Date:      Wed, 29 Apr 2009 21:43:45 +0300
From:      Nikos Vassiliadis <nvass@freemail.gr>
To:        Sebastiaan van Erk <sebster@sebster.com>,  FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: CARP & bridge
Message-ID:  <49F89FE1.6070807@freemail.gr>
In-Reply-To: <49F8269E.2010201@sebster.com>
References:  <49F81FF2.3040302@sebster.com> <1240999037.2645.3.camel@frodon.be-bif.ulb.ac.be> <49F8269E.2010201@sebster.com>

Sebastiaan van Erk wrote:
> Hi,
> 
> Julien Cigar wrote:
>> On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
>>> Hi,
>>>
>>> I have a bridged OpenVPN setup where the OpenVPN tap0 driver is 
>>> bridged (via bridge0) to the physical em1 interface, which has a VIP 
>>> via a carp1 interface:
>>>
>>> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> 
>>> metric 0 mtu 1500
>>>     options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>>>     ether 00:0c:29:61:2a:55
>>>     inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
>>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>>     status: active
>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 
>>> mtu 1500
>>>     ether 9a:6a:9f:b2:65:da
>>>     id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>     maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>     root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>     member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>             ifmaxaddr 0 port 11 priority 128 path cost 2000000
>>>     member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>             ifmaxaddr 0 port 2 priority 128 path cost 20000
>>> tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> 
>>> metric 0 mtu 1500
>>>     ether 00:bd:48:03:00:00
>>>     Opened by PID 24616
>>> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>>     inet 10.0.80.74 netmask 0xffffff00
>>>     carp: MASTER vhid 2 advbase 1 advskew 0
>>>
>>>
>>> The problem I have is that when I ping the VIP from a VPN client (on 
>>> tap0), the server receives arp requests for the VIP on tap0, but it 
>>> does not respond to them:
>>>
>>> # tcpdump -i tap0 -ln
>>> 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
>>>
>>> Is there any way to get the server to respond to arp requests on tap0 
>>> for the VIP?
>>>
>>
>> Maybe you have to do ARP proxy on one side? Try to add an ARP entry in
>> the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..
> 
> Thanks for the suggestion.
> 
> Ok, static arp works: that is, if I take the carp1 mac address and add 
> it to the arp table using:
> 
>  arp -s 10.0.80.74 00:00:5e:00:01:02 pub
> 
> The ping starts to work. I'm still a bit confused why I have to do this 
> though, because I can ping the non-shared IP 10.0.80.77 from the VPN 
> client (via tap0) without any static arp, and I can ping the shared VIP 
> (10.0.80.74) from clients on the physical network (em1) as well without 
> any static arp. It's only when the ping has to cross the bridge that 
> it's an issue.

Does it make any difference if you set the IP address on the bridge0
iface and not on the physical one?

I recall that the recommended setup is to use IP addresses on
the bridge interface and leave the members of the bridge IPless.

Nikos
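A defender-side check for the symptom quoted above (ARP requests for the VIP arriving on one bridge member and never being answered), as an added example that is not from the thread: it pairs tcpdump who-has/is-at lines captured on one interface and also verifies that any reply for the VIP comes from the CARP virtual MAC 00:00:5e:00:01:<vhid>, as 00:00:5e:00:01:02 does for vhid 2 in the poster's setup. The trace lines are constructed, and the line formats assumed are those of `tcpdump -i <if> -ln` without `-e`, so no link-layer addresses are visible.

```python
import re

# Line formats from "tcpdump -i <if> -ln" (no -e, so no L2 src/dst shown).
REQ = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) arp who-has (\S+) tell (\S+)$")
REP = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) arp reply (\S+) is-at ([0-9a-fA-F:]{17})$")


def carp_vmac(vhid):
    """Virtual MAC a CARP group answers from: 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def audit_vip_arp(lines, vip, vhid):
    """Pair who-has/is-at lines for one VIP on one interface.

    Returns (unanswered, answered, unexpected_macs):
      unanswered      - {requester: request count} still waiting at end of trace
      answered        - replies for the VIP that came from the expected CARP MAC
      unexpected_macs - replies claiming the VIP from some other MAC
    """
    expected = carp_vmac(vhid)
    pending, answered, unexpected = {}, 0, []
    for line in lines:
        line = line.strip()
        m = REQ.match(line)
        if m and m.group(2) == vip:
            pending[m.group(3)] = pending.get(m.group(3), 0) + 1
            continue
        m = REP.match(line)
        if m and m.group(2) == vip:
            mac = m.group(3).lower()
            if mac == expected:
                answered += 1
            else:
                unexpected.append(mac)
            pending.clear()  # without -e we cannot see the reply's L2 target, so
                             # treat one reply as satisfying all outstanding requests
    return pending, answered, unexpected


# Constructed sample traces (not from the thread), one per bridge member.
TAP0_TRACE = """\
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
11:29:14.637201 arp who-has 10.0.80.74 tell 10.0.80.6
11:29:15.637355 arp who-has 10.0.80.74 tell 10.0.80.6
""".splitlines()

EM1_TRACE = """\
11:30:02.100000 arp who-has 10.0.80.74 tell 10.0.80.20
11:30:02.100250 arp reply 10.0.80.74 is-at 00:00:5e:00:01:02
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("tap0", TAP0_TRACE), ("em1", EM1_TRACE)):
        print(name, audit_vip_arp(trace, "10.0.80.74", 2))
```

Run it against a real capture by feeding the lines of `tcpdump -i tap0 -ln arp` to `audit_vip_arp`; a non-empty `unanswered` dict on one member and an empty one on the other reproduces the asymmetry described in the thread.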


