CARP & bridge
Nikos Vassiliadis
nvass at freemail.gr
Wed Apr 29 19:00:43 UTC 2009
Sebastiaan van Erk wrote:
> Hi,
>
> Julien Cigar wrote:
>> On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
>>> Hi,
>>>
>>> I have a bridged OpenVPN setup where the OpenVPN tap0 driver is
>>> bridged (via bridge0) to the physical em1 interface, which has a VIP
>>> via a carp1 interface:
>>>
>>> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>>>         ether 00:0c:29:61:2a:55
>>>         inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
>>>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>>>         status: active
>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         ether 9a:6a:9f:b2:65:da
>>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>         member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 2000000
>>>         member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 2 priority 128 path cost 20000
>>> tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         ether 00:bd:48:03:00:00
>>>         Opened by PID 24616
>>> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>>         inet 10.0.80.74 netmask 0xffffff00
>>>         carp: MASTER vhid 2 advbase 1 advskew 0
>>>
>>>
>>> The problem I have is that when I ping the VIP from a VPN client (on
>>> tap0), the server receives arp requests for the VIP on tap0, but it
>>> does not respond to them:
>>>
>>> # tcpdump -i tap0 -ln
>>> 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
>>>
>>> Is there any way to get the server to respond to arp requests on tap0
>>> for the VIP?
>>>
>>
>> Maybe you have to do ARP proxy on one side? Try to add an ARP entry to
>> the ARP table with arp (arp -s 1.2.3.4 MAC foo).
>
> Thanks for the suggestion.
>
> Ok, static arp works: that is, if I take the carp1 mac address and add
> it to the arp table using:
>
> arp -s 10.0.80.74 00:00:5e:00:01:02 pub
>
> The ping starts to work. I'm still a bit confused why I have to do this
> though, because I can ping the non-shared IP 10.0.80.77 from the VPN
> client (via tap0) without any static arp, and I can ping the shared VIP
> (10.0.80.74) from clients on the physical network (em1) as well without
> any static arp. It's only when the ping has to cross the bridge that
> it's an issue.
Does it make any difference if you set the IP address on the bridge0
iface and not on the physical one?
I recall that the recommended setup is to use IP addresses on
the bridge interface and leave the members of the bridge IPless.
Nikos
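A small diagnostic for the symptom described in this thread (ARP who-has requests for the VIP arriving on tap0 with no is-at reply), added here as an example and not part of any message above. It parses `tcpdump -i tap0 -ln` style output and counts, per requested IP, how many requests were never answered within a time window; the capture text is a constructed sample, not the original, and the 1-second window is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -i tap0 -ln` (not the thread's capture).
# 10.0.80.74 is the CARP VIP, 10.0.80.77 the non-shared address of em1.
SAMPLE_CAPTURE = """\
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
11:29:14.637201 arp who-has 10.0.80.74 tell 10.0.80.6
11:29:15.101000 arp who-has 10.0.80.77 tell 10.0.80.6
11:29:15.101250 arp reply 10.0.80.77 is-at 00:0c:29:61:2a:55
11:29:16.200000 arp who-has 10.0.80.74 tell 10.0.80.6
"""

WHO_HAS = re.compile(r"^(\d+:\d+:\d+\.\d+) arp who-has (\S+) tell (\S+)", re.I)
IS_AT = re.compile(r"^(\d+:\d+:\d+\.\d+) arp reply (\S+) is-at (\S+)", re.I)

def _seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_arp(capture: str, window: float = 1.0) -> dict:
    """Map each requested IP to the number of who-has requests that received
    no is-at reply within `window` seconds (assumed 1s). A non-zero count for
    the VIP means this host is not answering ARP for it on the captured interface."""
    pending = defaultdict(list)   # target ip -> timestamps of still-open requests
    unanswered = defaultdict(int)
    for line in capture.splitlines():
        m = WHO_HAS.match(line)
        if m:
            ts, target = _seconds(m.group(1)), m.group(2)
            # requests older than the window can no longer be answered: count them
            unanswered[target] += sum(1 for t in pending[target] if ts - t > window)
            pending[target] = [t for t in pending[target] if ts - t <= window]
            pending[target].append(ts)
            continue
        m = IS_AT.match(line)
        if m:
            ts, target = _seconds(m.group(1)), m.group(2)
            # a reply satisfies every open request for that IP inside the window
            unanswered[target] += sum(1 for t in pending[target] if ts - t > window)
            pending[target] = []
    for target, open_reqs in pending.items():
        unanswered[target] += len(open_reqs)   # capture ended with these unanswered
    return dict(unanswered)

if __name__ == "__main__":
    for ip, n in unanswered_arp(SAMPLE_CAPTURE).items():
        print(f"{ip}: {n} unanswered ARP request(s)")
```

Run it against a real capture (`tcpdump -i tap0 -ln arp`) before and after adding the static `pub` entry or moving the address to bridge0 to confirm the VIP's count drops to zero.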