Carp address used as source
Marek Zarychta
zarychtam at plan-b.pwste.edu.pl
Fri Nov 22 18:35:16 UTC 2019
On 22.11.2019 at 17:27, Kajetan Staszkiewicz wrote:
> Hello,
>
> I have a pair of loadbalancers using FreeBSD 11.3. They have "public"
> side running BGP, which is not important for this discussion and
> internal side - multiple VLANs where multiple hosts reside which are
> targets for loadbalancing. Directing traffic to correct target is done
> using route-to target of pf. Traffic usually comes to a public IP
> address from public side routed via BGP. This works flawlessly. There
> are some loadbalanced addresses configured on internal side too.
> Loadbalancers present an IP address using CARP to machines in VLAN and
> if traffic comes to this CARP-based IP address, it gets bounced back
> (using route-to) to another host in this or another VLAN.
>
> This works fine when clients and servers are in VLAN. Problem happens
> when the loadbalancer itself tries to access such address.
>
> For example a ping to loadbalanced address looks like this from backup
> Loadbalancer:
>
> [15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
> 15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
> 15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
> 15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
>
>
> [15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
> inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
> inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
> inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
> inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
> inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
> inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
> carp: BACKUP vhid 123 advbase 1 advskew 100
>
> Connections originating from loadbalancer itself use CARP address as
> source. Always the same address which I'm trying to reach. How can I
> ensure that CARP address is never used as source for connections
> outgoing from Loadbalancer? I've read manpage of ifconfig but I've seen
> only flags regarding IPv6 address choice.
>
I believe this behavior can be changed by configuring carp interfaces
with the same subnet mask as the parent interface, which is /16 in your case.
Best regards,
--
Marek Zarychta
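
Added example, not part of the original message or of FreeBSD itself: a small Python check that reads `ifconfig <if> | grep -E 'inet |carp:'` output like the one quoted above and lists every CARP (vhid) address whose prefix length differs from the non-CARP address covering it, which is the condition the reply refers to. The function names are hypothetical and the sample input is constructed from the lines in the message.

```python
import ipaddress
import re

# Constructed sample: the ifconfig lines quoted in the message above.
SAMPLE = """\
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100
"""

# "inet6" lines do not match because of the space required after "inet".
INET_RE = re.compile(
    r"inet (\S+) netmask (0x[0-9a-fA-F]{8})(?: broadcast \S+)?(?: vhid (\d+))?"
)


def parse_inet_lines(text):
    """Return [(IPv4Address, prefix_len, vhid or None)] for each inet line."""
    entries = []
    for line in text.splitlines():
        m = INET_RE.search(line)
        if not m:
            continue  # e.g. the "carp:" status line
        addr = ipaddress.IPv4Address(m.group(1))
        prefix_len = bin(int(m.group(2), 16)).count("1")  # hex mask -> /len
        vhid = int(m.group(3)) if m.group(3) else None
        entries.append((addr, prefix_len, vhid))
    return entries


def mismatched_carp_addresses(text):
    """List (addr, carp_prefix, parent_prefix, vhid) where the masks differ."""
    entries = parse_inet_lines(text)
    # Networks of the plain (non-CARP) addresses on the interface.
    parents = [ipaddress.IPv4Interface(f"{a}/{p}").network
               for a, p, v in entries if v is None]
    findings = []
    for addr, prefix_len, vhid in entries:
        if vhid is None:
            continue
        for net in parents:
            if addr in net and prefix_len != net.prefixlen:
                findings.append((str(addr), prefix_len, net.prefixlen, vhid))
                break
    return findings


if __name__ == "__main__":
    for addr, carp_len, parent_len, vhid in mismatched_carp_addresses(SAMPLE):
        print(f"vhid {vhid}: {addr}/{carp_len} (parent subnet is /{parent_len})")
```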