Re: CARP & bridge

2009-05-01 Thread Nikos Vassiliadis

Hi,

Sebastiaan van Erk wrote:
So I don't really *NEED* the CARP ip address over the bridge (the static 
arp works, so I have a working solution, albeit an ugly one; an ARP 
request generates a reply from every member of the redundant cluster).


Just a guess, you could try adding the VIP/32 to the tap interface,
instead of the static arp thing. Don't know if it will work, it is
just a guess, which looks - to me - like a cleaner configuration.
At least it's rc.conf friendly.

Just my 0.2 euros, Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: CARP & bridge

2009-05-01 Thread Sebastiaan van Erk

Hi,

Nikos Vassiliadis wrote:

Sebastiaan van Erk wrote:


Thanks for the suggestion. I tried it, but unfortunately the carp 
device never leaves the INIT state when I put the ip on the bridge. 
:-( I did find some similar problem here:


http://www.freebsd.org/cgi/query-pr.cgi?pr=125816


I just noticed that. On -CURRENT carp tells you that's
not supported:
bridge0: carp is not supported for this interface type

OTOH why do you even have to use the VIP from the remote
side of the bridge?

The only reason I can think of, for doing such a thing,
is to get *all* traffic from the remote location through
a "single" redundant router, the one with the VIP. Is this
the case?


It is indeed a "single" redundant router, though the traffic from the 
other side of the bridge (the OpenVPN clients) generally don't need to 
be routed redundantly. The OpenVPN clients use OpenVPN's redundancy 
(multiple "remote xxx.xxx.xxx.xxx" lines), and thus use the 
non-redundant IP address of the OpenVPN client they're connected to as 
gateway (which is fine, because if the server dies OpenVPN connects to a 
different server anyway)...


So I don't really *NEED* the CARP ip address over the bridge (the static 
arp works, so I have a working solution, albeit an ugly one; an ARP 
request generates a reply from every member of the redundant cluster).


I guess it's just not a supported configuration yet and it's not my 
stupidity (in this case anyway ;-)) that's the problem.



Nikos


Regards,
Sebastiaan




Re: CARP & bridge

2009-04-30 Thread Nikos Vassiliadis

Sebastiaan van Erk wrote:


Thanks for the suggestion. I tried it, but unfortunately the carp device 
never leaves the INIT state when I put the ip on the bridge. :-( I did 
find some similar problem here:


http://www.freebsd.org/cgi/query-pr.cgi?pr=125816


I just noticed that. On -CURRENT carp tells you that's
not supported:
bridge0: carp is not supported for this interface type

OTOH why do you even have to use the VIP from the remote
side of the bridge?

The only reason I can think of, for doing such a thing,
is to get *all* traffic from the remote location through
a "single" redundant router, the one with the VIP. Is this
the case?

Nikos


Re: CARP & bridge

2009-04-29 Thread Sebastiaan van Erk

Hi,

Nikos Vassiliadis wrote:

Sebastiaan van Erk wrote:

Julien Cigar wrote:


Maybe you have to do ARP Proxy on one side? Try to add an ARP entry in
the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..


Thanks for the suggestion.

Ok, static arp works: that is, if I take the carp1 mac address and add 
it to the arp table using:


 arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work. I'm still a bit confused why I have to do 
this though, because I can ping the non-shared IP 10.0.80.77 from the 
VPN client (via tap0) without any static arp, and I can ping the 
shared VIP (10.0.80.74) from clients on the physical network (em1) as 
well without any static arp. It's only when the ping has to cross 
the bridge that it's an issue.


Does it make any difference if you set the IP address on the bridge0
iface and not on the physical one?

I recall that the recommended setup is to use IP addresses on
the bridge interface and leave the members of the bridge IPless.

Nikos


Thanks for the suggestion. I tried it, but unfortunately the carp device 
never leaves the INIT state when I put the ip on the bridge. :-( I did 
find some similar problem here:


http://www.freebsd.org/cgi/query-pr.cgi?pr=125816

Regards,
Sebastiaan




Re: CARP & bridge

2009-04-29 Thread Nikos Vassiliadis

Sebastiaan van Erk wrote:

Hi,

Julien Cigar wrote:

On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:

Hi,

I have a bridged OpenVPN setup where the OpenVPN tap0 driver is 
bridged (via bridge0) to the physical em1 interface, which has a VIP 
via a carp1 interface:


em1: flags=8943 metric 0 mtu 1500
options=98
ether 00:0c:29:61:2a:55
inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
media: Ethernet autoselect (1000baseTX )
status: active
bridge0: flags=8843 metric 0 mtu 1500
ether 9a:6a:9f:b2:65:da
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143
ifmaxaddr 0 port 11 priority 128 path cost 200
member: em1 flags=143
ifmaxaddr 0 port 2 priority 128 path cost 2
tap0: flags=8943 metric 0 mtu 1500
ether 00:bd:48:03:00:00
Opened by PID 24616
carp1: flags=49 metric 0 mtu 1500
inet 10.0.80.74 netmask 0xff00
carp: MASTER vhid 2 advbase 1 advskew 0


The problem I have is that when I ping the VIP from a VPN client (on 
tap0), the server receives arp requests for the VIP on tap0, but it 
does not respond to them:


# tcpdump -i tap0 -ln
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6

Is there any way to get the server to respond to arp requests on tap0 
for the VIP?




Maybe you have to do ARP Proxy on one side? Try to add an ARP entry in
the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..


Thanks for the suggestion.

Ok, static arp works: that is, if I take the carp1 mac address and add 
it to the arp table using:


 arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work. I'm still a bit confused why I have to do this 
though, because I can ping the non-shared IP 10.0.80.77 from the VPN 
client (via tap0) without any static arp, and I can ping the shared VIP 
(10.0.80.74) from clients on the physical network (em1) as well without 
any static arp. It's only when the ping has to cross the bridge that 
it's an issue.


Does it make any difference if you set the IP address on the bridge0
iface and not on the physical one?

I recall that the recommended setup is to use IP addresses on
the bridge interface and leave the members of the bridge IPless.

Nikos


Re: CARP & bridge

2009-04-29 Thread Julien Cigar
On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
> Hi,
> 
> I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged 
> (via bridge0) to the physical em1 interface, which has a VIP via a carp1 
> interface:
> 
> em1: flags=8943 metric 0 mtu 1500
>   options=98
>   ether 00:0c:29:61:2a:55
>   inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
>   media: Ethernet autoselect (1000baseTX )
>   status: active
> bridge0: flags=8843 metric 0 mtu 1500
>   ether 9a:6a:9f:b2:65:da
>   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>   maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>   member: tap0 flags=143
>   ifmaxaddr 0 port 11 priority 128 path cost 200
>   member: em1 flags=143
>   ifmaxaddr 0 port 2 priority 128 path cost 2
> tap0: flags=8943 metric 0 mtu 1500
>   ether 00:bd:48:03:00:00
>   Opened by PID 24616
> carp1: flags=49 metric 0 mtu 1500
>   inet 10.0.80.74 netmask 0xff00
>   carp: MASTER vhid 2 advbase 1 advskew 0
> 
> 
> The problem I have is that when I ping the VIP from a VPN client (on 
> tap0), the server receives arp requests for the VIP on tap0, but it does 
> not respond to them:
> 
> # tcpdump -i tap0 -ln
> 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
> 
> Is there any way to get the server to respond to arp requests on tap0 
> for the VIP?
> 

Maybe you have to do ARP Proxy on one side? Try to add an ARP entry in
the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..

> This is all on FreeBSD 7.1 with OpenVPN 2.0.6 (both client and server).
> 
> Regards,
> Sebastiaan
> 
-- 
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jci...@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52



Re: CARP & bridge

2009-04-29 Thread Sebastiaan van Erk

Hi,

Julien Cigar wrote:

On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:

Hi,

I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged 
(via bridge0) to the physical em1 interface, which has a VIP via a carp1 
interface:


em1: flags=8943 metric 0 mtu 1500
options=98
ether 00:0c:29:61:2a:55
inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
media: Ethernet autoselect (1000baseTX )
status: active
bridge0: flags=8843 metric 0 mtu 1500
ether 9a:6a:9f:b2:65:da
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143
ifmaxaddr 0 port 11 priority 128 path cost 200
member: em1 flags=143
ifmaxaddr 0 port 2 priority 128 path cost 2
tap0: flags=8943 metric 0 mtu 1500
ether 00:bd:48:03:00:00
Opened by PID 24616
carp1: flags=49 metric 0 mtu 1500
inet 10.0.80.74 netmask 0xff00
carp: MASTER vhid 2 advbase 1 advskew 0


The problem I have is that when I ping the VIP from a VPN client (on 
tap0), the server receives arp requests for the VIP on tap0, but it does 
not respond to them:


# tcpdump -i tap0 -ln
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6

Is there any way to get the server to respond to arp requests on tap0 
for the VIP?




Maybe you have to do ARP Proxy on one side? Try to add an ARP entry in
the ARP table with arp (arp -s 1.2.3.4 MAC foo) ..


Thanks for the suggestion.

Ok, static arp works: that is, if I take the carp1 mac address and add 
it to the arp table using:


 arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work. I'm still a bit confused why I have to do this 
though, because I can ping the non-shared IP 10.0.80.77 from the VPN 
client (via tap0) without any static arp, and I can ping the shared VIP 
(10.0.80.74) from clients on the physical network (em1) as well without 
any static arp. It's only when the ping has to cross the bridge that 
it's an issue.


Regards,
Sebastiaan
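An added example, not part of the thread, in Python: it derives the CARP virtual MAC from the vhid (CARP uses the VRRP prefix 00:00:5e:00:01 followed by the vhid, which is how 00:00:5e:00:01:02 above comes from vhid 2), builds the published static ARP entry used as the workaround, and scans tcpdump lines for ARP requests to the VIP that never get a reply, the symptom seen on tap0. Only the first sample line is from the thread; the others are constructed.

```python
"""Spot unanswered ARP requests for a CARP VIP in a tcpdump -ln capture."""
import re


def carp_mac(vhid: int) -> str:
    """CARP virtual MAC: VRRP prefix 00:00:5e:00:01 plus the vhid octet."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def proxy_arp_cmd(vip: str, vhid: int) -> str:
    """The published static ARP entry used as the workaround in the thread."""
    return f"arp -s {vip} {carp_mac(vhid)} pub"


# Request/reply formats as printed by tcpdump -ln of that era.
WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
IS_AT = re.compile(r"arp reply (\S+) is-at (\S+)")


def unanswered_arp(lines, vip):
    """Return the requesters that asked for `vip` if no reply for it was seen."""
    requesters, answered = set(), False
    for line in lines:
        req = WHO_HAS.search(line)
        if req and req.group(1) == vip:
            requesters.add(req.group(2))
        rep = IS_AT.search(line)
        if rep and rep.group(1) == vip:
            answered = True
    return [] if answered else sorted(requesters)


# Constructed sample capture: line 1 is the real line from the thread; the
# non-shared address 10.0.80.77 is answered, the VIP 10.0.80.74 is not.
SAMPLE = [
    "11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6",
    "11:29:14.637201 arp who-has 10.0.80.74 tell 10.0.80.6",
    "11:29:20.001000 arp who-has 10.0.80.77 tell 10.0.80.6",
    "11:29:20.001250 arp reply 10.0.80.77 is-at 00:0c:29:61:2a:55",
]

if __name__ == "__main__":
    for vip in ("10.0.80.74", "10.0.80.77"):
        missing = unanswered_arp(SAMPLE, vip)
        print(vip, "unanswered from", missing if missing else "nobody")
    print(proxy_arp_cmd("10.0.80.74", 2))
```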





CARP & bridge

2009-04-29 Thread Sebastiaan van Erk

Hi,

I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged 
(via bridge0) to the physical em1 interface, which has a VIP via a carp1 
interface:


em1: flags=8943 metric 0 mtu 1500
options=98
ether 00:0c:29:61:2a:55
inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
media: Ethernet autoselect (1000baseTX )
status: active
bridge0: flags=8843 metric 0 mtu 1500
ether 9a:6a:9f:b2:65:da
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143
ifmaxaddr 0 port 11 priority 128 path cost 200
member: em1 flags=143
ifmaxaddr 0 port 2 priority 128 path cost 2
tap0: flags=8943 metric 0 mtu 1500
ether 00:bd:48:03:00:00
Opened by PID 24616
carp1: flags=49 metric 0 mtu 1500
inet 10.0.80.74 netmask 0xff00
carp: MASTER vhid 2 advbase 1 advskew 0


The problem I have is that when I ping the VIP from a VPN client (on 
tap0), the server receives arp requests for the VIP on tap0, but it does 
not respond to them:


# tcpdump -i tap0 -ln
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6

Is there any way to get the server to respond to arp requests on tap0 
for the VIP?


This is all on FreeBSD 7.1 with OpenVPN 2.0.6 (both client and server).

Regards,
Sebastiaan


