Re: CARP & bridge

Wed, 29 Apr 2009 03:06:44 -0700 

Hi,

Julien Cigar wrote:

On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:

Hi,
I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged (via bridge0) to the physical em1 interface, which has a VIP via a carp1 interface:
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:61:2a:55
        inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 
        ether 9a:6a:9f:b2:65:da
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 11 priority 128 path cost 2000000
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 
        ether 00:bd:48:03:00:00
        Opened by PID 24616
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.80.74 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
The problem I have is that when I ping the VIP from a VPN client (on tap0), the server receives arp requests for the VIP on tap0, but it does not respond to them: 

# tcpdump -i tap0 -ln
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
Is there any way to get the server to respond to arp requests on tap0 for the VIP? 



Maybe you've to do ARP Proxy on one side ? Try to add an ARP entry in
the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..


Thanks for the suggestion.
Ok, static arp works: that is, if I take the carp1 mac address and add it to the arp table using: 

 arp -s 10.0.80.74 00:00:5e:00:01:02 pub
The ping starts to work. I'm still a bit confused why I have to do this though, because I can ping the non-shared IP 10.0.80.77 from the VPN client (via tap0) without any static arp, and I can ping the shared VIP (10.0.80.74) from clients on the physical network (em1) as well without any static arp. It's only when the ping it has to cross the bridge that it's an issue. 

Regards,
Sebastiaan

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to