Understanding the interplay of ipfw, vlan, and carp

Freddie Cash fjwcash at gmail.com
Tue Mar 4 14:04:30 PST 2008


I'm trying to understand how ipfw, vlan, and carp play together.

I've figured out how ipfw and vlan work together and have my rules written 
using the vlan(4) interfaces (in recv vlan100; out xmit vlan100; etc).

I've figured out how ipfw and carp work together and have my rules 
allowing carp protocol traffic over the physical interfaces (i.e. allow 
carp from any to any via fxp0).

What I'm wondering, though, is how vlan and carp work together.

I have a router running FreeBSD 6.3 with three interfaces:
  fxp0 is connected to the Internet
  bge1 is connected to a server DMZ
  bge0 is connected to our WAN

bge0 is the physical interface for our vlan setup, and there are 8 vlan 
interfaces created.  bge0 does not have an IP, and each of the vlan 
interfaces is on its own subnet.

I want to use carp to set up a duplicate, fail-over router.

I've got carp0 configured with the public IP and it manages the connection 
over fxp0.  fxp0 has a unique IP on each server, separate from the carp 
IP.

I've got carp1 configured with the server DMZ IP and it manages the 
connection over bge1.  bge1 has a unique IP on each server, separate from 
the carp IP.

But I'm not sure how to do carp2 to manage the vlan IPs:
  - do I create a separate carpX interface, one for each vlan?
  - do I create a single carpX interface and alias all the vlan IPs to it?
  - do I configure a single carpX interface with a separate management IP?

The lack of a "carpdev" option to directly link a carp device to an 
interface (similar to "vlandev" for vlan(4)) is what's really tripping me 
up.  It appears the carp(4) driver looks at all the interfaces in the box 
to find one with an IP in the same subnet as the carp IP and then uses 
that as the physical device.

So it seems I'd have to use two IPs for each vlan interface:  one shared 
IP for the carp device, one management IP for the vlan device.  Which 
seems really complicated and not-quite-right.  Maybe I'm just 
over-thinking things.

Any pointers greatly appreciated.  Thanks.

-- 
Freddie Cash
fjwcash at gmail.com
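The first of the three options above (one carpX interface per vlan, each vlan interface keeping its own management IP so that carp(4) can find the matching subnet), written out as an /etc/rc.conf fragment for two of the eight vlans. This is an added illustration, not configuration from the post or from FreeBSD; the vlan ids, addresses and the EXAMPLE_SECRET password are assumed.

```shell
# /etc/rc.conf fragment (constructed example): one carp interface per vlan.
# Interface names vlan100/vlan200 and all addresses are assumed values.
# Each vlan interface keeps a per-host management IP; the shared IP lives
# on the carpN interface, which carp binds to the vlan whose subnet matches.

cloned_interfaces="vlan100 vlan200 carp0 carp1 carp2 carp3"

# bge0 only carries the tagged vlans and has no address of its own
ifconfig_bge0="up"

# per-host management addresses on the vlans (the second router uses .3)
ifconfig_vlan100="inet 10.100.0.2 netmask 255.255.255.0 vlan 100 vlandev bge0"
ifconfig_vlan200="inet 10.200.0.2 netmask 255.255.255.0 vlan 200 vlandev bge0"

# carp0/carp1 as described in the post: shared public IP over fxp0,
# shared DMZ IP over bge1 (example addresses)
ifconfig_carp0="vhid 1 pass EXAMPLE_SECRET 203.0.113.1/24"
ifconfig_carp1="vhid 2 pass EXAMPLE_SECRET 192.0.2.1/24"

# shared gateway addresses for the vlans; each vhid must be unique per
# segment, so number them consecutively across all carp interfaces
ifconfig_carp2="vhid 3 pass EXAMPLE_SECRET 10.100.0.1/24"
ifconfig_carp3="vhid 4 pass EXAMPLE_SECRET 10.200.0.1/24"

# On the backup router append "advskew 100" to every ifconfig_carpN line so
# it only claims the shared address when the master stops advertising.
```

The carp advertisements for carp2 and carp3 are sent on vlan100 and vlan200, so ipfw rules following the post's pattern need an allow-carp rule via those vlan interfaces as well as via fxp0 and bge1.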