From: alexander lunyov
Date: Wed, 26 Oct 2011 19:47:15 +0400
To: freebsd-questions@freebsd.org
Subject: carp over openvpn?
List-Id: User questions

Hello.

I'm trying to make carp work over openvpn in bridge mode. I have 3 servers, VPN-IN, VPN-OUT1 and VPN-OUT2; they are connected to different ethernet networks and cannot see each other on the data link level. All servers run 8.2-RELEASE. VPN-IN is an openvpn server in bridge mode, VPN-OUT1 and VPN-OUT2 are openvpn clients.

I configured on each server an address from the 10.80.90.0/24 network as an alias, so the address space looks like this:

  VPN-IN@bridge0:  10.80.90.63 - bridged to tap0
  VPN-OUT1@em0:    10.80.90.4  - bridged to tap0
  VPN-OUT2@em0:    10.80.90.6  - bridged to tap0

Servers have real IPs, which I masked as x.x.x.x, y.y.y.y and z.z.z.z.

When VPN-OUT1 and VPN-OUT2 connect to VPN-IN I can ping all 10.80.90. addresses from anywhere, so the vpn is working. When I create CARP interfaces on both VPN-OUTs, carp0 on both is in MASTER state and VPN-IN cannot ping the carp address 10.80.90.10 (the VPN-OUTs ping their own 10.80.90.10 address ok).

On VPN-IN@bridge0 I see advertisements from both VPN-OUTs:

# tcpdump -i bridge0 net 10.80.90.0/24
18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
18:34:49.546667 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:50.198569 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36

On VPN-OUT1@bridge0 I see advertisements from VPN-OUT2:

# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36

On VPN-OUT2@bridge0 I see advertisements from VPN-OUT1:

# tcpdump -i bridge0 net 10.80.90.0/24
00:35:39.811034 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
00:35:40.852178 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36

When I try to ping the carp address 10.80.90.10 from VPN-IN, I see arp requests but nobody answers, though the ARP reaches the VPN-OUTs:

VPN-OUT2# tcpdump -i bridge0 net 10.80.90.0/24
07:49:30.014907 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:30.700133 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28
07:49:31.412868 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:31.700014 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28

So, why don't the carp interfaces on the VPN-OUTs see each other's advertisements and the ARP from VPN-IN?

VPN-OUT1# netstat -s -p carp
carp:
        6515137 packets received (IPv4)
        42246 packets sent (IPv4)

ifconfigs:

VPN-IN# ifconfig
bge0: flags=8843 metric 0 mtu 1500
        options=c019b
        ether 00:19:99:16:32:fd
        inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.255
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3
tap0: flags=8943 metric 0 mtu 1500
        options=80000
        ether 00:bd:cd:f5:1a:00
        Opened by PID 86461
bridge0: flags=8843 metric 0 mtu 1500
        ether 76:38:a6:0e:16:36
        inet 10.80.90.63 netmask 0xffffff00 broadcast 10.80.90.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143
                ifmaxaddr 0 port 3 priority 128 path cost 2000000

VPN-OUT1# ifconfig
em0: flags=8943 metric 0 mtu 1500
        options=2098
        ether 00:25:90:06:a7:ee
        inet y.y.y.y netmask 0xffffff00 broadcast y.y.y.255
        inet 10.80.90.4 netmask 0xffffff00 broadcast 10.80.90.255
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3
tap0: flags=8943 metric 0 mtu 1500
        options=80000
        ether 00:bd:98:a7:80:00
        Opened by PID 79699
bridge0: flags=8843 metric 0 mtu 1500
        ether a6:be:59:84:94:7f
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        member: tap0 flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49 metric 0 mtu 1500
        inet 10.80.90.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 10

VPN-OUT2# ifconfig
em0: flags=8943 metric 0 mtu 1500
        options=2098
        ether 00:25:90:00:59:1a
        inet z.z.z.z netmask 0xffffff00 broadcast z.z.z.255
        inet 10.80.90.6 netmask 0xffffff00 broadcast 10.80.90.255
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3
tap0: flags=8943 metric 0 mtu 1500
        options=80000
        ether 00:bd:2e:29:90:00
        Opened by PID 75704
bridge0: flags=8843 metric 0 mtu 1500
        ether ba:37:68:2b:7d:32
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        member: tap0 flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=49 metric 0 mtu 1500
        inet 10.80.90.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 100

p.s.: I also tried freevrrpd, and I see the same behavior - I see advertisements from both VPN-OUTs, but they don't see each other.

p.p.s.: if I'm writing to the wrong list, please point me to the right one where I can ask this question. I already posted this question to freebsd-net, but nobody answers.

--
your sweet isn't ready yet
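A small parser, added here as an example and not part of the original post, that reads tcpdump's VRRP-style decode of the CARP advertisements quoted above (embedded as a constructed sample) and flags the split-brain the post describes: only a MASTER sends advertisements, so two sources advertising one vrid means two masters. It assumes that in tcpdump's VRRP decode of a CARP frame the "prio" field carries CARP's advskew and "intvl" its advbase, consistent with the advskew 10/100 and advbase 1 in the ifconfig output.

```python
import re
from collections import defaultdict

# Constructed sample: the advertisement and ARP lines quoted in the post.
SAMPLE = """\
18:34:48.505618 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:48.801474 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
18:34:49.546667 IP 10.80.90.4 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 10, authtype none, intvl 1s, length 36
18:34:50.198569 IP 10.80.90.6 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36
07:49:30.700133 ARP, Request who-has 10.80.90.10 tell 10.80.90.63, length 28
"""

# tcpdump decodes CARP as VRRPv2: "prio" is CARP advskew, "intvl" is CARP advbase (assumption stated above).
ADV_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > \S+: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<skew>\d+), authtype (?P<auth>\w+), intvl (?P<base>\d+)s"
)

def parse_advertisements(text):
    """Return one dict per advertisement line; non-matching lines (ARP etc.) are skipped."""
    advs = []
    for line in text.splitlines():
        m = ADV_RE.match(line)
        if m:
            advs.append({"ts": m["ts"], "src": m["src"], "vrid": int(m["vrid"]),
                         "advskew": int(m["skew"]), "advbase": int(m["base"]), "auth": m["auth"]})
    return advs

def find_split_brain(advs):
    """Map vrid -> sorted distinct advertising sources, for vrids with more than one source.
    Only a MASTER advertises, so two sources for one vrid means two masters."""
    by_vrid = defaultdict(set)
    for a in advs:
        by_vrid[a["vrid"]].add(a["src"])
    return {vrid: sorted(srcs) for vrid, srcs in by_vrid.items() if len(srcs) > 1}

def expected_master(advs, vrid):
    """CARP preference: lowest advskew wins. Returns None for an unknown vrid or a tie."""
    best = {}
    for a in advs:
        if a["vrid"] == vrid:
            best[a["src"]] = min(a["advskew"], best.get(a["src"], a["advskew"]))
    ranked = sorted(best.items(), key=lambda kv: kv[1])
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]

if __name__ == "__main__":
    advs = parse_advertisements(SAMPLE)
    for vrid, srcs in find_split_brain(advs).items():
        print(f"vrid {vrid}: {len(srcs)} masters {srcs}; lowest advskew is {expected_master(advs, vrid)}")
```

Pipe a live capture in place of SAMPLE (`tcpdump -l -n -i bridge0 net 10.80.90.0/24`) to watch whether a vrid keeps two advertisers over time; in the sample, 10.80.90.4 (advskew 10) should be the only one advertising.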