From owner-freebsd-net@freebsd.org Tue Feb 14 20:29:43 2017
Date: Tue, 14 Feb 2017 21:29:36 +0100
From: Julien Cigar
To: Freddie Cash
Cc: freebsd-net
Subject: Re: carp and subnets
Message-ID: <20170214202936.GF6194@mordor.lan>
References: <20170214154123.GE6194@mordor.lan>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.7.1 (2016-10-04)

On Tue, Feb 14, 2017 at 09:03:00AM -0800, Freddie Cash wrote:
> On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar wrote:
>
> > Hello,
> >
> > I have a redundant router/firewall with CARP and PF/PFSync with the
> > following configuration (simplified for example):
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > on both machines I have something like this in my /etc/pf.conf:
> > net_local="10.209.1.0/24"
> > net_prod="192.168.10.0/24"
> > if_wan="em3"
> > CARPvhid53="1.2.208.90"
> > nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
> >
> > it works great but I have a couple of questions:
> >
> > - is it possible to use different subnets for the "real" IPs and the
> > CARP VIP? in other words: I only have three public IPs and I'd like
> > to reuse two of them. I wondered if something like this would work:
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > (assuming that the switch is configured properly)
> >
> > - as the state table is synced between FW1 and FW2, is it possible to
> > do some load-balancing on the outgoing address?
> >
> > Thanks!
> >
>
> With FreeBSD 9.x and earlier, no, you can't. The CARP setup uses the
> IP/subnet of the host interface for sending the CARP messages.
>
> With FreeBSD 10.x and above, yes, you can. The CARP setup uses the
> IP/subnet of the VHID for sending CARP messages, which can be set to
> anything. So long as all the member VHID interfaces are on the same subnet
> and connection. It's one of the many nice things about the new CARP stuff
> on FreeBSD 10.x.

excellent, thank you!

>
> --
> Freddie Cash
> fjwcash@gmail.com

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
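An added example, not code from the thread or from FreeBSD itself: a small Python check that parses the rc.conf-style ifconfig_em3 / ifconfig_em3_alias0 lines quoted above for both nodes and verifies what a CARP pair needs before it is trusted to fail over (same vhid and VIP on both nodes, same password, distinct advskew so one node is the preferred master, host addresses on one subnet). It also reports whether each VIP lies inside the host interface's subnet, which is the constraint Freddie describes for FreeBSD 9.x and earlier and which 10.x lifts. The sample rc.conf fragments are constructed from the thread's second (192.168.88.x) variant; the function names are this example's own.

```python
import ipaddress
import re
import shlex

# Matches ifconfig_em3="..." and ifconfig_em3_alias0="..." lines as written in rc.conf.
RC_LINE = re.compile(r'^(?P<key>ifconfig_\w+?)(?:_alias(?P<n>\d+))?="(?P<val>[^"]*)"\s*$')
KEYWORDS = ('inet', 'netmask', 'vhid', 'advskew', 'pass', 'alias')


def parse_rc(text):
    """Parse ifconfig_* lines into {ifname: {'inet', 'netmask', 'vips': [...]}}.

    Each vip entry holds vhid/advskew as ints and pass/alias as parsed values.
    Tokens that are not keyword/value pairs (e.g. the -tso flag) are skipped.
    """
    ifaces = {}
    for raw in text.splitlines():
        m = RC_LINE.match(raw.strip())
        if not m:
            continue
        ifname = m.group('key')[len('ifconfig_'):]
        entry = ifaces.setdefault(ifname, {'inet': None, 'netmask': None, 'vips': []})
        toks = shlex.split(m.group('val'))
        kv, i = {}, 0
        while i < len(toks):
            if toks[i] in KEYWORDS and i + 1 < len(toks):
                kv[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        if m.group('n') is None:                 # the interface's own address
            entry['inet'] = kv.get('inet')
            entry['netmask'] = kv.get('netmask')
        elif 'vhid' in kv and 'alias' in kv:     # a CARP VIP alias
            entry['vips'].append({
                'vhid': int(kv['vhid']),
                'advskew': int(kv.get('advskew', 0)),
                'pass': kv.get('pass'),
                'alias': ipaddress.ip_interface(kv['alias']),
            })
    return ifaces


def host_network(entry):
    """Subnet of the interface's own address, e.g. 1.2.208.64/27 for .89/27."""
    return ipaddress.ip_network(f"{entry['inet']}/{entry['netmask']}", strict=False)


def vip_in_host_subnet(rc_text, ifname):
    """Map vhid -> True if its VIP is inside the host interface's subnet.

    Per the thread, FreeBSD 9.x and earlier need this to be True; 10.x and
    later send CARP from the VHID's own IP/subnet, so False is acceptable there.
    """
    entry = parse_rc(rc_text)[ifname]
    net = host_network(entry)
    return {v['vhid']: v['alias'].ip in net for v in entry['vips']}


def check_pair(master_rc, backup_rc, ifname):
    """Return a list of problem strings for the two nodes; empty means consistent."""
    a = parse_rc(master_rc)[ifname]
    b = parse_rc(backup_rc)[ifname]
    problems = []
    net_a, net_b = host_network(a), host_network(b)
    if net_a != net_b:
        problems.append(f"{ifname}: host addresses on different subnets ({net_a} vs {net_b})")
    if a['inet'] == b['inet']:
        problems.append(f"{ifname}: both nodes use host address {a['inet']}")
    va = {v['vhid']: v for v in a['vips']}
    vb = {v['vhid']: v for v in b['vips']}
    if set(va) != set(vb):
        problems.append(f"{ifname}: vhid sets differ ({sorted(va)} vs {sorted(vb)})")
    for vhid in sorted(set(va) & set(vb)):
        x, y = va[vhid], vb[vhid]
        if x['alias'] != y['alias']:
            problems.append(f"vhid {vhid}: VIP differs ({x['alias']} vs {y['alias']})")
        if x['pass'] != y['pass']:
            problems.append(f"vhid {vhid}: CARP password differs between nodes")
        if x['advskew'] == y['advskew']:
            problems.append(f"vhid {vhid}: equal advskew {x['advskew']}, no preferred master")
    return problems


# Constructed sample input, copied from the thread's second variant (private host
# addresses, public VIP); "xx" stands in for the real CARP password as in the thread.
FW1_RC = '''
ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
'''
FW2_RC = '''
ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
'''

if __name__ == '__main__':
    print("problems:", check_pair(FW1_RC, FW2_RC, 'em3') or "none")
    print("VIP inside host subnet:", vip_in_host_subnet(FW1_RC, 'em3'))
```

Run against the thread's first variant (hosts .89/.91 on 1.2.208.64/27) the VIP check reports True for vhid 53; against the second variant it reports False, which is exactly the configuration that only works on FreeBSD 10.x and later. Feeding both nodes the same advskew is flagged, since nothing then makes FW1 the preferred master after a flap.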