From: Marek Zarychta
To: Kajetan Staszkiewicz, freebsd-net@freebsd.org
Subject: Re: Carp address used as source
Date: Fri, 22 Nov 2019 19:34:58 +0100
On 22.11.2019 at 17:27, Kajetan Staszkiewicz wrote:
> Hello,
>
> I have a pair of load balancers using FreeBSD 11.3. They have a "public"
> side running BGP, which is not important for this discussion, and an
> internal side: multiple VLANs where multiple hosts reside which are
> targets for load balancing. Directing traffic to the correct target is done
> using the route-to target of pf. Traffic usually comes to a public IP
> address from the public side, routed via BGP. This works flawlessly. There
> are some load-balanced addresses configured on the internal side too.
> The load balancers present an IP address using CARP to machines in a VLAN, and
> if traffic comes to this CARP-based IP address, it gets bounced back
> (using route-to) to another host in this or another VLAN.
>
> This works fine when clients and servers are in the VLAN.
> The problem happens
> when the load balancer itself tries to access such an address.
>
> For example, a ping to a load-balanced address looks like this from the backup
> load balancer:
>
> [15:41:22] ~/ # sudo tcpdump -pni internal4008 host 10.7.1.7
> 15:41:33.916816 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 3, length 64
> 15:41:34.917712 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 4, length 64
> 15:41:35.952626 IP 10.7.1.7 > 10.7.1.7: ICMP echo request, id 35466, seq 5, length 64
>
>
> [15:52:33] ~/ # ifconfig internal4008 | grep -E 'inet |carp:'
> inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
> inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
> inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
> inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
> inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
> inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
> carp: BACKUP vhid 123 advbase 1 advskew 100
>
> Connections originating from the load balancer itself use the CARP address as
> source: always the same address which I'm trying to reach. How can I
> ensure that a CARP address is never used as source for connections
> outgoing from the load balancer? I've read the manpage of ifconfig but I've seen
> only flags regarding IPv6 address choice.
>

I believe this behavior can be changed by configuring the carp interfaces
with the same subnet mask as the parent interface, which is /16 in your case.
Best regards,

--
Marek Zarychta
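A practitioner acting on the reply above would first want to know which CARP aliases on a given interface actually carry a netmask different from the parent interface's own address. The following POSIX sh/awk audit is an added example written for this page, not code from either participant or from FreeBSD itself. It reads `ifconfig <if>` output on stdin, takes the first non-CARP `inet` line as the parent address, and reports every `vhid` alias whose netmask differs from it. The embedded sample input is constructed from the `ifconfig internal4008` output quoted in the thread (the `flags=`/`mtu` header line is assumed, since the quoted output was filtered through grep), so the script runs offline; on a real host pipe live `ifconfig` output into it instead.

```shell
#!/bin/sh
# Added example: audit CARP aliases whose netmask differs from the parent
# interface's primary address. Reads `ifconfig <ifname>` output on stdin.

# Constructed sample input, modelled on the ifconfig output quoted in the
# thread. The first line is assumed (it was grep-filtered away in the post).
SAMPLE='internal4008: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.7.0.242 netmask 0xffff0000 broadcast 10.7.255.255
    inet 10.7.1.1 netmask 0xffffffff broadcast 10.7.1.1 vhid 123
    inet 10.7.1.4 netmask 0xffffffff broadcast 10.7.1.4 vhid 123
    inet 10.7.1.7 netmask 0xffffffff broadcast 10.7.1.7 vhid 123
    inet 10.7.0.240 netmask 0xffffffff broadcast 10.7.0.240 vhid 123
    inet 10.7.2.1 netmask 0xffffffff broadcast 10.7.2.1 vhid 123
    carp: BACKUP vhid 123 advbase 1 advskew 100'

# carp_mask_audit: for each "inet ... vhid N" line whose netmask ($4) differs
# from the netmask of the first non-CARP inet line, print
# "<carp-address> <carp-netmask> <parent-netmask>". Lines for CARP aliases
# seen before any parent address are reported with an empty parent mask.
carp_mask_audit() {
    awk '
        $1 == "inet" && $0 !~ /vhid/ && parent == "" { parent = $4; next }
        $1 == "inet" && /vhid/ && $4 != parent        { print $2, $4, parent }
    '
}

# count_mismatches: number of CARP aliases flagged by carp_mask_audit.
count_mismatches() {
    carp_mask_audit | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists the five /32 CARP
# aliases, since the parent address 10.7.0.242 is /16 (0xffff0000).
printf '%s\n' "$SAMPLE" | carp_mask_audit
```

Usage on a live FreeBSD host is `ifconfig internal4008 | sh carp_mask_audit.sh` with the sample-printing line at the end replaced by a plain `carp_mask_audit`. The comparison is a string compare on the netmask token exactly as ifconfig prints it (hexadecimal on FreeBSD), which is sufficient here because both the parent and the aliases come from the same ifconfig invocation.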