From: Nikos Vassiliadis <nvass@freemail.gr>
Date: Wed, 29 Apr 2009 21:43:45 +0300
To: Sebastiaan van Erk, FreeBSD Questions Mailing List
Subject: Re: CARP & bridge

Sebastiaan van Erk wrote:
> Hi,
>
> Julien Cigar wrote:
>> On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
>>> Hi,
>>>
>>> I have a bridged OpenVPN setup where the OpenVPN tap0 driver is
>>> bridged (via bridge0) to the physical em1 interface, which has a VIP
>>> via a carp1 interface:
>>>
>>> em1: flags=8943 metric 0 mtu 1500
>>>         options=98
>>>         ether 00:0c:29:61:2a:55
>>>         inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
>>>         media: Ethernet autoselect (1000baseTX )
>>>         status: active
>>> bridge0: flags=8843 metric 0 mtu 1500
>>>         ether 9a:6a:9f:b2:65:da
>>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>         member: tap0 flags=143
>>>                 ifmaxaddr 0 port 11 priority 128 path cost 2000000
>>>         member: em1 flags=143
>>>                 ifmaxaddr 0 port 2 priority 128 path cost 20000
>>> tap0: flags=8943 metric 0 mtu 1500
>>>         ether 00:bd:48:03:00:00
>>>         Opened by PID 24616
>>> carp1: flags=49 metric 0 mtu 1500
>>>         inet 10.0.80.74 netmask 0xffffff00
>>>         carp: MASTER vhid 2 advbase 1 advskew 0
>>>
>>> The problem I have is that when I ping the VIP from a VPN client (on
>>> tap0), the server receives arp requests for the VIP on tap0, but it
>>> does not respond to them:
>>>
>>> # tcpdump -i tap0 -ln
>>> 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
>>>
>>> Is there any way to get the server to respond to arp requests on tap0
>>> for the VIP?
>>>
>>
>> Maybe you have to do ARP proxy on one side? Try to add an ARP entry in
>> the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..
>
> Thanks for the suggestion.
>
> Ok, static arp works: that is, if I take the carp1 mac address and add
> it to the arp table using:
>
> arp -s 10.0.80.74 00:00:5e:00:01:02 pub
>
> The ping starts to work. I'm still a bit confused why I have to do this
> though, because I can ping the non-shared IP 10.0.80.77 from the VPN
> client (via tap0) without any static arp, and I can ping the shared VIP
> (10.0.80.74) from clients on the physical network (em1) as well without
> any static arp. It's only when the ping has to cross the bridge that
> it's an issue.

Does it make any difference if you set the IP address on the bridge0 iface
and not on the physical one? I recall that the recommended setup is to use
IP addresses on the bridge interface and leave the members of the bridge
IP-less.

Nikos
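As an added example, not code from the thread: a POSIX shell check for the layout Nikos's reply points at, listing if_bridge members that still carry an inet address of their own. Both ifconfig dumps are constructed (the first mirrors Sebastiaan's setup, the second moves the address onto bridge0), and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: list if_bridge members that carry their own inet address.
# Both ifconfig dumps below are constructed; the first mirrors the setup in
# the thread (IP on em1, a member of bridge0), the second moves it to bridge0.
MEMBER_HAS_IP='em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:61:2a:55
        inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 9a:6a:9f:b2:65:da
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:bd:48:03:00:00
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.80.74 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0'

BRIDGE_HAS_IP='em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:61:2a:55
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 9a:6a:9f:b2:65:da
        inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:bd:48:03:00:00'

# Usage: bridge_members_with_inet "$(ifconfig)"
# Prints "<bridge> <member>" for every member interface that has an inet
# address of its own; exit status 1 if any were found, 0 otherwise.
bridge_members_with_inet() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9]+:/  { iface = $1; sub(/:$/, "", iface) }  # new interface block
        /^[ \t]+member: / { parent[$2] = iface }                # bridge -> member
        /^[ \t]+inet /    { has_inet[iface] = 1 }               # interface has an IPv4
        END {
            found = 0
            for (m in parent) if (m in has_inet) { print parent[m], m; found = 1 }
            exit found
        }'
}

if bridge_members_with_inet "$MEMBER_HAS_IP"; then
    echo "ok: no bridge member carries an IP address"
else
    echo "warning: move the address(es) listed above onto the bridge interface"
fi
```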