load balancer best practices

Daniel Duerr dd at gizmocreative.com
Thu Jul 17 14:47:40 UTC 2014


Hey Ari,

I use CARP a lot at our colo and recently migrated many of the machines to FreeBSD 10 as well.  I've had the same question as you about VHID best practices as the docs don't really expound on this.  I'd love to hear some perspective from the authors of CARP as well.

In any case, we run a pair of FreeBSD 10/pf gateways at our colo with binat setup between several dozen internal private networks (VLANs) and the outside WAN (pool of ~64 public IPs).  Traffic between private networks doesn't use any form of NAT, but does get routed through the same gateways and is subject to the same filtering policies.  In this setup, we share one VHID across all of the public IPs on the WAN interface, and we share a second VHID across all of the private gateway IPs on the LAN interface.  Everything *appears* to work just fine, and we've heavily tested failover, etc.  Whether right or wrong, it is working for us.

Daniel

On Jul 17, 2014, at 12:40 AM, Aristedes Maniatis <ari at ish.com.au> wrote:

> Thanks for this. However, unlike Linux, where it is a system property, it looks like this option needs to be invoked inside each userland application. So without changing code for each app I care about, it looks like I'm creating lots of /32 CARP addresses.
> 
> Can someone shed more light on what vhid represents? What happens when two addresses share the same vhid on the same (or different) interfaces? Why do the examples in the FreeBSD handbook always show different vhids?
> 
> Ari
> 
> 
> On 11/07/2014 3:26am, Adrian Chadd wrote:
>> yeah, you can search for IP_BINDANY. It's a socket option.
>> 
>> 
>> -a
>> 
>> 
>> On 10 July 2014 06:52, Aristedes Maniatis <ari at ish.com.au> wrote:
>>> With the changes in CARP as part of FreeBSD 10 I have some questions about the best way to do some things.
>>> 
>>> 
>>> 1. On a load balancer (haproxy) we might have the machine handling 100 or 5000 IP addresses. It would be simplest to just define a /24 (or more) range on the external interface (or in CARP) but then I cannot bind to each address.
>>> 
>>> Linux has something like net.ipv4.ip_nonlocal_bind. There appears to be nothing similar for FreeBSD. Do I need to define a /32 and alias each address?
>>> 
>>> a. is there a cleaner way?
>>> b. will that cause performance issues if I create many hundreds of /32 aliases on the interface?
>>> 
>>> 
>>> 
>>> 2. If I need to define a large number of aliases in CARP I'll quickly run out of vhids which I understand to go up to 256. What is the real meaning of vhid in a CARP definition? Can they be shared by different IP addresses on the load balancer pair? That is, can they all be labelled "vhid=1" or is CARP limited to 256 IP addresses, each of which has to be a /32 (see above).
>>> 
>>> All the examples in the FreeBSD manual use a different vhid for each IP address but don't explain why.
>>> 
>>> a. If two addresses (aliases) share the same vhid, will that mean they fail over together always? (That might be a good thing for me).
>>> b. Will it reduce "are you alive?" network traffic between the CARP cluster to have one vhid?
>>> c. Will bad things happen if I share vhids?
>>> 
>>> 
>>> Thanks
>>> Ari
>>> 
>>> 
>>> --
>>> -------------------------->
>>> Aristedes Maniatis
>>> ish
>>> http://www.ish.com.au
>>> Level 1, 30 Wilson Street Newtown 2042 Australia
>>> phone +61 2 9550 5001   fax +61 2 9550 4001
>>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>>> _______________________________________________
>>> freebsd-stable at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> 


Daniel Duerr • President
GIZMO Creative, Inc.
PO Box 2137, Carmel Valley, California
t: +1 (831) 531-2270 x103 • e: dd at gizmocreative.com
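A generator for the layout Daniel describes above, added here as an example and not code from this thread or from FreeBSD: it emits rc.conf(5) lines that put many /32 addresses on a single CARP vhid per interface, using the `ifconfig_<if>_aliasN="inet vhid ... pass ... alias .../32"` form from the FreeBSD 10 handbook's CARP chapter, plus a check that a generated block really uses only one vhid. The interface names, vhid numbers, addresses and the CHANGEME password are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds rc.conf(5) lines that attach many
# /32 addresses to ONE CARP vhid on one interface: one vhid for every public
# IP on the WAN side, a second for the gateway IPs on the LAN side.
# Alias syntax assumed from the FreeBSD 10 handbook CARP chapter:
#   ifconfig_<if>_alias<N>="inet vhid <id> pass <secret> alias <addr>/32"
# The handbook numbers aliases contiguously from 0; this keeps that convention.

# carp_aliases IF VHID SECRET FIRST_INDEX ADDR...
# One alias line per address, all on the same vhid, numbered from FIRST_INDEX.
carp_aliases() {
    _if=$1; _vhid=$2; _secret=$3; _n=$4
    shift 4
    for _addr in "$@"; do
        printf 'ifconfig_%s_alias%d="inet vhid %s pass %s alias %s/32"\n' \
            "$_if" "$_n" "$_vhid" "$_secret" "$_addr"
        _n=$((_n + 1))
    done
}

# carp_interface IF BASE_CIDR VHID SECRET ADDR...
# Full block for one interface: the node's own non-CARP address first, then
# the shared-vhid aliases. A vhid has one master/backup state, so every
# address in the block moves between the two gateways together.
carp_interface() {
    _cif=$1; _base=$2; _v=$3; _s=$4
    shift 4
    printf 'ifconfig_%s="inet %s"\n' "$_cif" "$_base"
    carp_aliases "$_cif" "$_v" "$_s" 0 "$@"
}

# count_vhids: read rc.conf text on stdin, print the number of distinct vhids.
# Expect one per interface block when the pool was collapsed onto a shared
# vhid instead of spending one vhid per address.
count_vhids() {
    sed -n 's/.*vhid \([0-9][0-9]*\) .*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Constructed sample: two public addresses on em0 (vhid 1) and two private
# gateway addresses on em1 (vhid 2). CHANGEME stands in for the real shared
# secret; it sits in rc.conf in the clear, so keep that file root-readable only.
demo() {
    carp_interface em0 203.0.113.2/24 1 CHANGEME 203.0.113.10 203.0.113.11
    carp_interface em1 10.0.1.2/24 2 CHANGEME 10.0.1.1 10.0.1.254
}

demo
```

Run it and append the output to /etc/rc.conf on both gateways (the base address differs per node, the vhid, secret and aliases do not), then confirm with `count_vhids` that each interface block carries a single vhid.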
