carp over openvpn?

alexander lunyov sol289 at gmail.com
Wed Oct 26 16:18:17 UTC 2011


Hello.

I'm trying to make CARP work over OpenVPN in bridge mode.
I have 3 servers, VPN-IN, VPN-OUT1 and VPN-OUT2; they are connected to
different ethernet networks and cannot see each other on the data link
level. All servers run 8.2-RELEASE.

VPN-IN is an OpenVPN server in bridge mode, VPN-OUT1 and VPN-OUT2 are
OpenVPN clients. On each server I configured an address from the
10.80.90.0/24 network as an alias, so the address space looks like this:

VPN-IN at bridge0: 10.80.90.63 - bridged to tap0
VPN-OUT1 at em0: 10.80.90.4 - bridged to tap0
VPN-OUT2 at em0: 10.80.90.6 - bridged to tap0

Servers have real IPs, which I masked as x.x.x.x, y.y.y.y and z.z.z.z.

When VPN-OUT1 and VPN-OUT2 connect to VPN-IN I can ping all 10.80.90.
addresses from anywhere, so the VPN is working. When I create CARP
interfaces on both VPN-OUTs, carp0 on both is in MASTER state and
VPN-IN cannot ping the carp address 10.80.90.10 (the VPN-OUTs ping their own
10.80.90.10 address ok).

On VPN-IN at bridge0 I see advertisements from both VPN-OUTs:
# tcpdump -i bridge0 net 10.80.90.0/24
18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
18:34:49.546667 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:50.198569 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36

On VPN-OUT1 at bridge0 I see advertisements from VPN-OUT2:
# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36


On VPN-OUT2 at bridge0 I see advertisements from VPN-OUT1:
# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36


When I try to ping the carp address 10.80.90.10 from VPN-IN, I see ARP
requests but nobody answers, though the ARP reaches the VPN-OUTs:

VPN-OUT2# tcpdump -i bridge0 net 10.80.90.0/24
07:49:30.014907 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:30.700133 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28
07:49:31.412868 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:31.700014 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28

So, why don't the carp interfaces on the VPN-OUTs see each other's
advertisements and the ARP from VPN-IN?

VPN-OUT1# netstat -s -p carp
carp:
       6515137 packets received (IPv4)
       42246 packets sent (IPv4)


ifconfigs:

VPN-IN# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
       ether 00:19:99:16:32:fd
       inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.255
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=3<RXCSUM,TXCSUM>
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
       inet6 ::1 prefixlen 128
       inet 127.0.0.1 netmask 0xff000000
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=80000<LINKSTATE>
       ether 00:bd:cd:f5:1a:00
       Opened by PID 86461
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       ether 76:38:a6:0e:16:36
       inet 10.80.90.63 netmask 0xffffff00 broadcast 10.80.90.255
       id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
       maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
       root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
       member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
               ifmaxaddr 0 port 3 priority 128 path cost 2000000



VPN-OUT1# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
       ether 00:25:90:06:a7:ee
       inet y.y.y.y netmask 0xffffff00 broadcast y.y.y.255
       inet 10.80.90.4 netmask 0xffffff00 broadcast 10.80.90.255
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=3<RXCSUM,TXCSUM>
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
       inet6 ::1 prefixlen 128
       inet 127.0.0.1 netmask 0xff000000
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=80000<LINKSTATE>
       ether 00:bd:98:a7:80:00
       Opened by PID 79699
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       ether a6:be:59:84:94:7f
       id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
       maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
       root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
       member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
               ifmaxaddr 0 port 1 priority 128 path cost 20000
       member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
               ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
       inet 10.80.90.10 netmask 0xffffff00
       carp: MASTER vhid 1 advbase 1 advskew 10


VPN-OUT2# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
       ether 00:25:90:00:59:1a
       inet z.z.z.z netmask 0xffffff00 broadcast z.z.z.255
       inet 10.80.90.6 netmask 0xffffff00 broadcast 10.80.90.255
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=3<RXCSUM,TXCSUM>
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
       inet6 ::1 prefixlen 128
       inet 127.0.0.1 netmask 0xff000000
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=80000<LINKSTATE>
       ether 00:bd:2e:29:90:00
       Opened by PID 75704
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       ether ba:37:68:2b:7d:32
       id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
       maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
       root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
       member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
               ifmaxaddr 0 port 1 priority 128 path cost 20000
       member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
               ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
       inet 10.80.90.10 netmask 0xffffff00
       carp: MASTER vhid 1 advbase 1 advskew 100



p.s.: I also tried freevrrpd, and I see the same behavior - I see
advertisements from both VPN-OUTs, but they don't see each other.

p.p.s.: if I'm writing to the wrong list, please point me to the right
one where I can ask this question. I already posted this question to
freebsd-net, but nobody answers.

--
your sweet isn't ready yet
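The symptom in the post (both VPN-OUTs in MASTER, both advertising the same vhid) is a CARP split-brain, and it can be spotted mechanically from the tcpdump output. The following is an added example, not code from the original post: it rejoins mail-wrapped tcpdump records, parses the VRRPv2/CARP advertisement lines, and reports any vrid that more than one source is advertising. The sample capture is constructed, modelled on the lines above.

```python
"""Detect CARP/VRRP split-brain from tcpdump text (added example)."""
import re
from collections import defaultdict

# Constructed sample: two hosts advertising vrid 1 plus one ARP record,
# wrapped across lines the way the mailing list wrapped the original.
SAMPLE = """18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement,
vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement,
vrid 1, prio 100, authtype none, intvl 1s, length 36
18:34:49.700133 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28
18:34:49.546667 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement,
vrid 1, prio 10, authtype none, intvl 1s, length 36
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
ADV_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > vrrp\.mcast\.net: "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+), "
    r"authtype (?P<auth>\w+), intvl (?P<intvl>\d+)s"
)


def unwrap(text):
    """Rejoin tcpdump records whose tail was wrapped onto a continuation line."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_adverts(text):
    """Return one dict per advertisement; ARP and other records are skipped."""
    adverts = []
    for rec in unwrap(text):
        m = ADV_RE.match(rec)
        if m:
            adverts.append({"src": m["src"], "vrid": int(m["vrid"]),
                            "prio": int(m["prio"]), "auth": m["auth"]})
    return adverts


def split_brain(adverts):
    """Map vrid -> sorted (src, prio) pairs for every vrid with >1 advertising host.

    A healthy group has exactly one advertising host per vhid (the MASTER);
    several sources means the backups are not hearing each other's adverts.
    """
    seen = defaultdict(set)
    for a in adverts:
        seen[a["vrid"]].add((a["src"], a["prio"]))
    return {v: sorted(s) for v, s in seen.items() if len({src for src, _ in s}) > 1}


if __name__ == "__main__":
    print(split_brain(parse_adverts(SAMPLE)))
```

Run it over `tcpdump -i bridge0 net 10.80.90.0/24` output from each node; an empty result on the MASTER's capture and a non-empty one on the bridge that sees every node, as in the post, localises where the multicast advertisements are being dropped.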


More information about the freebsd-questions mailing list