Date: Sun, 13 Feb 2022 11:17:42 +0100
From: Harry Schmalzbauer <freebsd@omnilan.de>
To: Andrea Venturoli <ml@netfence.it>, freebsd-net@freebsd.org
Subject: Re: Some strangeness with CARP
Message-ID: <2ad44687-c7c9-9e0c-00f0-25b4c7798bfa@omnilan.de>
In-Reply-To: <594e3d18-9645-3b3f-7a41-87c586fb93ad@netfence.it>
References: <594e3d18-9645-3b3f-7a41-87c586fb93ad@netfence.it>
On 12.02.2022 at 12:53, Andrea Venturoli wrote:
> Hello.
>
> I've set up a network with CARP and I think I'm seeing something strange.
>
> What follows is a simplified setup (the real one involves lagg and
> vlan, but this should not matter).
>
> I have a Zyxel managed switch,
> two "servers":
> - A 192.168.0.1
> - B 192.168.0.2
> and two "clients"
> - C 192.168.0.10
> - D 192.168.0.11
>
> Now let's add the "shared" CARP IP 192.168.0.3 (vhid 1) to server A
> and server B and start sniffing on C and D.
>
> If C or D talks with A or B using their own IP
> (192.168.0.1/192.168.0.2) the other client does not see that traffic
> (as is to be expected on a switched network).
> However if any client talks with the CARP IP (192.168.0.3) every node
> on the LAN can sniff that traffic!
>
> I tracked this down to the switch not learning the MAC address
> 00:00:5e:00:01:01 (which is what CARP vhid 1 uses), so every outgoing
> packet is broadcast to the whole network.
> Is this normal???
>
> Changing to any other VHID (I tried 2, 4 and 10) does not show the
> same problem, as 00:00:5e:00:01:xx will show up in the switch MAC
> database.
>
> I'm scratching my head trying to find an explanation, but so far I
> could only think the switch is misbehaving.
> Or am I missing some info and there's a reason for this?

Hi,

if the source address of the SYN-ACK reply between [C|D] -> carpIP is .3/0:0:5e:00:01:01, I'd blame the switch too (MAC address learning limit set for the port(s) in question?!?).
But maybe [A|B] respond with the wrong source MAC address, depending on the VHID? Probably not possible at all - don't know our stack that deep. Worth and easy to check nevertheless.

good hunting,

-harry
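The check Harry suggests (does the reply from the CARP IP carry the VHID-derived virtual MAC 00:00:5e:00:01:<vhid> as its Ethernet source, and are unicast frames for another host showing up on this one) can be scripted against a capture. The following Python is an added example written for this thread, not code from either poster or from FreeBSD: it decodes Ethernet II/IPv4/TCP headers from raw frame bytes, flags replies from the CARP IP whose source MAC is not the expected virtual MAC, and flags unicast frames addressed to some other station, which is the symptom of the switch flooding instead of forwarding. The MAC addresses and the three-frame "capture" are constructed for the example; in practice the raw bytes would come from tcpdump/pcap on C or D.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SYN_ACK = 0x12  # TCP flags byte with SYN and ACK set


def carp_mac(vhid: int) -> str:
    """CARP (like VRRP) uses the virtual MAC 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    tcp_flags: Optional[int]  # None when the IPv4 payload is not TCP


def parse_frame(raw: bytes) -> Frame:
    """Minimal decoder: Ethernet II header, IPv4 addresses, TCP flags byte."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    proto = ip[9]
    flags = ip[ihl + 13] if proto == 6 else None  # TCP flags sit at offset 13
    return Frame(_mac_str(dst), _mac_str(src), _ip_str(ip[12:16]), _ip_str(ip[16:20]), flags)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, tcp_flags: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero) for the sample capture."""
    eth = struct.pack("!6s6sH", _mac_bytes(dst_mac), _mac_bytes(src_mac), 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def wrong_source_mac(frames: List[Frame], carp_ip: str, vhid: int) -> List[Frame]:
    """Frames sent from the CARP IP whose Ethernet source is not the virtual MAC."""
    expected = carp_mac(vhid)
    return [f for f in frames if f.src_ip == carp_ip and f.src_mac != expected]


def flooded_to_me(frames: List[Frame], my_mac: str) -> List[Frame]:
    """Unicast frames addressed to another station: on a switched LAN these
    should not reach this port unless the switch floods them."""
    out = []
    for f in frames:
        first_octet = int(f.dst_mac.split(":")[0], 16)
        if first_octet & 1 == 0 and f.dst_mac != my_mac:  # I/G bit clear => unicast
            out.append(f)
    return out


# Constructed sample: locally administered MACs standing in for A, C and D.
MAC_A = "02:00:00:00:00:01"
MAC_C = "02:00:00:00:00:0c"
MAC_D = "02:00:00:00:00:0d"
CARP_IP, VHID = "192.168.0.3", 1

# Constructed capture as seen on host D.
CAPTURE_ON_D = [
    # SYN-ACK from the CARP IP to C, correctly sourced from the virtual MAC, yet seen on D
    build_frame(MAC_C, carp_mac(VHID), CARP_IP, "192.168.0.10", SYN_ACK),
    # SYN-ACK from A's own IP to D: normal unicast delivery
    build_frame(MAC_D, MAC_A, "192.168.0.1", "192.168.0.11", SYN_ACK),
    # hypothetical misbehaving reply: CARP IP but A's physical MAC as source
    build_frame(MAC_C, MAC_A, CARP_IP, "192.168.0.10", SYN_ACK),
]


def analyze(raw_frames: List[bytes] = CAPTURE_ON_D, my_mac: str = MAC_D) -> dict:
    frames = [parse_frame(r) for r in raw_frames]
    return {
        "wrong_src_mac": len(wrong_source_mac(frames, CARP_IP, VHID)),
        "flooded": len(flooded_to_me(frames, my_mac)),
    }


if __name__ == "__main__":
    print(analyze())
```

A non-zero `wrong_src_mac` count would point at the host stack; a zero there together with a non-zero `flooded` count matches Andrea's observation and points at the switch's MAC learning for that address.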