Date: Fri, 22 Nov 2019 17:27:36 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@freebsd.org
Subject: Carp address used as source
Message-ID: <bdfd5a57-171e-0032-c466-438674ccd438@tuxpowered.net>
Hello,

I have a pair of loadbalancers using FreeBSD 11.3. They have a "public" side running BGP, which is not important for this discussion, and an internal side - multiple VLANs where multiple hosts reside which are targets for loadbalancing. Directing traffic to the correct target is done using the route-to target of pf.

Traffic usually comes to a public IP address from the public side, routed via BGP. This works flawlessly.

There are some loadbalanced addresses configured on the internal side too. The loadbalancers present an IP address using CARP to machines in a VLAN, and if traffic comes to this CARP-based IP address, it gets bounced back (using route-to) to another host in this or another VLAN. This works fine when clients and servers are in a VLAN. The problem happens when the loadbalancer itself tries to access such an address.
For example, a ping to a loadbalanced address looks like this from the backup loadbalancer:

[15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64

[15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100

Connections originating from the loadbalancer itself use the CARP address as source. It is always the same address which I'm trying to reach.

How can I ensure that a CARP address is never used as source for connections outgoing from the loadbalancer? I've read the manpage of ifconfig but I've seen only flags regarding IPv6 address choice.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
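As an added example (not part of the thread and not FreeBSD's own tooling), here is a small audit script that parses `ifconfig` output for CARP-backed addresses and their vhid state, then scans `tcpdump -n` lines for locally originated packets whose source is one of those VIPs; the sample inputs are constructed from the excerpts above, with one extra TCP line added to exercise port stripping.

```python
import re

# Constructed samples, abbreviated from the ifconfig/tcpdump output in the post.
IFCONFIG_SAMPLE = """\
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100
"""
TCPDUMP_SAMPLE = """\
15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
15:41:40.000000 IP 10.7.0.242 > 10.7.1.7: ICMP echo request, id 35467, seq 1, length 64
15:41:41.000000 IP 10.7.2.9.51000 > 10.7.1.7.80: Flags [S], seq 1, win 65535, length 0
"""

INET_RE = re.compile(r"^\s*inet (\S+) netmask \S+ broadcast \S+(?: vhid (\d+))?")
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+)")
PKT_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")  # tcpdump -n, IPv4 only

def parse_ifconfig(text):
    """Return ({vip: vhid}, {vhid: state}, {real interface addresses})."""
    vips, states, real = {}, {}, set()
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            if m.group(2):
                vips[m.group(1)] = int(m.group(2))  # address carries a vhid: CARP VIP
            else:
                real.add(m.group(1))
            continue
        m = CARP_RE.match(line)
        if m:
            states[int(m.group(2))] = m.group(1)  # MASTER / BACKUP per vhid
    return vips, states, real

def strip_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; drop the port if present."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint

def find_vip_sourced(tcpdump_text, vips, states):
    """List (src, dst, vhid, carp_state) for packets sourced from a CARP VIP."""
    hits = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        if src in vips:
            hits.append((src, dst, vips[src], states.get(vips[src], "UNKNOWN")))
    return hits
```

A hit whose state is BACKUP is the symptom described in the post: the node is originating traffic from an address it does not currently own.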