From owner-freebsd-net@freebsd.org Fri Nov 22 16:27:43 2019
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@freebsd.org
Subject: Carp address used as source
Date: Fri, 22 Nov 2019 17:27:36 +0100
Hello,

I have a pair of loadbalancers using FreeBSD 11.3. They have a "public" side running BGP, which is not important for this discussion, and an internal side: multiple VLANs where multiple hosts reside which are targets for loadbalancing. Directing traffic to the correct target is done using the route-to target of pf.

Traffic usually comes to a public IP address from the public side, routed via BGP. This works flawlessly.

There are some loadbalanced addresses configured on the internal side too. Loadbalancers present an IP address using CARP to machines in a VLAN, and if traffic comes to this CARP-based IP address, it gets bounced back (using route-to) to another host in this or another VLAN. This works fine when clients and servers are in a VLAN. The problem happens when the loadbalancer itself tries to access such an address.
For example, a ping to a loadbalanced address looks like this from the backup loadbalancer:

    [15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
    15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
    15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
    15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64

    [15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
    inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
    inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
    inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
    inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
    inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
    inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
    carp: BACKUP vhid 123 advbase 1 advskew 100

Connections originating from the loadbalancer itself use the CARP address as source, always the same address which I'm trying to reach. How can I ensure that a CARP address is never used as source for connections outgoing from the loadbalancer? I've read the manpage of ifconfig but I've seen only flags regarding IPv6 address choice.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
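As an added example (editor's code, not part of the post or of FreeBSD), here is a small check that takes the two outputs quoted above and flags every packet whose source IP is one of the interface's CARP VIPs, together with the vhid's current state and the interface's own non-vhid address. The sample input below is constructed from the figures in the post; the function names are my own and the ifconfig/tcpdump line formats are the FreeBSD 11.x ones shown there.

```python
import re

# Constructed sample input: the ifconfig(8) and tcpdump(8) output quoted in
# the post, one record per line.
IFCONFIG_SAMPLE = """\
inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
carp: BACKUP vhid 123 advbase 1 advskew 100
"""

TCPDUMP_SAMPLE = """\
15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
"""

# "inet A netmask M broadcast B [vhid N]" -- the vhid suffix marks a CARP VIP.
INET_RE = re.compile(
    r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+) broadcast \S+(?: vhid (\d+))?")
# "carp: STATE vhid N advbase ... advskew ..."
CARP_RE = re.compile(r"^\s*carp: (\S+) vhid (\d+)")
# "HH:MM:SS.us IP src > dst: rest"
PKT_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")


def parse_ifconfig(text):
    """Split an interface's inet lines into CARP VIPs (addr -> vhid),
    the interface's own non-vhid addresses, and the state of each vhid."""
    carp_addrs, own_addrs, carp_state = {}, [], {}
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            addr, _mask, vhid = m.groups()
            if vhid:
                carp_addrs[addr] = int(vhid)
            else:
                own_addrs.append(addr)
            continue
        m = CARP_RE.match(line)
        if m:
            carp_state[int(m.group(2))] = m.group(1)
    return carp_addrs, own_addrs, carp_state


def strip_port(endpoint):
    """tcpdump prints TCP/UDP endpoints as a.b.c.d.port; ICMP has no port."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def find_carp_sourced(tcpdump_text, carp_addrs, carp_state):
    """Return one finding per packet whose source IP is a CARP VIP."""
    findings = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, dst, _rest = m.groups()
        src_ip, dst_ip = strip_port(src), strip_port(dst)
        if src_ip in carp_addrs:
            vhid = carp_addrs[src_ip]
            findings.append({
                "time": ts, "src": src_ip, "dst": dst_ip, "vhid": vhid,
                "state": carp_state.get(vhid, "UNKNOWN"),
                "self_talk": src_ip == dst_ip,  # VIP talking to itself, as in the post
            })
    return findings


def report(ifconfig_text=IFCONFIG_SAMPLE, tcpdump_text=TCPDUMP_SAMPLE):
    """Print and return the findings plus the interface's own address(es)."""
    carp_addrs, own_addrs, carp_state = parse_ifconfig(ifconfig_text)
    findings = find_carp_sourced(tcpdump_text, carp_addrs, carp_state)
    for f in findings:
        print(f"{f['time']} src {f['src']} is CARP vhid {f['vhid']} ({f['state']})"
              f"{' to itself' if f['self_talk'] else ''}; "
              f"interface's own address(es): {own_addrs}")
    return findings, own_addrs


if __name__ == "__main__":
    report()
```

Run it against `ifconfig <if> | grep -E 'inet |carp:'` and a `tcpdump -pni <if>` capture to confirm which VIP a host is sourcing from and whether that vhid is MASTER or BACKUP on the host; TCP/UDP lines, where tcpdump appends the port to the address, are handled by `strip_port`.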