From: Freddie Cash <fjwcash@gmail.com>
Date: Tue, 14 Feb 2017 09:03:00 -0800
Subject: Re: carp and subnets
To: Julien Cigar
Cc: freebsd-net
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar wrote:

> Hello,
>
> I have a redundant router/firewall with CARP and PF/PFSync with the
> following configuration (simplified for example):
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> on both machines I have something like this in my /etc/pf.conf:
> net_local="10.209.1.0/24"
> net_prod="192.168.10.0/24"
> if_wan="em3"
> CARPvhid53="1.2.208.90"
> nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
>
> it works great but I have a couple of questions:
>
> - is it possible to use different subnets for the "real" IPs and the
> CARP VIP? In other words: I only have three public IPs and I'd like
> to reuse two of them. I wondered if something like this would work:
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> (assuming that the switch is configured properly)
>
> - as the state table is synced between FW1 and FW2, is it possible to
> do some load-balancing on the outgoing address?
>
> Thanks!
>

With FreeBSD 9.x and earlier, no, you can't. The CARP setup uses the IP/subnet of the host interface for sending the CARP messages.

With FreeBSD 10.x and above, yes, you can. The CARP setup uses the IP/subnet of the VHID for sending CARP messages, which can be set to anything, so long as all the member VHID interfaces are on the same subnet and connection.

It's one of the many nice things about the new CARP stuff on FreeBSD 10.x.

-- 
Freddie Cash
fjwcash@gmail.com
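A check that goes with the setup discussed in this thread, added here as an example and not code from the thread or from FreeBSD itself: once the VHID carries its own address on a subnet different from the interface's primary address, the thing worth verifying on both nodes is that the VHID is actually present, that both nodes agree on the VIP, and that exactly one node is MASTER (two MASTERs means the CARP advertisements are not reaching the peer, which is exactly what a misconfigured switch or mismatched subnet produces). The script parses `ifconfig` output; the two outputs embedded below are constructed to follow the FreeBSD 10.x layout for a CARP-enabled interface (an `inet ... vhid N` line plus a `carp: STATE vhid N ...` line), and that layout, the function names and the sample MAC addresses are assumptions of this example. In practice the text would come from `ifconfig em3` on each firewall.

```sh
#!/bin/sh
# Added example (not from the thread): parse ifconfig output from both CARP
# nodes, confirm the VHID and its VIP, and flag split-brain or no-master.
# Sample outputs are CONSTRUCTED to mimic FreeBSD 10.x ifconfig layout.

FW1_IFCONFIG='em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:01
        inet 192.168.88.1 netmask 0xffffff00 broadcast 192.168.88.255
        inet 1.2.208.90 netmask 0xffffffff broadcast 1.2.208.90 vhid 53
        carp: MASTER vhid 53 advbase 1 advskew 0'

FW2_IFCONFIG='em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:02
        inet 192.168.88.2 netmask 0xffffff00 broadcast 192.168.88.255
        inet 1.2.208.90 netmask 0xffffffff broadcast 1.2.208.90 vhid 53
        carp: BACKUP vhid 53 advbase 1 advskew 100'

# carp_state VHID   (ifconfig output on stdin)
# Prints MASTER/BACKUP/INIT for that VHID, or "absent" if the interface
# carries no such VHID (the "carp:" line is the state line).
carp_state() {
    st=$(awk -v v="$1" '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2 }')
    printf '%s\n' "${st:-absent}"
}

# carp_vip VHID   (ifconfig output on stdin)
# Prints the address bound to that VHID: the inet line tagged "vhid N".
carp_vip() {
    awk -v v="$1" '$1 == "inet" && $(NF-1) == "vhid" && $NF == v { print $2 }'
}

# check_one_master STATE...  -> 0 if exactly one argument is MASTER,
# 1 otherwise (two MASTERs = split-brain, none = nobody holds the VIP).
check_one_master() {
    n=0
    for s in "$@"; do
        if [ "$s" = MASTER ]; then n=$((n + 1)); fi
    done
    [ "$n" -eq 1 ]
}

# Stand-alone run against the constructed samples.
s1=$(printf '%s\n' "$FW1_IFCONFIG" | carp_state 53)
s2=$(printf '%s\n' "$FW2_IFCONFIG" | carp_state 53)
v1=$(printf '%s\n' "$FW1_IFCONFIG" | carp_vip 53)
v2=$(printf '%s\n' "$FW2_IFCONFIG" | carp_vip 53)
echo "vhid 53: FW1=$s1 ($v1) FW2=$s2 ($v2)"
if [ "$v1" != "$v2" ]; then
    echo "WARNING: nodes carry different VIPs for vhid 53" >&2
fi
if check_one_master "$s1" "$s2"; then
    echo "OK: exactly one MASTER for vhid 53"
else
    echo "WARNING: vhid 53 does not have exactly one MASTER" >&2
fi
```

The state check is the useful part after a cut-over to the 10.x style: if both nodes report MASTER, the advertisements sent from the VHID address are not arriving at the peer, so the VIP's subnet, the switch configuration and any pf rule filtering CARP on `em3` are the first things to look at.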