carp and subnets

Freddie Cash fjwcash at gmail.com
Tue Feb 14 17:03:02 UTC 2017


On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar <julien at perdition.city> wrote:

> Hello,
>
> I have a redundant router/firewall with CARP and PF/PFSync with the
> following configuration (simplified for example):
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> on both machines I have something like this in my /etc/pf.conf:
> net_local="10.209.1.0/24"
> net_prod="192.168.10.0/24"
> if_wan="em3"
> CARPvhid53="1.2.208.90"
> nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
>
> it works great but I have a couple of questions:
>
> - is it possible to use different subnets for the "real" IPs and the
>   CARP VIP? in other words: I only have three public IPs and I'd like
>   to reuse two of them. I wondered if something like this would work:
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> (assuming that the switch is configured properly)
>
> - as the state table is synced between FW1 and FW2, is it possible to
> do some load-balancing on the outgoing address?
>
> Thanks!
>

With FreeBSD 9.x and earlier, no, you can't.  The CARP setup uses the
IP/subnet of the host interface for sending the CARP messages.

With FreeBSD 10.x and above, yes, you can.  The CARP setup uses the
IP/subnet of the VHID for sending CARP messages, which can be set to
anything, so long as all the member VHID interfaces are on the same subnet
and connection.  It's one of the many nice things about the new CARP stuff
on FreeBSD 10.x.

-- 
Freddie Cash
fjwcash at gmail.com
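An added example, not from either poster, that parses the two rc.conf fragments from the "different subnets" layout above and runs the checks the reply implies: both peers carry the same VIP under the same VHID with differing advskew, the peers' host addresses share one subnet, and whether the VIP lies inside the host interface's subnet (required by the 9.x-style CARP described in the reply, not by 10.x). The finding names, regexes and the `pass xx` placeholder are assumptions of this example.

```python
import ipaddress
import re

# Constructed copies of the rc.conf fragments posted in the thread
# (second layout: private host addresses, public CARP VIP).
FW1 = '''
ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
'''
FW2 = '''
ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
'''

# Regexes are assumptions of this example, matching only the forms shown above.
HOST_RE = re.compile(r'^ifconfig_([A-Za-z0-9]+)="inet (\S+) netmask (\S+)')
CARP_RE = re.compile(r'^ifconfig_([A-Za-z0-9]+)_alias\d+="vhid (\d+) advskew (\d+) pass \S+ alias (\S+)"')


def parse_rcconf(text):
    """Return {iface: {'host': IPv4Interface, 'carp': {vhid: (advskew, IPv4Interface)}}}."""
    cfg = {}
    for line in text.strip().splitlines():
        m = HOST_RE.match(line)
        if m:
            iface, addr, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            cfg.setdefault(iface, {'carp': {}})['host'] = ipaddress.IPv4Interface(f'{addr}/{mask}')
            continue
        m = CARP_RE.match(line)
        if m:
            iface, vhid, skew, vip = m.groups()
            cfg.setdefault(iface, {'carp': {}})['carp'][int(vhid)] = (int(skew), ipaddress.IPv4Interface(vip))
    return cfg


def check_pair(a, b, iface, vhid):
    """Compare two peers' config for one interface/VHID; return a list of finding names."""
    findings = []
    ha, hb = a[iface]['host'], b[iface]['host']
    (sa, va), (sb, vb) = a[iface]['carp'][vhid], b[iface]['carp'][vhid]
    if va != vb:
        findings.append('vip-mismatch')            # peers must share one VIP per VHID
    if sa == sb:
        findings.append('equal-advskew')           # no deterministic master/backup
    if ha.network != hb.network:
        findings.append('host-subnet-mismatch')    # peers must sit on the same segment
    if va.ip not in ha.network:
        findings.append('vip-outside-host-subnet')  # rejected by 9.x-style CARP, fine on 10.x
    return findings


if __name__ == '__main__':
    print(check_pair(parse_rcconf(FW1), parse_rcconf(FW2), 'em3', 53))
```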


More information about the freebsd-net mailing list