On 4/19/2012 11:17 AM, Matt Hamilton wrote:
> David Goldsmith <dgoldsmith <at> sans.org> writes:
>
>> I believe the "inet" option is missing a 3rd component. After
>> the CARP IP and the netmask, you also need the 'last' IP for the
>> subnet, in your case it would be 213.133.66.71 (on both
>> servers).
>>
>> On our servers, we have something like:
>>
>> inet 10.3.2.1 255.255.255.0 10.3.2.255
>
>
> I have never needed to manually configure the broadcast address
> before on unix. Indeed according to ifconfig vlan119 it has
> correctly worked it out:
>
> carp119: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:00:5e:00:01:77
>         priority: 0
>         carp: MASTER carpdev vlan119 vhid 119 advbase 1 advskew 10
>         groups: carp
>         status: master
>         inet 213.133.66.67 netmask 0xfffffff8 broadcast 213.133.66.71
>
> I have now removed the trunking to see if that affected it, but no
> joy. So I now have:

My suggestion of the third argument was for the carp interface, not for the vlan interface. If you look at http://www.openbsd.org/faq/pf/carp.html/#carpconfig , you see they show 'ipaddress netmask mask' as the last three elements and they do not have brackets around any of them indicating that they are optional configuration settings.

> bnx0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:10:18:d2:d3:ec
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>
> vlan119: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:10:18:d2:d3:ec
>         description: Scottles Server
>         priority: 0
>         vlan: 119 priority: 0 parent interface: bnx0
>         groups: vlan
>         status: active
>         inet 213.133.66.65 netmask 0xfffffff8 broadcast 213.133.66.71
>
> carp119: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:00:5e:00:01:77
>         priority: 0
>         carp: MASTER carpdev vlan119 vhid 119 advbase 1 advskew 10
>         groups: carp
>         status: master
>         inet 213.133.66.67 netmask 0xfffffff8 broadcast 213.133.66.71
>
>
> I still see the number of IPv4 packets sent increasing according
> to netstat -s -p carp, but according to both tcpdump and netstat
> there are no packets being transmitted on the vlan119 or bnx0
> interfaces.
>
> If I remove the vlan part and just have the carp interface on top
> of bnx0 then I see carp packets on bnx0 with tcpdump as I'd expect.
> So clearly there is a serious bug somewhere about sending carp
> packets over vlan interfaces. :(
>
> -Matt

We've got carp running over 20+ VLAN interfaces themselves tied to LACP trunk interfaces on OpenBSD 4.9 firewalls. What are your CARP related sysctl settings currently?

# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1

Since you said you have PF disabled, it should not be an issue of missing a rule to allow the CARP protocol traffic like:

pass quick proto carp all keep state

Just checking, but are the switch ports configured appropriately? If you are running multiple VLANs, are the switch ports set in trunk mode and are all the VLANs you are using on the firewall allowed to traverse the attached switch ports?

-- 
David Goldsmith
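The checks David walks through by hand (the carp interface's carpdev exists and shares its subnet, the broadcast address agrees with the address and netmask, and the carp sysctls are set) can be scripted against saved `ifconfig` and `sysctl` output. The following is an added example written for this thread, not code from either poster or from OpenBSD; the `ifconfig` and `sysctl` samples embedded in it are constructed from the text quoted above, and the function names (`parse_ifconfig`, `parse_sysctl`, `check_carp`) are this example's own.

```python
"""Sanity-check CARP configuration from saved ifconfig and sysctl output.

Added example, not part of the original mailing-list thread. It parses
OpenBSD-style `ifconfig` text (sample below constructed from the thread)
and a `sysctl -a | grep carp` excerpt, then reports the checks a
troubleshooter would otherwise do by eye.
"""
import ipaddress
import re

# Constructed sample: the ifconfig output quoted in the thread, reflowed.
SAMPLE_IFCONFIG = """\
bnx0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:10:18:d2:d3:ec
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
vlan119: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:10:18:d2:d3:ec
        description: Scottles Server
        priority: 0
        vlan: 119 priority: 0 parent interface: bnx0
        groups: vlan
        status: active
        inet 213.133.66.65 netmask 0xfffffff8 broadcast 213.133.66.71
carp119: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:5e:00:01:77
        priority: 0
        carp: MASTER carpdev vlan119 vhid 119 advbase 1 advskew 10
        groups: carp
        status: master
        inet 213.133.66.67 netmask 0xfffffff8 broadcast 213.133.66.71
"""

# Constructed sample: the sysctl excerpt shown in the reply.
SAMPLE_SYSCTL = """\
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+)(?: broadcast (\S+))?")
CARP_RE = re.compile(r"^\s*carp: (\S+) carpdev (\S+) vhid (\d+)")


def parse_ifconfig(text):
    """Return {ifname: {"inet": [...], "carp": {...} or None}}."""
    ifaces = {}
    cur = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"inet": [], "carp": None})
            continue
        if cur is None:
            continue
        m = INET_RE.match(line)
        if m:
            addr, mask_hex, bcast = m.groups()
            prefix = bin(int(mask_hex, 16)).count("1")  # hex netmask -> prefix length
            cur["inet"].append({"addr": addr, "prefix": prefix, "broadcast": bcast})
            continue
        m = CARP_RE.match(line)
        if m:
            cur["carp"] = {"state": m.group(1), "carpdev": m.group(2), "vhid": int(m.group(3))}
    return ifaces


def parse_sysctl(text):
    """Return {"net.inet.carp.allow": "1", ...} from key=value lines."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def check_carp(ifaces, sysctls):
    """Return a list of problem strings; an empty list means nothing obvious is wrong."""
    problems = []
    for key in ("net.inet.carp.allow", "net.inet.carp.preempt"):
        if sysctls.get(key) != "1":
            problems.append(f"{key} is not 1")
    for name, info in ifaces.items():
        carp = info["carp"]
        if carp is None:
            continue
        if not info["inet"]:
            problems.append(f"{name}: carp interface has no inet address")
        dev = ifaces.get(carp["carpdev"])
        if dev is None:
            problems.append(f"{name}: carpdev {carp['carpdev']} not found")
            continue
        if not dev["inet"]:
            problems.append(f"{name}: carpdev {carp['carpdev']} has no inet address")
        for a in info["inet"]:
            net = ipaddress.ip_interface(f"{a['addr']}/{a['prefix']}").network
            expected = str(net.broadcast_address)  # the 'last' IP of the subnet
            if a["broadcast"] is not None and a["broadcast"] != expected:
                problems.append(f"{name}: broadcast {a['broadcast']} != {expected}")
            if not any(ipaddress.ip_address(d["addr"]) in net for d in dev["inet"]):
                problems.append(f"{name}: {a['addr']} not in a subnet of {carp['carpdev']}")
    return problems


if __name__ == "__main__":
    found = check_carp(parse_ifconfig(SAMPLE_IFCONFIG), parse_sysctl(SAMPLE_SYSCTL))
    print("\n".join(found) if found else "no CARP configuration problems found")
```

On the sample from the thread the checker finds nothing wrong, which matches Matt's observation that the broadcast was already worked out correctly; the value of the script is in catching the cases it does flag (a carpdev with no address, a carp address outside the carpdev's subnet, `net.inet.carp.allow` not set) before moving on to switch-side questions such as trunk mode and VLAN allow lists.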