On 3/30/15 12:54 PM, Martin Pieuchot wrote:
> On 30/03/15(Mon) 11:58, David Newman wrote:
>> On 3/29/15 12:38 PM, mxb wrote:
>>> Probably your PF rules.
>>> put in ‘pass quick proto icmp’.
>>
>> No joy. This did not improve on the existing ICMP rule in pf.conf.
>>
>> I think the root problem is that on both firewalls the physical and CARP
>> interface addresses are bound to lo0 instead of vic1. Here both .98
>> (CARP) and .99 (physical) should be bound to vic1 instead of lo0:
>>
>> netstat -nr -f inet | grep 12.220.174
>> default            12.220.174.97      UGS        0        4     -     8 vic1
>> 12.220.174.96/27   link#2             UC         2        0     -     4 vic1
>> 12.220.174.98      00:00:5e:00:01:dd  HLl        0        0     -     1 lo0
>> 12.220.174.99      00:50:56:b2:33:0e  UHLl       0        8     -     1 lo0
>>
>> hostname.vic1:
>> inet 12.220.174.99 255.255.255.224 12.220.174.127 up
>>
>> hostname.carp221:
>> inet 12.220.174.98 255.255.255.224 12.20.174.127 vhid 221 carpdev vic1
>> advskew 1 pass ******
>>
>> CARP is up and MASTER/BACKUP state changes work between boxes, but
>> neither firewall can ping other hosts or vice-versa via the CARP interface.
>>
>> How to get those interfaces to bind to vic1 instead of lo0?
> 
> You cannot do that.  You're mixing the words "interfaces" and "IP
> addresses" which makes things a bit complicated to understand.

OK, and thanks for this, and sorry for the high-latency response.


> 
> Every IP address configured locally will have the "l" flag in
> netstat/route outputs and will be linked to lo0.  They are linked to
> lo0 to be able to use them locally without sending packets to the wire.

OK for the physical interfaces, eg, vic0, vic1

Not OK for the carp interfaces. On the production machines I'm
replicating here as VMs, it looks like the carp interfaces are bound to
themselves -- note that the last column is "carp21":

# netstat -nr -f inet | grep 12.20.174.98
12.20.174.98       12.20.174.98       UH         0    14853     -     4 carp21

But on the similarly configured VM, the carp interface (carp221 in this
example) is bound to the lo0 interface:

# netstat -nr -f inet | grep 12.220.174.98
12.220.174.98      00:00:5e:00:01:dd  UHLl       0        0     -     1 lo0


> In the case of CARP setups the master and the backup nodes have at least
> one address in common.  Which means that pinging this address from any
> of these CARP nodes should not generate packet on the wire.

OK

> 
> Now if you configure an IP address of the same subnet on the parent
> interface, vic1 in your case, this interface will hold the cloning
> route ('C' in your output) and will be used to reach any other address
> of the subnet.  If you don't do that, then the carp interfaces should
> hold the cloning route and their address will be used.

In both cases above, the parent and carp interfaces are configured with
IP addresses on the same subnet.

In the case of the physical (production) machines, other machines on
that subnet can ping the carp interface (the virtual IP address shared
by two machines with carp interfaces).

In the case of the VMs, a machine on that subnet cannot ping the carp
interface. I think this is because it's bound to lo0, but I don't know why.

Here again are the hostname files for the physical and carp interfaces
on the VM.

# cat hostname.vic1
inet 12.220.174.99 255.255.255.224 12.220.174.127 up

# backslash added for clarity -- it's 1 line in original
# cat hostname.carp221
inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 \
 carpdev vic1 advskew 1 pass ******


> Does that answer your question?

In terms of how CARP works, yes. In terms of why it's bound to lo0 here,
no, sorry, I'm missing something here.

dn
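The two facts Martin's reply hinges on (every locally configured address, CARP or not, carries the "l" flag and points at lo0; the parent interface that owns the subnet's cloning "C" route is what actually carries traffic to the rest of the subnet) can be checked mechanically from the routing table. The script below is an added example, not part of the thread or of OpenBSD; it parses `netstat -nr -f inet` output read from stdin, so it can be run on a live box, and the embedded sample table is constructed from the VM lines quoted above. The function names (cloning_iface, local_addrs, is_local, carp_status) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): inspect an
# OpenBSD `netstat -nr -f inet` table and answer the two questions raised
# in the reply above: which interface holds the cloning route for the
# subnet, and which addresses are local ('l' flag, always attached to lo0).
# Every function reads the routing table on stdin so it works on live output:
#   netstat -nr -f inet | cloning_iface 12.220.174.96/27

# Constructed sample, built from the VM lines quoted in the thread.
SAMPLE_ROUTES='default            12.220.174.97      UGS        0        4     -     8 vic1
12.220.174.96/27   link#2             UC         2        0     -     4 vic1
12.220.174.98      00:00:5e:00:01:dd  HLl        0        0     -     1 lo0
12.220.174.99      00:50:56:b2:33:0e  UHLl       0        8     -     1 lo0'

# cloning_iface SUBNET: print the interface carrying the 'C' route for SUBNET.
# The flags column is field 3; the interface is the last field.
cloning_iface() {
    awk -v net="$1" '$1 == net && $3 ~ /C/ { print $NF; exit }'
}

# local_addrs: print every destination whose flags include lowercase 'l'.
# awk regexes are case-sensitive, so the uppercase 'L' (link-layer) flag
# does not match.
local_addrs() {
    awk '$3 ~ /l/ { print $1 }'
}

# is_local ADDR: exit 0 if ADDR has a local ('l') route, 1 otherwise.
is_local() {
    awk -v a="$1" '$1 == a && $3 ~ /l/ { found = 1 } END { exit !found }'
}

# carp_status ADDR SUBNET: one-line summary for a CARP address. A local
# address on lo0 is the expected state; the interesting question is which
# interface owns the cloning route that peers on SUBNET are reached through.
carp_status() {
    tbl=$(cat)
    if printf '%s\n' "$tbl" | is_local "$1"; then
        loc="local (l flag, on lo0 as expected)"
    else
        loc="NOT local: the address is not configured on this host"
    fi
    iface=$(printf '%s\n' "$tbl" | cloning_iface "$2")
    printf '%s: %s; subnet %s reached via %s\n' \
        "$1" "$loc" "$2" "${iface:-no cloning route}"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ROUTES" | carp_status 12.220.174.98 12.220.174.96/27
printf '%s\n' "$SAMPLE_ROUTES" | local_addrs
```

On the VM table above this reports the CARP address as local on lo0, which matches the reply's explanation, and vic1 as the interface holding the cloning route; run it against the production box's table to compare which interface owns the "C" route there.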
