On 10/15/2014 03:43 PM, Fede wrote:

I've removed "defer" from /etc/hostname.pfsync0, and I also added some
bpf devices (one for every carp I have) with MAKEDEV, as you suggested.
Then, I've added "no-sync" to pf, so the running pf.conf is:

set skip on lo0
pass quick on em0 proto pfsync keep state (no-sync)
pass quick on em0
pass quick on { vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan1002 vlan1003 } proto { carp pfsync } keep state (no-sync)
pass in quick
pass out quick

but my problem persists.

UPDATE

Today I've tried to put all carp interfaces into just 5 carp interfaces, using netmask "255.255.255.255" for IPs in the same broadcast domain, and the appropriate netmask for IPs outside the first IP's subnet. This way, the test systems are working fine for the moment.

This solution is working, but it will need some revision of pf.conf. Let's say that we will have fewer files to maintain...

BTW, I would like to understand where the limit of the previous, non-working configuration is. I tried to load the previous hostname.carpXX interfaces one at a time, with a reboot for every new carp activated. I wasn't able to find a pattern, because interfaces on system-2 turn into MASTER state randomly.

When a split on a carp interface occurs, I can see with tcpdump that on the backup machine advertisement packets are just ignored. For example:

16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:21.715797 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:21.948972 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]

And then, if I run ksh /etc/netstart carpXX, the interface starts acting normally (MASTER/BACKUP) again.

In the end, I have my workaround, but it would be nice if someone could spot the misconfiguration or the problem with the faulty configuration I described.

Thank you all for the support.

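Added example, not part of the original message: a small Python check that reads tcpdump output in the format quoted above and reports every vhid on which two senders interleave advertisements, which is the dual-MASTER split described in the post. It assumes each node uses a distinct advskew (10 and 200 in the post), that the capture does not cross midnight, and a detection window of 3 * advbase seconds chosen for this example; the function names and the vhid 134 lines are hypothetical.

```python
import re
from collections import defaultdict

# Matches tcpdump CARP advertisement lines in the format quoted in the post.
ADV = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+) CARPv\d+-advertise \d+: "
                 r"vhid=(\d+) advbase=(\d+) advskew=(\d+)")

def parse(text):
    """Yield (seconds, vhid, advbase, advskew) for each advertisement line."""
    for line in text.splitlines():
        m = ADV.search(line)
        if m:
            h, mi, s, vhid, base, skew = m.groups()
            yield (int(h) * 3600 + int(mi) * 60 + float(s),
                   int(vhid), int(base), int(skew))

def find_splits(text):
    """Return {vhid: [advskews]} where two senders interleave advertisements.

    Only a MASTER advertises, so sender A, then B, then A again within
    3 * advbase seconds (window assumed for this example) means both nodes
    hold MASTER at once. A clean handover (A, A, B, B) is not reported.
    """
    last_seen = defaultdict(dict)   # vhid -> {advskew: last timestamp}
    splits = defaultdict(set)
    for t, vhid, base, skew in parse(text):
        seen = last_seen[vhid]
        prev = seen.get(skew)
        if prev is not None and t - prev <= 3 * base:
            for other, other_t in seen.items():
                if other != skew and prev < other_t <= t:
                    splits[vhid].update((skew, other))
        seen[skew] = t
    return {v: sorted(s) for v, s in splits.items()}

# Constructed sample: vhid 133 follows the pattern in the post; vhid 134 is a
# hypothetical clean handover from advskew 10 to advskew 200.
SAMPLE = """\
16:08:19.100000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.150000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:24.000000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:25.800000 CARPv2-advertise 36: vhid=134 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
"""

if __name__ == "__main__":
    print(find_splits(SAMPLE))
```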