carp and subnets

Julien Cigar julien at perdition.city
Tue Feb 14 20:29:43 UTC 2017


On Tue, Feb 14, 2017 at 09:03:00AM -0800, Freddie Cash wrote:
> On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar <julien at perdition.city> wrote:
> 
> > Hello,
> >
> > I have a redundant router/firewall with CARP and PF/PFSync with the
> > following configuration (simplified for example):
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > on both machines I have something like this in my /etc/pf.conf:
> > net_local="10.209.1.0/24"
> > net_prod="192.168.10.0/24"
> > if_wan="em3"
> > CARPvhid53="1.2.208.90"
> > nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
> >
> > it works great but I have a couple of questions:
> >
> > - is it possible to use different subnets for the "real" IPs and the
> >   CARP VIP? in other words: I only have three public IPs and I'd like
> >   to reuse two of them. I wondered if something like this would work:
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > (assuming that the switch is configured properly)
> >
> > - as the state table is synced between FW1 and FW2, is it possible to
> > do some load-balancing on the outgoing address?
> >
> > Thanks!
> >
> 
> With FreeBSD 9.x and earlier, no, you can't.  The CARP setup uses the
> IP/subnet of the host interface for sending the CARP messages.
> 
> With FreeBSD 10.x and above, yes, you can.  The CARP setup uses the
> IP/subnet of the VHID for sending CARP messages, which can be set to
> anything.  So long as all the member VHID interfaces are on the same subnet
> and connection.  It's one of the many nice things about the new CARP stuff
> on FreeBSD 10.x.

excellent, thank you!

> 
> -- 
> Freddie Cash
> fjwcash at gmail.com

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
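As an added example (not part of the thread or of FreeBSD), a small POSIX sh check for a two-node CARP pair like the one above: it confirms that both peers agree on vhid, pass and VIP, that their advskew values differ, and reports whether the VIP lies inside the interface subnet (required by the old CARP) or outside it (allowed by the FreeBSD 10.x VHID-addressed CARP). The sample values at the bottom are constructed from the "different subnets" variant in the question; "xx" is the placeholder password from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: consistency check for a two-node CARP
# pair described by rc.conf-style values like the ones in the question.
# The sample values at the bottom are constructed; "xx" is a placeholder.

# ip4_to_int 1.2.208.90 -> 16961626 (dotted quad as a 32-bit integer)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR NETMASK OTHER -> true when OTHER lies inside ADDR/NETMASK
same_subnet() {
    sa=$(ip4_to_int "$1"); sm=$(ip4_to_int "$2"); so=$(ip4_to_int "$3")
    [ $(( sa & sm )) -eq $(( so & sm )) ]
}

# carp_field "vhid 53 advskew 0 pass xx alias 1.2.208.90/32" advskew -> 0
carp_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# check_pair ADDR1 MASK1 ALIAS1 ADDR2 MASK2 ALIAS2
# Prints one finding per line; returns 1 when the pair cannot fail over cleanly.
check_pair() {
    rc=0
    for f in vhid pass alias; do
        [ "$(carp_field "$3" $f)" = "$(carp_field "$6" $f)" ] ||
            { echo "$f differs between peers: they will not form one CARP group"; rc=1; }
    done
    # vhid, pass and VIP must match; advskew is the one value that must differ,
    # otherwise the election has no preferred MASTER.
    [ "$(carp_field "$3" advskew)" != "$(carp_field "$6" advskew)" ] ||
        { echo "equal advskew on both peers: election has no preferred MASTER"; rc=1; }
    same_subnet "$1" "$2" "$4" ||
        { echo "interface addresses $1 and $4 are not in one subnet"; rc=1; }
    vip=$(carp_field "$3" alias); vip=${vip%/*}
    if same_subnet "$1" "$2" "$vip"; then
        echo "VIP $vip is inside the interface subnet: works with old and new CARP"
    else
        echo "VIP $vip is outside the interface subnet: needs FreeBSD 10.x+ CARP"
    fi
    return $rc
}

# Constructed sample: the "different subnets" layout from the question.
check_pair 192.168.88.1 255.255.255.0 "vhid 53 advskew 0 pass xx alias 1.2.208.90/32" \
           192.168.88.2 255.255.255.0 "vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
```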