Date:      Tue, 14 Feb 2017 09:03:00 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        Julien Cigar <julien@perdition.city>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: carp and subnets
Message-ID:  <CAOjFWZ7ktnZrgsmoqLzR%2BntTMnO3me3xV124bVBdzz5VcY0LLg@mail.gmail.com>
In-Reply-To: <20170214154123.GE6194@mordor.lan>
References:  <20170214154123.GE6194@mordor.lan>

On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar <julien@perdition.city> wrote:

> Hello,
>
> I have a redundant router/firewall with CARP and PF/PFSync with the
> following configuration (simplified for example):
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> on both machines I have something like this in my /etc/pf.conf:
> net_local="10.209.1.0/24"
> net_prod="192.168.10.0/24"
> if_wan="em3"
> CARPvhid53="1.2.208.90"
> nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
>
> it works great but I have a couple of questions:
>
> - is it possible to use different subnets for the "real" IPs and the
>   CARP VIP? In other words: I only have three public IPs and I'd like
>   to reuse two of them. I wondered if something like this would work:
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> (assuming that the switch is configured properly)
>
> - as the state table is synced between FW1 and FW2, is it possible to
> do some load-balancing on the outgoing address?
>
> Thanks!
>

With FreeBSD 9.x and earlier, no, you can't. The CARP setup uses the
IP/subnet of the host interface for sending the CARP messages.

With FreeBSD 10.x and above, yes, you can. The CARP setup uses the
IP/subnet of the VHID for sending CARP messages, which can be set to
anything, so long as all the member VHID interfaces are on the same subnet
and connection. It's one of the many nice things about the new CARP stuff
on FreeBSD 10.x.

-- 
Freddie Cash
fjwcash@gmail.com

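The 10.x layout Freddie describes (real addresses on a private subnet, the public VIP only on the VHID) is easy to get subtly wrong on a pair of routers edited by hand. What follows is an added example, not code from this thread or from FreeBSD: a small Python linter that parses the `ifconfig_<if>` and `ifconfig_<if>_aliasN` lines of both routers' rc.conf and checks the invariants the reply relies on: the real addresses share one subnet, both members carry the same vhid, pass and VIP, and the MASTER's advskew is lower than the BACKUP's. It also flags one thing the question's config would trip over once the real addresses leave the public block: a `/32` VIP with no real address in its subnet leaves the host without a connected route to that subnet, so the upstream gateway becomes unreachable; the alias should carry the public subnet's prefix instead. The rc.conf fragments are constructed from the question above, and the `/27` used in the usage note assumes the public block is 1.2.208.64/27, as the `255.255.255.224` netmask in the question implies.

```python
"""Lint a CARP pair's rc.conf interface settings (FreeBSD 10.x-style VHIDs).

Added example, not from the mailing-list thread. Parses the ifconfig_ lines
of the MASTER and BACKUP routers and reports configuration mismatches.
"""
import ipaddress
import re
import shlex

# Constructed rc.conf fragments for the layout asked about in the question:
# private real addresses on em3, public CARP VIP on vhid 53 (still /32).
FW1_RCCONF = '''
ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
'''
FW2_RCCONF = '''
ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
'''

# ifconfig_em3="..."  or  ifconfig_em3_alias0="..."
LINE_RE = re.compile(r'^ifconfig_(\w+?)(?:_alias\d+)?="(.*)"$')


def parse_rcconf(text):
    """Return {ifname: {"addrs": [IPv4Interface], "vhids": [dict]}}."""
    ifaces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ifname, spec = m.groups()
        entry = ifaces.setdefault(ifname, {"addrs": [], "vhids": []})
        toks = shlex.split(spec)
        if "vhid" in toks:
            v = {}
            for key in ("vhid", "advskew", "pass", "alias"):
                if key in toks:
                    v[key] = toks[toks.index(key) + 1]
            v["vhid"] = int(v["vhid"])
            v["advskew"] = int(v.get("advskew", 0))
            v["alias"] = ipaddress.ip_interface(v["alias"])
            entry["vhids"].append(v)
        elif "inet" in toks:
            addr = toks[toks.index("inet") + 1]
            mask = toks[toks.index("netmask") + 1] if "netmask" in toks else "32"
            entry["addrs"].append(ipaddress.ip_interface(f"{addr}/{mask}"))
    return ifaces


def lint_pair(master_text, backup_text, ifname):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    empty = {"addrs": [], "vhids": []}
    m = parse_rcconf(master_text).get(ifname, empty)
    b = parse_rcconf(backup_text).get(ifname, empty)

    # The members' real addresses must sit on one subnet (same segment).
    real_nets = {a.network for a in m["addrs"] + b["addrs"]}
    if len(real_nets) != 1:
        findings.append(f"{ifname}: real addresses are on different subnets: "
                        + ", ".join(sorted(str(n) for n in real_nets)))

    mv = {v["vhid"]: v for v in m["vhids"]}
    bv = {v["vhid"]: v for v in b["vhids"]}
    if set(mv) != set(bv):
        findings.append(f"{ifname}: VHID sets differ: {sorted(mv)} vs {sorted(bv)}")
    for vhid in sorted(set(mv) & set(bv)):
        a, c = mv[vhid], bv[vhid]
        if a["alias"] != c["alias"]:
            findings.append(f"vhid {vhid}: VIP differs ({a['alias']} vs {c['alias']})")
        if a.get("pass") != c.get("pass"):
            findings.append(f"vhid {vhid}: pass differs between members")
        if a["advskew"] >= c["advskew"]:
            findings.append(f"vhid {vhid}: master advskew {a['advskew']} should be "
                            f"lower than backup advskew {c['advskew']}")
        # A /32 VIP whose subnet holds no real address leaves no connected
        # route to the public block, so the upstream gateway is unreachable.
        vip = a["alias"]
        if vip.network.prefixlen == 32 and not any(vip.ip in n for n in real_nets):
            findings.append(f"vhid {vhid}: VIP {vip} is /32 and no real address is in "
                            "its subnet; give the alias the public subnet's prefix")
    return findings


if __name__ == "__main__":
    for f in lint_pair(FW1_RCCONF, FW2_RCCONF, "em3") or ["no findings"]:
        print(f)
```

Run as-is it reports the `/32` problem; changing both aliases to `1.2.208.90/27` (the assumed public block) makes the pair lint clean, and feeding the two files in the wrong order flags the advskew ordering. The linter says nothing about the firewall itself: whatever the addressing, pf on both routers still has to pass CARP (IP protocol 112) on `em3` and pfsync on the sync interface, or the BACKUP never hears the MASTER's advertisements.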


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOjFWZ7ktnZrgsmoqLzR%2BntTMnO3me3xV124bVBdzz5VcY0LLg>