Carp address used as source
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Fri Nov 22 16:27:43 UTC 2019
Hello,
I have a pair of loadbalancers using FreeBSD 11.3. They have a "public"
side running BGP, which is not important for this discussion, and an
internal side - multiple VLANs where multiple hosts reside which are
targets for loadbalancing. Directing traffic to the correct target is done
using the route-to target of pf. Traffic usually comes to a public IP
address from the public side, routed via BGP. This works flawlessly. There
are some loadbalanced addresses configured on the internal side too.
Loadbalancers present an IP address using CARP to machines in a VLAN and
if traffic comes to this CARP-based IP address, it gets bounced back
(using route-to) to another host in this or another VLAN.
This works fine when clients and servers are in a VLAN. The problem happens
when the loadbalancer itself tries to access such an address.
For example, a ping to a loadbalanced address looks like this from the backup
loadbalancer:
[15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
[15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100
Connections originating from the loadbalancer itself use a CARP address as
source, always the same address which I'm trying to reach. How can I
ensure that a CARP address is never used as source for connections
outgoing from the loadbalancer? I've read the manpage of ifconfig but I've seen
only flags regarding IPv6 address choice.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
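As an added example (not part of the post above), a small Python check that parses the ifconfig and tcpdump output quoted in the post and flags every packet whose source address is a CARP VIP, together with the CARP state of its vhid, so the symptom can be spotted in a capture on any node before clients notice. It goes slightly beyond the ICMP case in the post by also stripping tcpdump's port suffix from TCP/UDP endpoints; the regexes assume FreeBSD ifconfig and tcpdump line formats as shown in the post.

```python
import re
# Sample input: the ifconfig and tcpdump output quoted in the post (FreeBSD 11.3, internal4008).
IFCONFIG_OUT = """\
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100
"""
TCPDUMP_OUT = """\
15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
"""

INET_RE = re.compile(r"^\s*inet (\S+) netmask \S+(?: broadcast \S+)?(?: vhid (\d+))?")
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+)")
PKT_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")

def parse_ifconfig(text):
    """Return (CARP VIPs addr->vhid, non-CARP addresses, vhid->CARP state)."""
    vips, own, states = {}, set(), {}
    for line in text.splitlines():
        if m := INET_RE.match(line):
            addr, vhid = m.groups()
            if vhid:
                vips[addr] = int(vhid)   # alias tied to a CARP vhid
            else:
                own.add(addr)            # the node's own address on this VLAN
        elif m := CARP_RE.match(line):
            states[int(m.group(2))] = m.group(1)
    return vips, own, states

def strip_port(endpoint):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP; ICMP lines carry a bare IPv4."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint

def carp_sourced_packets(tcpdump_text, vips, states):
    """One record per packet whose source is a CARP VIP (the symptom in the post)."""
    findings = []
    for line in tcpdump_text.splitlines():
        if (m := PKT_RE.match(line)) and (src := strip_port(m.group(1))) in vips:
            dst = strip_port(m.group(2))
            findings.append({"src": src, "dst": dst, "vhid": vips[src],
                             "state": states.get(vips[src], "UNKNOWN"), "self_addressed": src == dst})
    return findings
```

Feed it `ifconfig <if>` and `tcpdump -ni <if>` output captured on the node; any record with state BACKUP is traffic the backup node originated from an address it should not be sourcing at all.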