AEEF65-19ED-4282-915E-575DCEC7763F@gizmocreative.com> In-Reply-To: <53C77E00.1030609@ish.com.au> References: <53BE9A9F.4090700@ish.com.au> <CAJ-Vmok9t8-iHvheCUzwgDx1zsVguE2w0JaUVkUOANbDrEdSvw@mail.gmail.com> <53C77E00.1030609@ish.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
Hey Ari, I use CARP a lot at our colo and recently migrated many of the machines = to FreeBSD 10 as well. I've had the same question as you about VHID = best practices as the docs don't really expound on this. I'd love to = hear some perspective from the authors of CARP as well. In any case, we run a pair of FreeBSD 10/pf gateways at our colo with = binat setup between several dozen internal private networks (VLANs) and = the outside WAN (pool of ~64 public IPs). Traffic between private = networks doesn't use any form of NAT, but does get routed through the = same gateways and is subject to the same filtering policies. In this = setup, we share one VHID across all of the public IPs on the WAN = interface, and we share a second VHID across all of the private gateway = IPs on the LAN interface. Everything *appears* to work just fine, and = we've heavily tested failover, etc. Whether right or wrong, it is = working for us. Daniel On Jul 17, 2014, at 12:40 AM, Aristedes Maniatis <ari@ish.com.au> wrote: > Thanks for this. However unlike Linux where it is a system property, = it looks like this option needs to be invoked inside each userland = application. So without changing code for each app I care about, it = looks like I'm creating lots of /32 CARP addresses. >=20 > Can someone shed more light on what vhid represents? What happens when = two addresses share the same vhid on the same (or different) interfaces? = Why do the examples in the FreeBSD handbook always show different vhids? >=20 > Ari >=20 >=20 > On 11/07/2014 3:26am, Adrian Chadd wrote: >> yeah, you can search for IP_BINDANY. It's a socket option. >>=20 >>=20 >> -a >>=20 >>=20 >> On 10 July 2014 06:52, Aristedes Maniatis <ari@ish.com.au> wrote: >>> With the changes in CARP as part of FreeBSD 10 I have some questions = about the best way to do some things. >>>=20 >>>=20 >>> 1. On a load balancer (haproxy) we might have the machine handling = 100 or 5000 IP addresses. It would be simplest to just define a /24 (or = more) range on the external interface (or in CARP) but then I cannot = bind to each address. >>>=20 >>> Linux has something like net.ipv4.ip_nonlocal_bind. There appears to = be nothing similar for FreeBSD. Do I need to define a /32 and alias each = address? >>>=20 >>> a. is there a cleaner way? >>> b. will that cause performance issues if I create many hundreds of = /32 aliases on the interface? >>>=20 >>>=20 >>>=20 >>> 2. If I need to define a large number of aliases in CARP I'll = quickly run out of vhids which I understand to go up to 256. What is the = real meaning of vhid in a CARP definition? Can they be shared by = different IP addresses on the load balancer pair? That is, can they all = be labelled "vhid=3D1" or is CARP limited to 256 IP addresses, each of = which has to be a /32 (see above). >>>=20 >>> All the examples in the FreeBSD manual use a different vhid for each = IP address but doesn't explain why. >>>=20 >>> a. If two addresses (aliases) share the same vhid, will that mean = they fail over together always? (That might be a good thing for me). >>> b. Will it reduce "are you alive?" network traffic between the CARP = cluster to have one vhid? >>> c. Will bad things happen if I share vhids? >>>=20 >>>=20 >>> Thanks >>> Ari >>>=20 >>>=20 >>> -- >>> --------------------------> >>> Aristedes Maniatis >>> ish >>> http://www.ish.com.au >>> Level 1, 30 Wilson Street Newtown 2042 Australia >>> phone +61 2 9550 5001 fax +61 2 9550 4001 >>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A >>> _______________________________________________ >>> freebsd-stable@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >>> To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org" >=20 > --=20 > --------------------------> > Aristedes Maniatis > ish > http://www.ish.com.au > Level 1, 30 Wilson Street Newtown 2042 Australia > phone +61 2 9550 5001 fax +61 2 9550 4001 > GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org" =09 Daniel Duerr =95 President GIZMO Creative, Inc. PO Box 2137, Carmel Valley, California t: +1 (831) 531-2270 x103 =95 e: dd@gizmocreative.com =20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B6AEEF65-19ED-4282-915E-575DCEC7763F>