Date:      Tue, 14 Feb 2017 16:41:24 +0100
From:      Julien Cigar <julien@perdition.city>
To:        freebsd-net@freebsd.org
Subject:   carp and subnets
Message-ID:  <20170214154123.GE6194@mordor.lan>

Hello,

I have a redundant router/firewall with CARP and PF/PFSync with the
following configuration (simplified for example):

on FW1 (MASTER):

ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"

on FW2 (BACKUP):

ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"

on both machines I have something like this in my /etc/pf.conf:
net_local="10.209.1.0/24"
net_prod="192.168.10.0/24"
if_wan="em3"
CARPvhid53="1.2.208.90"
nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53

it works great but I have a couple of questions:

- is it possible to use different subnets for the "real" IPs and the
  CARP VIP? In other words: I only have three public IPs and I'd like
  to reuse two of them. I wondered if something like this would work:

on FW1 (MASTER):

ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"

on FW2 (BACKUP):

ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"

(assuming that the switch is configured properly)

- as the state table is synced between FW1 and FW2, is it possible to
do some load-balancing on the outgoing address?

Thanks!

Julien

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
