Date: Tue, 4 Mar 2008 13:51:45 -0800
From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-net@freebsd.org
Subject: Understanding the interplay of ipfw, vlan, and carp
Message-ID: <200803041351.46053.fjwcash@gmail.com>
I'm trying to understand how ipfw, vlan, and carp play together.

I've figured out how ipfw and vlan work together and have my rules written using the vlan(4) interfaces (in recv vlan100; out xmit vlan100; etc).

I've figured out how ipfw and carp work together and have my rules allowing carp protocol traffic over the physical interfaces (i.e. allow carp from any to any via fxp0).

What I'm wondering, though, is how vlan and carp work together.

I have a router running FreeBSD 6.3 with three interfaces:

  fxp0 is connected to the Internet
  bge1 is connected to a server DMZ
  bge0 is connected to our WAN

bge0 is the physical interface for our vlan setup, and there are 8 vlan interfaces created. bge0 does not have an IP, and each of the vlan interfaces is on its own subnet.

I want to use carp to set up a duplicate, fail-over router.

I've got carp0 configured with the public IP and it manages the connection over fxp0. fxp0 has a unique IP on each server, separate from the carp IP.

I've got carp1 configured with the server DMZ IP and it manages the connection over bge1. bge1 has a unique IP on each server, separate from the carp IP.

But I'm not sure how to do carp2 to manage the vlan IPs:

  - do I create separate carpX interfaces, one for each vlan?
  - do I create a single carpX interface and alias all the vlan IPs to it?
  - do I configure a single carpX interface with a separate management IP?

The lack of a "carpdev" option to directly link a carp device to an interface (similar to "vlandev" for vlan(4)) is what's really tripping me up. It appears the carp(4) driver looks at all the interfaces in the box to find one with an IP in the same subnet as the carp IP and then uses that as the physical device. So it seems I'd have to use two IPs for each vlan interface: one shared IP for the carp device, one management IP for the vlan device. Which seems really complicated and not-quite-right.

Maybe I'm just over-thinking things. Any pointers greatly appreciated.

Thanks.
-- Freddie Cash fjwcash@gmail.com
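The layout the poster describes in the last paragraph (one carp interface per vlan, each vlan(4) interface carrying its own management address so carp(4) can match the parent by subnet) written out as an rc.conf fragment in the pre-FreeBSD 10 style used on 6.3. This is an added example, not the poster's configuration or anything from the thread: the vlan tags, subnets, vhid numbers, interface names carp2/carp3 and the password are placeholders.

```conf
# rc.conf fragment (constructed example). The poster's own carp0 (fxp0)
# and carp1 (bge1) are assumed to exist already, so numbering starts at carp2.
cloned_interfaces="vlan100 vlan101 carp2 carp3"

# Each vlan(4) interface gets a per-router management address. carp(4) on
# FreeBSD 6.x has no carpdev; it picks the parent interface by finding an
# address in the same subnet as the carp address, so this address is what
# binds carp2 to vlan100 and carp3 to vlan101.
ifconfig_vlan100="inet 10.100.0.2 netmask 255.255.255.0 vlan 100 vlandev bge0"
ifconfig_vlan101="inet 10.101.0.2 netmask 255.255.255.0 vlan 101 vlandev bge0"

# One carp interface per vlan holding the shared gateway address.
# vhid must be unique per broadcast domain; the secondary router uses the
# same vhid and pass but a higher advskew (e.g. 100) so it only takes over
# when advertisements from the primary stop.
ifconfig_carp2="vhid 102 pass CHANGE-ME advskew 0 10.100.0.1/24"
ifconfig_carp3="vhid 103 pass CHANGE-ME advskew 0 10.101.0.1/24"
```

With this layout the ipfw rules follow the same pattern the poster already uses for fxp0, but on the vlan interfaces rather than on bge0, since that is where the carp addresses live (for example `allow carp from any to any via vlan100`). Keeping the carp allow rules scoped to the interfaces that actually carry a carp address, instead of a blanket `from any to any`, limits where a rogue advertisement could be accepted.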
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803041351.46053.fjwcash>