Date:      Tue, 14 Feb 2017 21:29:36 +0100
From:      Julien Cigar <julien@perdition.city>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: carp and subnets
Message-ID:  <20170214202936.GF6194@mordor.lan>
In-Reply-To: <CAOjFWZ7ktnZrgsmoqLzR%2BntTMnO3me3xV124bVBdzz5VcY0LLg@mail.gmail.com>
References:  <20170214154123.GE6194@mordor.lan> <CAOjFWZ7ktnZrgsmoqLzR%2BntTMnO3me3xV124bVBdzz5VcY0LLg@mail.gmail.com>

On Tue, Feb 14, 2017 at 09:03:00AM -0800, Freddie Cash wrote:
> On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar <julien@perdition.city> wrote:
>
> > Hello,
> >
> > I have a redundant router/firewall with CARP and PF/PFSync with the
> > following configuration (simplified for example):
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > on both machines I have something like this in my /etc/pf.conf:
> > net_local="10.209.1.0/24"
> > net_prod="192.168.10.0/24"
> > if_wan="em3"
> > CARPvhid53="1.2.208.90"
> > nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
> >
> > it works great but I have a couple of questions:
> >
> > - is it possible to use different subnets for the "real" ips and the
> >   CARP vip? in other words: I only have three public IPs and I'd like
> >   to reuse two of them. I wondered if something like this would work:
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > (assuming that the switch is configured properly)
> >
> > - as the state table is synced between FW1 and FW2, is it possible to
> > do some load-balancing on the outgoing address?
> >
> > Thanks!
> >
>
> With FreeBSD 9.x and earlier, no, you can't.  The CARP setup uses the
> IP/subnet of the host interface for sending the CARP messages.
>
> With FreeBSD 10.x and above, yes, you can.  The CARP setup uses the
> IP/subnet of the VHID for sending CARP messages, which can be set to
> anything.  So long as all the member VHID interfaces are on the same subnet
> and connection.  It's one of the many nice things about the new CARP stuff
> on FreeBSD 10.x.

excellent, thank you!

>
> --
> Freddie Cash
> fjwcash@gmail.com

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
