From: Daniel Duerr <dd@gizmocreative.com>
Subject: Re: load balancer best practices
Date: Thu, 17 Jul 2014 07:40:57 -0700
To: Aristedes Maniatis
In-Reply-To: <53C77E00.1030609@ish.com.au>
References: <53BE9A9F.4090700@ish.com.au> <53C77E00.1030609@ish.com.au>
Cc: "stable >> freebsd-stable" <freebsd-stable@freebsd.org>
List-Id: Production branch of FreeBSD source code

Hey Ari,

I use CARP a lot at our colo and recently migrated many of the machines to FreeBSD 10 as well. I've had the same question as you about VHID best practices as the docs don't really expound on this. I'd love to hear some perspective from the authors of CARP as well.

In any case, we run a pair of FreeBSD 10/pf gateways at our colo with binat setup between several dozen internal private networks (VLANs) and the outside WAN (pool of ~64 public IPs). Traffic between private networks doesn't use any form of NAT, but does get routed through the same gateways and is subject to the same filtering policies. In this setup, we share one VHID across all of the public IPs on the WAN interface, and we share a second VHID across all of the private gateway IPs on the LAN interface. Everything *appears* to work just fine, and we've heavily tested failover, etc. Whether right or wrong, it is working for us.

Daniel

On Jul 17, 2014, at 12:40 AM, Aristedes Maniatis wrote:

> Thanks for this. However unlike Linux where it is a system property, it looks like this option needs to be invoked inside each userland application. So without changing code for each app I care about, it looks like I'm creating lots of /32 CARP addresses.
>
> Can someone shed more light on what vhid represents? What happens when two addresses share the same vhid on the same (or different) interfaces? Why do the examples in the FreeBSD handbook always show different vhids?
>
> Ari
>
> On 11/07/2014 3:26am, Adrian Chadd wrote:
>> yeah, you can search for IP_BINDANY. It's a socket option.
>>
>> -a
>>
>> On 10 July 2014 06:52, Aristedes Maniatis wrote:
>>> With the changes in CARP as part of FreeBSD 10 I have some questions about the best way to do some things.
>>>
>>> 1. On a load balancer (haproxy) we might have the machine handling 100 or 5000 IP addresses. It would be simplest to just define a /24 (or more) range on the external interface (or in CARP) but then I cannot bind to each address.
>>>
>>> Linux has something like net.ipv4.ip_nonlocal_bind. There appears to be nothing similar for FreeBSD. Do I need to define a /32 and alias each address?
>>>
>>> a. Is there a cleaner way?
>>> b. Will that cause performance issues if I create many hundreds of /32 aliases on the interface?
>>>
>>> 2. If I need to define a large number of aliases in CARP I'll quickly run out of vhids, which I understand to go up to 256. What is the real meaning of vhid in a CARP definition? Can they be shared by different IP addresses on the load balancer pair? That is, can they all be labelled "vhid=1", or is CARP limited to 256 IP addresses, each of which has to be a /32 (see above)?
>>>
>>> All the examples in the FreeBSD manual use a different vhid for each IP address but don't explain why.
>>>
>>> a. If two addresses (aliases) share the same vhid, will that mean they fail over together always? (That might be a good thing for me.)
>>> b. Will it reduce "are you alive?" network traffic between the CARP cluster to have one vhid?
>>> c. Will bad things happen if I share vhids?
>>>
>>> Thanks
>>> Ari
>>>
>>> --
>>> -------------------------->
>>> Aristedes Maniatis
>>> ish
>>> http://www.ish.com.au
>>> Level 1, 30 Wilson Street Newtown 2042 Australia
>>> phone +61 2 9550 5001 fax +61 2 9550 4001
>>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
>>> _______________________________________________
>>> freebsd-stable@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

Daniel Duerr • President
GIZMO Creative, Inc.
PO Box 2137, Carmel Valley, California
t: +1 (831) 531-2270 x103 • e: dd@gizmocreative.com
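Adrian's pointer to IP_BINDANY, and Ari's observation that it has to be enabled by each application rather than system-wide, shown as an added C example that is not code from anyone in this thread: the helper sets the per-socket option (IP_BINDANY on FreeBSD, which ip(4) restricts to the superuser; IP_FREEBIND as the per-socket Linux counterpart of net.ipv4.ip_nonlocal_bind), and try_bind() demonstrates that binding to an address the host does not own fails with EADDRNOTAVAIL until the option is on. It assumes only that the TEST-NET-1 address 192.0.2.10 (constructed for the demo) is not configured on the host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Allow this one socket to bind to an address the host does not own.
 * FreeBSD: IP_BINDANY (superuser only). Linux: IP_FREEBIND, the per-socket
 * form of net.ipv4.ip_nonlocal_bind. Returns 0, or -1 with errno set. */
int enable_nonlocal_bind(int fd)
{
    int one = 1;
#if defined(IP_BINDANY)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one));
#elif defined(IP_FREEBIND)
    return setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one));
#else
    (void)fd; (void)one;
    errno = ENOPROTOOPT;   /* platform offers neither option */
    return -1;
#endif
}

/* Bind a fresh TCP socket to addr on an ephemeral port, optionally enabling
 * the option first. Returns 0 on success, otherwise the errno of the failure. */
int try_bind(const char *addr, int nonlocal)
{
    struct sockaddr_in sin;
    int err = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (nonlocal && enable_nonlocal_bind(fd) != 0) err = errno;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);            /* port 0: no port privilege needed */
    inet_pton(AF_INET, addr, &sin.sin_addr);
    if (err == 0 && bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) err = errno;
    close(fd);
    return err;
}

int main(void)
{
    /* 192.0.2.10 is a TEST-NET-1 documentation address, constructed for the demo. */
    printf("without option: %s\n", strerror(try_bind("192.0.2.10", 0)));
    printf("with option:    %s\n", strerror(try_bind("192.0.2.10", 1)));
    return 0;
}
```

Because the option lets a process claim addresses the host has not been assigned, grant it only to the load balancer process that needs it rather than flipping the system-wide sysctl.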