CARP & bridge

Nikos Vassiliadis nvass at freemail.gr
Wed Apr 29 19:00:43 UTC 2009


Sebastiaan van Erk wrote:
> Hi,
> 
> Julien Cigar wrote:
>> On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
>>> Hi,
>>>
>>> I have a bridged OpenVPN setup where the OpenVPN tap0 driver is 
>>> bridged (via bridge0) to the physical em1 interface, which has a VIP 
>>> via a carp1 interface:
>>>
>>> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> 
>>> metric 0 mtu 1500
>>>     options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>>>     ether 00:0c:29:61:2a:55
>>>     inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
>>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>>     status: active
>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 
>>> mtu 1500
>>>     ether 9a:6a:9f:b2:65:da
>>>     id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>     maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>     root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>     member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>             ifmaxaddr 0 port 11 priority 128 path cost 2000000
>>>     member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>             ifmaxaddr 0 port 2 priority 128 path cost 20000
>>> tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> 
>>> metric 0 mtu 1500
>>>     ether 00:bd:48:03:00:00
>>>     Opened by PID 24616
>>> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>>     inet 10.0.80.74 netmask 0xffffff00
>>>     carp: MASTER vhid 2 advbase 1 advskew 0
>>>
>>>
>>> The problem I have is that when I ping the VIP from a VPN client (on 
>>> tap0), the server receives arp requests for the VIP on tap0, but it 
>>> does not respond to them:
>>>
>>> # tcpdump -i tap0 -ln
>>> 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
>>>
>>> Is there any way to get the server to respond to arp requests on tap0 
>>> for the VIP?
>>>
>>
>> Maybe you have to do ARP proxy on one side? Try to add an ARP entry in
>> the ARP table with arp (arp -s 1.2.3.4 MAC foo).
> 
> Thanks for the suggestion.
> 
> Ok, static arp works: that is, if I take the carp1 mac address and add 
> it to the arp table using:
> 
>  arp -s 10.0.80.74 00:00:5e:00:01:02 pub
> 
> The ping starts to work. I'm still a bit confused why I have to do this 
> though, because I can ping the non-shared IP 10.0.80.77 from the VPN 
> client (via tap0) without any static arp, and I can ping the shared VIP 
> (10.0.80.74) from clients on the physical network (em1) as well without 
> any static arp. It's only when the ping has to cross the bridge that 
> it's an issue.

Does it make any difference if you set the IP address on the bridge0
iface and not on the physical one?

I recall that the recommended setup is to use IP addresses on
the bridge interface and leave the members of the bridge IPless.

Nikos
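The thread's diagnosis rests on one observation: on tap0 the server sees `arp who-has` for the VIP but never answers, while on em1 the same VIP is answered with the CARP virtual MAC (00:00:5e:00:01:02 for vhid 2). The script below is an added example, not code from the thread or from FreeBSD, that automates that comparison: it parses `tcpdump -ln` ARP lines in the format shown in the post (older libpcap style `arp who-has X tell Y` / `arp reply X is-at MAC`), pairs requests with replies per interface, and flags VIPs that go unanswered or are answered from a MAC other than the CARP one for their vhid (which would point at a host answering with its physical address or at an address conflict). The capture lines and the interface names are constructed to mirror the post; only the tap0 who-has line is taken from it.

```python
"""Audit ARP traffic for CARP VIPs across interfaces from tcpdump -ln output.

Added example: pairs `arp who-has` requests with `arp reply` answers per
interface and reports VIPs that are never answered (the tap0 symptom in the
thread) or answered with a non-CARP MAC. Sample lines are constructed.
"""
import re
from collections import defaultdict


def carp_mac(vhid):
    """CARP uses the VRRP-style virtual MAC 00:00:5e:00:01:<vhid>.

    The thread's carp1 has vhid 2, hence 00:00:5e:00:01:02 in the
    `arp -s ... pub` command that made the ping work.
    """
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return "00:00:5e:00:01:%02x" % vhid


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
# Line shapes as printed by the `tcpdump -i tap0 -ln` run quoted in the post.
REQ_RE = re.compile(r"^(\S+) arp who-has (%s) tell (%s)$" % (IPV4, IPV4))
REP_RE = re.compile(r"^(\S+) arp reply (%s) is-at (%s)$" % (IPV4, MAC))


def audit_arp(captures, vips):
    """captures: {ifname: [tcpdump lines]}; vips: {vip_ip: vhid}.

    Returns {ifname: {ip: {"requests": n, "replies": n, "status": s}}} where
    status is "answered", "unanswered" or "reply-wrong-mac".
    """
    report = {}
    for ifname, lines in captures.items():
        per_ip = defaultdict(lambda: {"requests": 0, "replies": 0, "macs": set()})
        for line in lines:
            m = REQ_RE.match(line.strip())
            if m:
                per_ip[m.group(2)]["requests"] += 1
                continue
            m = REP_RE.match(line.strip())
            if m:
                per_ip[m.group(2)]["replies"] += 1
                per_ip[m.group(2)]["macs"].add(m.group(3).lower())
        result = {}
        for ip, c in per_ip.items():
            if c["requests"] and not c["replies"]:
                status = "unanswered"
            elif ip in vips and c["macs"] - {carp_mac(vips[ip])}:
                # A reply for a VIP must carry the CARP MAC for its vhid.
                status = "reply-wrong-mac"
            else:
                status = "answered"
            result[ip] = {"requests": c["requests"], "replies": c["replies"],
                          "status": status}
        report[ifname] = result
    return report


def vip_problems(report, vips):
    """List (ifname, vip, status) for every VIP that is not cleanly answered."""
    out = []
    for ifname in sorted(report):
        for ip in sorted(report[ifname]):
            status = report[ifname][ip]["status"]
            if ip in vips and status != "answered":
                out.append((ifname, ip, status))
    return out


# Constructed sample: VIP 10.0.80.74 (vhid 2) and host address 10.0.80.77
# from the post; the first tap0 line is the one quoted in the thread.
VIPS = {"10.0.80.74": 2}
SAMPLE_CAPTURES = {
    "tap0": [
        "11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6",
        "11:29:14.640120 arp who-has 10.0.80.74 tell 10.0.80.6",
        "11:29:15.101000 arp who-has 10.0.80.77 tell 10.0.80.6",
        "11:29:15.101230 arp reply 10.0.80.77 is-at 00:0c:29:61:2a:55",
    ],
    "em1": [
        "11:30:01.000000 arp who-has 10.0.80.74 tell 10.0.80.20",
        "11:30:01.000300 arp reply 10.0.80.74 is-at 00:00:5e:00:01:02",
    ],
    # Hypothetical interface where some host answers for the VIP with a
    # physical MAC instead of the CARP MAC (conflict or misconfiguration).
    "em2": [
        "11:31:00.000000 arp who-has 10.0.80.74 tell 10.0.80.30",
        "11:31:00.000400 arp reply 10.0.80.74 is-at 00:0c:29:61:2a:55",
    ],
}

if __name__ == "__main__":
    rep = audit_arp(SAMPLE_CAPTURES, VIPS)
    for ifname, ip, status in vip_problems(rep, VIPS):
        print("%s: VIP %s %s (%d requests, %d replies)" % (
            ifname, ip, status, rep[ifname][ip]["requests"], rep[ifname][ip]["replies"]))
```

Run against real captures, feed one `tcpdump -i <if> -ln arp` listing per bridge member and compare: a VIP that shows as unanswered on tap0 but answered on em1 is exactly the situation in the thread, and a `reply-wrong-mac` entry means something other than the CARP master is claiming the address.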