Understanding the interplay of ipfw, vlan, and carp

Max Laier max at love2party.net
Thu Jun 5 00:56:59 UTC 2008


On Wednesday 04 June 2008 10:14:43 Peter Jeremy wrote:
> On 2008-Mar-04 23:20:26 +0100, Max Laier <max at love2party.net> wrote:
> >You could try the attached patch.  It adds carpdev support.  You'll
> > have to recompile ifconfig to make use of it.
>
> I have just tried it and found that it does precisely the opposite of
> what I want :-(
>
> My situation: At work, I have a NAT box that is used to translate
> between our corporate intranet and my department's test models.  There
> is (basically) 1:1 NAT and I use proxy-ARP on the intranet side (though
> I have gateway IPs on the internal side).  I am trying to convert this
> to use CARP for failover.
>
> My external interface config currently looks like:
>  ifconfig vlan10 10.10.10.1 vlandev fxp0 vlan 10
>  arp -s 10.10.10.2 auto pub
>  arp -s 10.10.10.3 auto pub
>  arp -s 10.10.10.4 auto pub
>  arp -s 10.10.10.5 auto pub
>
> Ideally, I want to attach a carp device to vlan10 so I can do
>  ifconfig vlan10 10.10.10.1 vlandev fxp0 vlan 10
>  ifconfig carp10 vhid 10 carpdev vlan10
>  arp -s 10.10.10.2 00:00:5e:00:01:0a pub
>  arp -s 10.10.10.3 00:00:5e:00:01:0a pub
>  arp -s 10.10.10.4 00:00:5e:00:01:0a pub
>  arp -s 10.10.10.5 00:00:5e:00:01:0a pub
> i.e. the IP address remains with the specific box (the backup box has
> its own IP address).  Unfortunately, the current carpdev code doesn't
> work this way: It lets me not assign an IP address to vlan10 but I
> still have to assign an IP address to carp10 (and it uses the latter
> address rather than the former address in the carp advertisements).
>
> Does what I want make sense to you, and can you see any way it could be
> integrated into your carpdev patches?

Sorry, I don't quite understand what you are after here.  Can you give a 
network layout and more details on the objective?

> Note that one downside of your carpdev patches is that (AFAIK) it is
> no longer possible to identify which host sent the packet: The source
> and destination MAC addresses, as well as the destination IP address
> are all defined by CARP.  Once you change the source IP address to be
> the shared address there's nothing to identify which host sent it.

That's the point of CARP: *Transparent* address failover.  In order to 
provide that you have to hide the identity of the actual host.  If you 
want to talk to the individual hosts you have to assign them an IP of 
their own and if you do that you don't need the carpdev patch.

> Finally, can anyone point me to a protocol specification for CARP?
> The only documentation I can find in either FreeBSD or OpenBSD is
> basically limited to "it's like VRRP but different to avoid the CISCO
> patent on HSRP".

Take a look at: http://www.countersiege.com/doc/pfsync-carp/ . Really good 
pictures to get the gist of it.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
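As an added example (not code from this thread or from the FreeBSD/OpenBSD carp code), the following Python monitor decodes CARP advertisements using the header layout from ip_carp.h and derives the shared virtual MAC 00:00:5e:00:01:<vhid> that the arp -s entries above use for vhid 10; it flags advertisements for a vhid you did not configure and counters that do not increase. The source addresses and advertisements are constructed test data, and the HMAC-SHA1 field is parsed but not verified (that needs the shared password).

```python
import struct

# CARP advertisement header (IP protocol 112, multicast 224.0.0.18), as laid
# out in ip_carp.h: version/type nibbles, vhid, advskew, authlen, pad,
# advbase, checksum, 64-bit counter (two 32-bit words), 20-byte HMAC-SHA1.
CARP_HDR = struct.Struct("!BBBBBBHII20s")
CARP_VERSION, CARP_ADVERTISEMENT = 2, 1

def carp_vmac(vhid):
    """Virtual MAC shared by every member of a vhid: 00:00:5e:00:01:<vhid>."""
    return "00:00:5e:00:01:%02x" % vhid

def parse_carp(payload):
    """Decode one advertisement into a dict; raise ValueError on junk."""
    if len(payload) < CARP_HDR.size:
        raise ValueError("short CARP header")
    vt, vhid, advskew, _authlen, _pad, advbase, _cksum, hi, lo, md = \
        CARP_HDR.unpack_from(payload)
    if vt >> 4 != CARP_VERSION or vt & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError("not a CARP v2 advertisement")
    return {"vhid": vhid, "advskew": advskew, "advbase": advbase,
            "counter": (hi << 32) | lo, "hmac": md, "vmac": carp_vmac(vhid)}

def build_carp(vhid, counter, advbase=1, advskew=0):
    """Constructed test advertisement (checksum and HMAC zeroed, not wire-valid).
    authlen 7 = (8-byte counter + 20-byte HMAC) / 4."""
    return CARP_HDR.pack((CARP_VERSION << 4) | CARP_ADVERTISEMENT, vhid,
                         advskew, 7, 0, advbase, 0, counter >> 32,
                         counter & 0xFFFFFFFF, b"\0" * 20)

def audit(adverts, expected_vhid):
    """Walk (source_ip, payload) pairs; report unexpected vhids and
    counters that fail to increase (a possible replayed advertisement)."""
    findings, last = [], {}
    for src, payload in adverts:
        adv = parse_carp(payload)
        if adv["vhid"] != expected_vhid:
            findings.append((src, "unexpected vhid %d" % adv["vhid"]))
        if adv["counter"] <= last.get(adv["vhid"], -1):
            findings.append((src, "counter not increasing (replayed?)"))
        last[adv["vhid"]] = max(last.get(adv["vhid"], -1), adv["counter"])
    return findings

# Constructed sample: two good adverts from 10.10.10.1, a stray vhid 11 from
# an unknown host, then a repeat of counter 42 on vhid 10.
SAMPLE = [("10.10.10.1", build_carp(10, 41)), ("10.10.10.1", build_carp(10, 42)),
          ("10.10.10.9", build_carp(11, 1)), ("10.10.10.1", build_carp(10, 42))]

if __name__ == "__main__":
    print(carp_vmac(10), audit(SAMPLE, expected_vhid=10))
```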
