Thank you for all your help guys :)

I finally figured out what I was doing wrong (including one of the problems being that I forgot to turn on one of the lab switches this morning (not enough coffee!)) ;)

For others, here is what I have done to get IPv6 working so far with one CARP interface per subnet;

sysctl.conf;
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=3
net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=0
net.inet6.ip6.accept_rtadv=0

allow carp;
pass quick proto carp from { fe80::/8 } to { ff00::/8 } keep state (no-sync)
allow ndp;
pass quick proto icmp6 from { ff00::/8 } to { ff00::/8 }

/etc/hostname.*;
cat /etc/hostname.em0
inet 18.2.32.11 255.255.255.0
inet6 a00:7e0::b 64

cat /etc/hostname.em1
inet 10.0.10.2 255.255.255.0
inet6 a00:7e0:0:a::2 64

cat /etc/hostname.carp0
inet 18.2.32.10 255.255.255.0 18.2.32.255
inet6 a00:7e0::a 64
carpdev em0 carppeer 18.2.32.12 vhid 201 pass testpass advbase 3 advskew 0 description "WAN"

cat /etc/hostname.carp1
inet 10.0.10.1 255.255.255.0 10.0.10.255
inet6 a00:7e0:0:a::1 64
carpdev em1 carppeer 10.0.10.3 vhid 1 pass testpass advbase 3 advskew 0 description "LAN"

To enable IPv6 on Cisco;
interface GigabitEthernet0/0/1
  ip address 18.2.32.1 255.255.255.0
  ipv6 address a00:7e0::1/64
ipv6 unicast-routing

Cheers, Andy.


On 30/08/13 11:18, Stefan Sperling wrote:
> On Fri, Aug 30, 2013 at 10:08:56AM +0100, Andy wrote:
> > Hi guys,
> > 
> > Adding the inet6 as an alias didn't work for me.
> > When the first line is an 'inet' entry, adding an inet6 alias
> > results in errors when running /etc/netstart :(
> I never had a need to use 'alias' for IPv6 addresses, even
> when adding multiple addresses to an interface with ifconfig.
> 
> > And trying;
> > inet 194.199.X.28 255.255.255.240 NONE
> > inet6 2001:660:abcd:1234::1:1 64
> > description "CARP server"
> > carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx
> > 
> > Resulted in multi-master (no flip-flopping but permanently
> > multi-master) even if I removed the carpdev and carppeer attributes
> > :(
> I believe the carpdev needs an address in the same prefix as the carp
> interface for things to work, because carp uses that information
> to locate the carpdev for sending IPv6 multicast. Does the vlan603
> interface have an IPv6 address in prefix 2001:660:abcd:1234::/64?
> 
> The config I use looks somewhat like this, and works fine for
> both IPv4 and IPv6. Note that the carp peers' em interfaces
> are plugged into a common switch and are not filtered by pf.
> 
> # cat hostname.em0
> inet 10.2.84.33 255.255.255.0 NONE
> inet6 2001:660:abcd:11::1 64
> # cat /etc/hostname.carp0
> inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10
> inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10
> 
> And on the slave:
> # cat hostname.em0
> inet 10.2.84.43 255.255.255.0 NONE
> inet6 2001:660:abcd:11::11 64
> # cat /etc/hostname.carp0
> inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10 advskew 200
> inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10 advskew 200
> 
> Carp multicast traffic is broadcast across the entire LAN.
> But it is authenticated so it cannot be spoofed (the password can
> be up to 32 chars in length). I see no way around that unless someone
> adds 'carppeer' support for IPv6. The carppeer option only works for
> IPv4 right now, probably due to lack of time and personal itch.
> ip_carp.c:carp_send_ad() would be the place to start hacking.
> 
> > I have tested both of these with PF disabled just in case a rule was
> > messing things up.
> > With pf enabled, does this rule satisfy CARP and is it sensible?
> > pass in quick proto carp from { fe80::/8 } to { ff00::/8 } keep state (no-sync)
> Carp sends from fe80::/8 to ff02::/8.
> 
> If you can link your firewalls via a trusted network you could
> probably just 'skip' the carpdev in pf.conf.
> 
> > The only way I have managed to get this to work with 5.3 is separate
> > carp devices, if I have to run two of course I will, but I would
> > really like to get it working under one for clarity.
> Not sure why that worked. Hard to tell without knowing how
> your other interfaces are configured.
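The recurring cause of the multi-master symptom in this thread is the constraint Stefan describes: the carpdev must carry an IPv6 address inside the prefix configured on the carp interface, otherwise carp cannot pick the parent for its IPv6 multicast advertisements. The script below is an added example, not code from the thread or from OpenBSD: it parses hostname.if(5) style files and reports, for every carpN interface, whether its carpdev (or, when carpdev is omitted, any non-carp interface) has an address in each configured IPv6 prefix. The sample files are constructed from the working em0/em1/carp0/carp1 configuration posted above, plus a constructed em2/carp2 pair that deliberately violates the constraint; the small set of recognised option keywords is an assumption of the example, not a full hostname.if grammar.

```python
import ipaddress

# Constructed sample hostname.if(5) files. em0/em1/carp0/carp1 mirror the
# working configuration from the top of the thread; em2/carp2 is a constructed
# negative case: carp2's prefix is a00:7e0:0:14::/64 but em2 only has an
# address in a00:7e0:0:b::/64.
HOSTNAME_FILES = {
    "em0": "inet 18.2.32.11 255.255.255.0\ninet6 a00:7e0::b 64\n",
    "em1": "inet 10.0.10.2 255.255.255.0\ninet6 a00:7e0:0:a::2 64\n",
    "carp0": (
        "inet 18.2.32.10 255.255.255.0 18.2.32.255\n"
        "inet6 a00:7e0::a 64\n"
        'carpdev em0 carppeer 18.2.32.12 vhid 201 pass testpass advbase 3 advskew 0 description "WAN"\n'
    ),
    "carp1": (
        "inet 10.0.10.1 255.255.255.0 10.0.10.255\n"
        "inet6 a00:7e0:0:a::1 64\n"
        'carpdev em1 carppeer 10.0.10.3 vhid 1 pass testpass advbase 3 advskew 0 description "LAN"\n'
    ),
    "em2": "inet 10.0.20.2 255.255.255.0\ninet6 a00:7e0:0:b::2 64\n",
    "carp2": "inet6 a00:7e0:0:14::1 64\ncarpdev em2 vhid 2 pass testpass\n",
}

# Subset of carp-related keywords this example understands (assumed, not the
# complete hostname.if syntax). Each takes exactly one value.
OPTION_KEYS = {"carpdev", "carppeer", "vhid", "pass", "advbase", "advskew"}


def parse_hostname_if(text):
    """Return (list of IPv6Interface, dict of carp options) for one hostname.if file.

    'inet6 <addr> <prefixlen> ...' lines contribute an address; option keywords
    are collected from any line, since they may follow an inet/inet6 address
    (as in Stefan's files) or sit on a line of their own (as in Andy's).
    """
    addrs, opts = [], {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "inet6" and len(tokens) >= 3:
            addrs.append(ipaddress.IPv6Interface(f"{tokens[1]}/{tokens[2]}"))
        for i, tok in enumerate(tokens[:-1]):
            if tok in OPTION_KEYS:
                opts[tok] = tokens[i + 1]
    return addrs, opts


def check_carp_prefixes(files):
    """Map each carpN interface to [(address/prefixlen, ok), ...].

    ok is True when the carpdev named in the file (or, without carpdev, any
    non-carp interface, which is how carp is described above as locating its
    parent) has an IPv6 address inside that carp address's prefix.
    """
    parsed = {name: parse_hostname_if(text) for name, text in files.items()}
    results = {}
    for name, (addrs, opts) in parsed.items():
        if not name.startswith("carp"):
            continue
        if "carpdev" in opts:
            candidates = [opts["carpdev"]]
        else:
            candidates = [n for n in parsed if not n.startswith("carp")]
        checks = []
        for addr in addrs:
            ok = any(
                dev_addr.ip in addr.network
                for dev in candidates
                if dev in parsed
                for dev_addr in parsed[dev][0]
            )
            checks.append((str(addr), ok))
        results[name] = checks
    return results


if __name__ == "__main__":
    for carp_if, checks in check_carp_prefixes(HOSTNAME_FILES).items():
        for address, ok in checks:
            status = "ok" if ok else "NO carpdev address in this prefix"
            print(f"{carp_if}: {address}: {status}")
```

Run against real files by replacing the constructed dictionary with the contents of /etc/hostname.* keyed by interface name; a False result is the configuration Stefan's question about vlan603 was probing for, and is worth checking before looking at pf rules, since a filtered advertisement and a missing parent address both present as two masters.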
