Re: VLAN + CARP ?

2017-02-28 Thread Julien Cigar
On Mon, Feb 27, 2017 at 03:37:14PM -0800, Freddie Cash wrote:
> On Mon, Feb 27, 2017 at 3:16 PM, Julien Cigar  wrote:
> 
> 
> > I wondered if it is possible to use CARP with VLAN interfaces?
> >
> 
> Yes, CARP-over-vLAN works well.  Used just such a setup at work for a
> couple years.
> 
> > Would something like this work (on 10.3)..?:
> >
> > = /etc/rc.conf 
> >
> > vlans_em0="neta netb"
> > create_args_neta="vlan 101"
> > create_args_netb="vlan 102"
> >
> > ifconfig_em0_neta="inet 192.168.1.253/24"
> > ifconfig_em0_netb="inet 10.209.1.253/24"
> >
> > ifconfig_em0_neta_alias0="inet vhid 3 advskew 10 pass xx alias
> > 192.168.2.254/32"
> > ifconfig_em0_netb_alias0="inet vhid 4 advskew 10 pass xx alias
> > 10.209.1.254/32"
> >
> > ===
> >
> 
> This is the setup we used (snipped for brevity):
> 
> # em2 is the 3rd NIC port from the top of the quad-port NIC
> ifconfig_em2="up"
> vlans_em2="vlan110 vlan2000 vlan1000 vlan1010 vlan1110"
> 
> create_args_vlan1000="vlan 1000"
> ifconfig_vlan1000="vhid 9 pass nxsp4ss1 advskew 128 10.1.0.1/16"
> 
> create_args_vlan2000="vlan 2000"
> ifconfig_vlan2000="vhid 20 pass nxsp4ss2 advskew 128 12.24.13.97/27"
> 
> create_args_vlan1010="vlan 1010"
> ifconfig_vlan1010="vhid 21 pass nxsp4ss3 advskew 128 12.24.12.129/26"
> 
> create_args_vlan1110="vlan 1110"
> ifconfig_vlan1110="vhid 11 pass nxsp4ss4 advskew 128 12.24.10.1/26"
> 
> em2 had no IPs associated with it, it was just the physical interface that
> the vlans and carp traffic went over.  We also only had a single subnet per
> vlan, so only a single IP per carp instance on each vlan.  But you can do
> multiples using the alias syntax like you have.

excellent, this is exactly what I need, thanks!

> 
> -- 
> Freddie Cash
> fjwc...@gmail.com

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.




Re: VLAN + CARP ?

2017-02-27 Thread Freddie Cash
On Mon, Feb 27, 2017 at 3:16 PM, Julien Cigar  wrote:


> I wondered if it is possible to use CARP with VLAN interfaces?
>

Yes, CARP-over-vLAN works well.  Used just such a setup at work for a
couple years.

> Would something like this work (on 10.3)..?:
>
> = /etc/rc.conf 
>
> vlans_em0="neta netb"
> create_args_neta="vlan 101"
> create_args_netb="vlan 102"
>
> ifconfig_em0_neta="inet 192.168.1.253/24"
> ifconfig_em0_netb="inet 10.209.1.253/24"
>
> ifconfig_em0_neta_alias0="inet vhid 3 advskew 10 pass xx alias
> 192.168.2.254/32"
> ifconfig_em0_netb_alias0="inet vhid 4 advskew 10 pass xx alias
> 10.209.1.254/32"
>
> ===
>

This is the setup we used (snipped for brevity):

# em2 is the 3rd NIC port from the top of the quad-port NIC
ifconfig_em2="up"
vlans_em2="vlan110 vlan2000 vlan1000 vlan1010 vlan1110"

create_args_vlan1000="vlan 1000"
ifconfig_vlan1000="vhid 9 pass nxsp4ss1 advskew 128 10.1.0.1/16"

create_args_vlan2000="vlan 2000"
ifconfig_vlan2000="vhid 20 pass nxsp4ss2 advskew 128 12.24.13.97/27"

create_args_vlan1010="vlan 1010"
ifconfig_vlan1010="vhid 21 pass nxsp4ss3 advskew 128 12.24.12.129/26"

create_args_vlan1110="vlan 1110"
ifconfig_vlan1110="vhid 11 pass nxsp4ss4 advskew 128 12.24.10.1/26"

em2 had no IPs associated with it, it was just the physical interface that
the vlans and carp traffic went over.  We also only had a single subnet per
vlan, so only a single IP per carp instance on each vlan.  But you can do
multiples using the alias syntax like you have.

-- 
Freddie Cash
fjwc...@gmail.com
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

VLAN + CARP ?

2017-02-27 Thread Julien Cigar
Hello,

I wondered if it is possible to use CARP with VLAN interfaces?

Would something like this work (on 10.3)..?:

= /etc/rc.conf 

vlans_em0="neta netb"
create_args_neta="vlan 101"
create_args_netb="vlan 102"

ifconfig_em0_neta="inet 192.168.1.253/24"
ifconfig_em0_netb="inet 10.209.1.253/24"

ifconfig_em0_neta_alias0="inet vhid 3 advskew 10 pass xx alias 192.168.2.254/32"
ifconfig_em0_netb_alias0="inet vhid 4 advskew 10 pass xx alias 10.209.1.254/32"

===

Thanks!

Julien


-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.




Re: kern/187451: [vlan] [carp] Some vlans in bridge + carp result in hung server

2014-04-15 Thread linimon
Old Synopsis: Some vlans in bride + carp result hung server
New Synopsis: [vlan] [carp] Some vlans in bridge + carp result in hung server

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:15:19 UTC 2014
Responsible-Changed-Why: 
reclassify.

http://www.freebsd.org/cgi/query-pr.cgi?pr=187451


Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-27 Thread Peter Jeremy
On 2008-Jun-27 22:59:56 +0200, Giulio Ferro <[EMAIL PROTECTED]> wrote:
>Peter Jeremy wrote:
>> The kernel should send out gratuitous ARP requests whenever you assign
>> an address to an interface.  You could confirm that this is happening
>> by tcpdumping the interface whilst you add aliases.
>>   
>I have bad news for you all: this doesn't seem to happen for alias
>interfaces.  I've just tried to replicate what happened days
>ago. I've verified that only the base (non alias) interface sends
>proper is-at messages. The aliases don't

I'm not seeing this on physical interfaces.  I can't immediately verify
this on VLAN interfaces but could at work next week.

Adding 192.168.123.253 as an alias on FreeBSD 7.0-STABLE (mid May):
08:21:39.899113 00:0f:b0:74:9c:a3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.123.253 tell 192.168.123.253

Adding 192.168.123.253 as an alias on FreeBSD 6.3-PRERELEASE:
08:24:21.077266 00:12:0e:20:2b:ad > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.123.253 tell 192.168.123.253

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.




Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-27 Thread Giulio Ferro

Peter Jeremy wrote:
> On 2008-Jun-26 22:06:11 +0200, Giulio Ferro <[EMAIL PROTECTED]> wrote:
>> I guess what I could do was to "poison" their arp cache for each
>> address with a "is-at" message. Is there a way to force the sending
>> of these messages for all the addresses of an interface?
>
> The kernel should send out gratuitous ARP requests whenever you assign
> an address to an interface.  You could confirm that this is happening
> by tcpdumping the interface whilst you add aliases.
>
> Rummaging around in ports, you might find net/arping or net/p5-Net-ARP
> useful if you want to manually generate gratuitous ARP requests.

I have bad news for you all: this doesn't seem to happen for alias
interfaces. I've just tried to replicate what happened days ago. I've
verified that only the base (non alias) interface sends proper is-at
messages. The aliases don't.

I couldn't either ping from one of those addresses or ping to one of them
until I issued:
arping -S aliased-address router-address

The router didn't know the mac addresses had changed until then...

Can anyone confirm this?
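The two kinds of announcement discussed in this thread, the gratuitous request ("who-has X tell X") that Peter Jeremy's capture shows the kernel sending when an address is assigned, and the unsolicited is-at that Giulio ended up sending with arping -S, look different on the wire and can be told apart from tcpdump output alone. What follows is an added example, not code from either poster: a Python parser for tcpdump's one-line ARP format (the format of Peter's capture) plus a toy neighbour cache that can be told which ARP operations it learns from. The capture, the hosts 192.168.123.10 and 192.168.123.1, and the stale MAC are all constructed; the "learns only from replies" policy is a model of the behaviour the thread observed upstream (the entry changed only after an is-at arrived), not a statement about any particular device.

```python
"""Classify ARP traffic from tcpdump output and replay it into a neighbour cache.

Added example (not from the thread). The capture below is constructed in the
format tcpdump -e prints; hosts and MACs are made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: arp "
    r"(?:who-has (?P<tgt>\S+) tell (?P<snd>\S+)"
    r"|reply (?P<rip>\S+) is-at (?P<rmac>[0-9a-f:]{17}))$"
)


@dataclass
class ArpEvent:
    ts: str
    op: str            # "request" or "reply"
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address
    target_ip: str     # empty for replies
    dst_mac: str       # Ethernet destination: broadcast, or the requester
    gratuitous: bool   # request: sender == target; reply: decided by ArpCache


def parse_line(line: str) -> Optional[ArpEvent]:
    """Parse one tcpdump ARP line; returns None for anything else."""
    m = _ARP_RE.match(line.strip())
    if m is None:
        return None
    if m["tgt"] is not None:
        # A host announcing its own address asks "who-has X tell X".
        return ArpEvent(m["ts"], "request", m["snd"], m["src"], m["tgt"],
                        m["dst"], m["snd"] == m["tgt"])
    return ArpEvent(m["ts"], "reply", m["rip"], m["rmac"], "", m["dst"], False)


@dataclass
class ArpCache:
    """Toy neighbour cache; learn_from selects which ARP operations update it."""
    learn_from: Tuple[str, ...] = ("request", "reply")
    table: dict = field(default_factory=dict)     # ip -> mac
    pending: set = field(default_factory=set)     # (target ip, requester mac)
    events: List[ArpEvent] = field(default_factory=list)
    log: list = field(default_factory=list)       # (ts, ip, old mac, new mac)

    def observe(self, ev: ArpEvent) -> None:
        self.events.append(ev)
        if ev.op == "request":
            self.pending.add((ev.target_ip, ev.sender_mac))
        else:
            # A reply nobody asked for (what arping -S sends) is gratuitous.
            key = (ev.sender_ip, ev.dst_mac)
            ev.gratuitous = key not in self.pending
            self.pending.discard(key)
        if ev.op not in self.learn_from:
            return
        old = self.table.get(ev.sender_ip)
        if old != ev.sender_mac:
            self.table[ev.sender_ip] = ev.sender_mac
            self.log.append((ev.ts, ev.sender_ip, old, ev.sender_mac))


def replay(capture: str, learn_from=("request", "reply"), stale=None) -> ArpCache:
    """Feed a capture through a cache pre-seeded with 'stale' {ip: mac} entries."""
    cache = ArpCache(learn_from=tuple(learn_from))
    cache.table.update(stale or {})
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev is not None:
            cache.observe(ev)
    return cache


def changes_for(cache: ArpCache, ip: str) -> List[str]:
    """Timestamps at which the cache rewrote its entry for ip."""
    return [ts for ts, cip, _old, _new in cache.log if cip == ip]


# Constructed capture: a normal request/reply between .10 and the router .1,
# then the new firewall .253 announcing itself first with a gratuitous request
# (kernel behaviour on address assignment) and later with an unsolicited is-at.
SAMPLE = """\
08:21:39.899113 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.123.1 tell 192.168.123.10
08:21:39.899500 00:00:0c:07:ac:0a > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: arp reply 192.168.123.1 is-at 00:00:0c:07:ac:0a
08:21:41.000000 00:0f:b0:74:9c:a3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.123.253 tell 192.168.123.253
08:22:10.000000 00:0f:b0:74:9c:a3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp reply 192.168.123.253 is-at 00:0f:b0:74:9c:a3
"""
# Constructed: the MAC the old firewall left behind in the upstream cache.
STALE = {"192.168.123.253": "00:aa:bb:cc:dd:01"}

if __name__ == "__main__":
    for policy in (("request", "reply"), ("reply",)):
        c = replay(SAMPLE, policy, STALE)
        print(policy, "updated .253 at", changes_for(c, "192.168.123.253"))
```

With both operations learned, the stale entry is corrected at 08:21:41 by the gratuitous request alone; with reply-only learning it survives until the is-at at 08:22:10, which is the sequence of events Giulio describes. Logging every change of MAC for an address, as the cache's `log` does, is also the basic signal a monitor uses to notice an address moving between hosts, whether by planned failover or otherwise.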


Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-27 Thread Steve Bertrand

Peter Jeremy wrote:
> On 2008-Jun-26 22:06:11 +0200, Giulio Ferro <[EMAIL PROTECTED]> wrote:
>> I guess what I could do was to "poison" their arp cache for each
>> address with a "is-at" message. Is there a way to force the sending
>> of these messages for all the addresses of an interface?
>
> The kernel should send out gratuitous ARP requests whenever you assign
> an address to an interface.  You could confirm that this is happening
> by tcpdumping the interface whilst you add aliases.
>
> Rummaging around in ports, you might find net/arping or net/p5-Net-ARP
> useful if you want to manually generate gratuitous ARP requests.

ping -S src_addr should do the trick too, however, that obviously
doesn't scale very well, so it's probably only best to test with..


Steve



Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-27 Thread Peter Jeremy
On 2008-Jun-26 22:06:11 +0200, Giulio Ferro <[EMAIL PROTECTED]> wrote:
> I guess what I could do was to "poison" their arp cache for each
> address with a "is-at" message. Is there a way to force the sending
> of these messages for all the addresses of an interface?

The kernel should send out gratuitous ARP requests whenever you assign
an address to an interface.  You could confirm that this is happening
by tcpdumping the interface whilst you add aliases.

Rummaging around in ports, you might find net/arping or net/p5-Net-ARP
useful if you want to manually generate gratuitous ARP requests.

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.




Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-26 Thread Giulio Ferro

Steve Bertrand wrote:
> Thank you Giulio (is it Gio?)

No, it's Giulio (english Julius) :-)

>> For some reason when I
>> plugged in the new firewall, only the base non-aliased address was
>> updated in the ISP switch arp cache (if someone can throw a guess at
>> why, I'm eager to listen).
>
> Well, you need to know what type of switch they had upstream, and why
> they weren't updating their ARP cache dynamically properly. Perhaps
> because their cache ttl was too long (due to the type of hardware, or
> administrative setting).

The strange thing is that they actually updated their arp entry for the base
(non aliased) address, but not the others.

I guess what I could do was to "poison" their arp cache for each address
with a "is-at" message. Is there a way to force the sending of these
messages for all the addresses of an interface?

> I almost have to assume it wasn't a Cisco... only because I would have
> expected different behavior (less administrative setting) (this is my
> personal experience...I'm not trying to favour a brand in any way).
>
> Perhaps you could ask them to provide the command they issued to
> determine how they found the problem. Better yet, ask what type of
> device your box is connected to at their end of the VLAN.

It was me who finally realized what the problem was. All I asked them to
do was to reset the arp cache of the interface, and I guess they did that
by ios (or cli or whatever), not something I could do without logging in
into their switch...

> If you can find out what device they have at their end, it may almost
> be possible to non-destructively, and non-corruptively 'force' them to
> clear arp-cache remotely, and at the same time provide advice to the
> non-unscrupulous people who may run into this in the future.

I guess I could have used utilities like ettercap to set their arp table
right, and this is what another person should do, if they have no other
way to operate that change...

> I'd be just as interested to know what they had at their end for
> hardware, as I have been waiting to hear what your resolution was
> throughout your time consuming troubleshooting...

Thanks for your support :-) I've seen many cisco devices in that farm,
so I guess that's the answer.
I imagine (since I don't really know) that every ip interface should
periodically issue "who-has" messages for the directly-connected
addresses, so maybe the problem would have solved itself, but I didn't
really know how long that would have taken, and I couldn't stop the
services provided by my customer too long...

Anyway all is well as it ends well..

Giulio.


Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-25 Thread Steve Bertrand

Giulio Ferro wrote:
> I finally got the problem, and it had nothing to do either with vlans or
> with carp.
>
> The firewall I was setting up was meant to replace an existing freebsd
> firewall which didn't use vlans (it had a lot of nics).
> The problem was that the network port where our ISP brings the internet
> connection still had the old aliased mac addresses in its arp cache.

Thank you Giulio (is it Gio?)... for replying everyone with a definitive
conclusion. That's fantastic for the followers of the thread, but the
archives as well.

> For some reason when I
> plugged in the new firewall, only the base non-aliased address was
> updated in the ISP switch arp cache (if someone can throw a guess at
> why, I'm eager to listen).

Well, you need to know what type of switch they had upstream, and why
they weren't updating their ARP cache dynamically properly. Perhaps
because their cache ttl was too long (due to the type of hardware, or
administrative setting).

I almost have to assume it wasn't a Cisco... only because I would have
expected different behavior (less administrative setting) (this is my
personal experience...I'm not trying to favour a brand in any way).

Perhaps you could ask them to provide the command they issued to
determine how they found the problem. Better yet, ask what type of
device your box is connected to at their end of the VLAN.

If you can find out what device they have at their end, it may almost be
possible to non-destructively, and non-corruptively 'force' them to
clear arp-cache remotely, and at the same time provide advice to the
non-unscrupulous people who may run into this in the future.

I'd be just as interested to know what they had at their end for
hardware, as I have been waiting to hear what your resolution was
throughout your time consuming troubleshooting...

Steve


SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

2008-06-25 Thread Giulio Ferro
I finally got the problem, and it had nothing to do either with vlans or
with carp.

The firewall I was setting up was meant to replace an existing freebsd
firewall which didn't use vlans (it had a lot of nics).
The problem was that the network port where our ISP brings the internet
connection still had the old aliased mac addresses in its arp cache. For
some reason when I plugged in the new firewall, only the base non-aliased
address was updated in the ISP switch arp cache (if someone can throw a
guess at why, I'm eager to listen).
The ISP router was still looking for the aliased addresses with the old
macs, so it didn't find them. Moreover, I inadvertently put the vlan
internet interface in promiscuous mode, so with tcpdump I also picked up
those packets with wrong mac address which weren't meant for me.

To make the story short, I called the technical customer care of the ISP
and I requested them to reset the arp cache of the port. Done that,
everything worked without a glitch.

The new firewall is now up and running in production with vlan + carp.
Everything seems fine.
Thanks to everybody who answered my plea... :-)


Giulio Ferro wrote:
> After some more tests I've finally realized that the problem is with
> vlan and alias. I've taken carp out of the picture.
>
> (Please read my previous message on the topic to understand the scenario,
> I've reported it below)
>
> Here is what matters in /etc/rc.conf:
>
> ---
> ...
> ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
> ...
> ifconfig_vlan128="inet x.y.z.132 netmask 255.255.255.224 vlan 128 vlandev bce0"
>
> ifconfig_vlan128_alias0="x.y.z.133 netmask 255.255.255.255"
> ifconfig_vlan128_alias1="x.y.z.134 netmask 255.255.255.255"
> ifconfig_vlan128_alias2="x.y.z.135 netmask 255.255.255.255"
> ifconfig_vlan128_alias3="x.y.z.136 netmask 255.255.255.255"
> ifconfig_vlan128_alias4="x.y.z.137 netmask 255.255.255.255"
> ifconfig_vlan128_alias5="x.y.z.138 netmask 255.255.255.255"
> ifconfig_vlan128_alias6="x.y.z.139 netmask 255.255.255.255"
> ifconfig_vlan128_alias7="x.y.z.140 netmask 255.255.255.255"
> ifconfig_vlan128_alias8="x.y.z.141 netmask 255.255.255.255"
> ...
> defaultrouter="x.y.z.129"
> ---
>
> netstat -rn
> ---
> Destination    Gateway            Flags  Refs   Use  Netif  Expire
> default        x.y.z.129          UGS       0  9869  vlan12
> x.y.z.128/27   link#11            UC        0     0  vlan12
> x.y.z.129      00:00:0c:07:ac:0a  UHLW      2    52  vlan12  1107
> x.y.z.130      00:d0:03:8a:9b:fc  UHLW      1     0  vlan12  1147
> x.y.z.131      00:d0:03:8a:9b:fd  UHLW      1     0  vlan12  1144
> x.y.z.133/32   link#11            UC        0     0  vlan12
> x.y.z.134/32   link#11            UC        0     0  vlan12
> x.y.z.135/32   link#11            UC        0     0  vlan12
> x.y.z.136/32   link#11            UC        0     0  vlan12
> x.y.z.137/32   link#11            UC        0     0  vlan12
> x.y.z.138/32   link#11            UC        0     0  vlan12
> x.y.z.139/32   link#11            UC        0     0  vlan12
> x.y.z.140/32   link#11            UC        0     0  vlan12
> x.y.z.141/32   link#11            UC        0     0  vlan12
> ---
>
> ifconfig vlan128
> ---
> vlan128: flags=8843 metric 0 mtu 1500
>    options=3
>    ether 00:1e:c9:ad:fa:c9
>    inet x.y.z.132 netmask 0xffffffe0 broadcast x.y.z.159
>    inet x.y.z.133 netmask 0xffffffff broadcast x.y.z.133
>    inet x.y.z.134 netmask 0xffffffff broadcast x.y.z.134
>    inet x.y.z.135 netmask 0xffffffff broadcast x.y.z.135
>    inet x.y.z.136 netmask 0xffffffff broadcast x.y.z.136
>    inet x.y.z.137 netmask 0xffffffff broadcast x.y.z.137
>    inet x.y.z.138 netmask 0xffffffff broadcast x.y.z.138
>    inet x.y.z.139 netmask 0xffffffff broadcast x.y.z.139
>    inet x.y.z.140 netmask 0xffffffff broadcast x.y.z.140
>    inet x.y.z.141 netmask 0xffffffff broadcast x.y.z.141
>    media: Ethernet autoselect (1000baseTX )
>    status: active
>    vlan: 128 parent interface: bce0
> ---
>
> Tests:
> No problem when I try to ping the default gateway from my fw
> No problem when I ping my fw from an external internet address
>
> Problems:
> - I cannot ping the router from one of the aliased address:
>    ping -S x.y.z.133 x.y.z.129
> - I cannot ping the aliased addresses from an external internet address
>
> Note : I can see the packets with tcpdump travelling from and to the aliased
> address. It seems the interface won't process them for some reason.
>
> This seems suspiciously like a bug to me...


-- 


(p

Problem clarification (was: Problems with vlan + carp + alias)

2008-06-23 Thread Giulio Ferro

After some more tests I've finally realized that the problem is with
vlan and alias. I've taken carp out of the picture.

(Please read my previous message on the topic to understand the scenario,
I've reported it below)

Here is what matters in /etc/rc.conf:

---
...
ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
...
ifconfig_vlan128="inet x.y.z.132 netmask 255.255.255.224 vlan 128 vlandev bce0"

ifconfig_vlan128_alias0="x.y.z.133 netmask 255.255.255.255"
ifconfig_vlan128_alias1="x.y.z.134 netmask 255.255.255.255"
ifconfig_vlan128_alias2="x.y.z.135 netmask 255.255.255.255"
ifconfig_vlan128_alias3="x.y.z.136 netmask 255.255.255.255"
ifconfig_vlan128_alias4="x.y.z.137 netmask 255.255.255.255"
ifconfig_vlan128_alias5="x.y.z.138 netmask 255.255.255.255"
ifconfig_vlan128_alias6="x.y.z.139 netmask 255.255.255.255"
ifconfig_vlan128_alias7="x.y.z.140 netmask 255.255.255.255"
ifconfig_vlan128_alias8="x.y.z.141 netmask 255.255.255.255"
...
defaultrouter="x.y.z.129"
---

netstat -rn
---
Destination    Gateway            Flags  Refs   Use  Netif  Expire
default        x.y.z.129          UGS       0  9869  vlan12
x.y.z.128/27   link#11            UC        0     0  vlan12
x.y.z.129      00:00:0c:07:ac:0a  UHLW      2    52  vlan12  1107
x.y.z.130      00:d0:03:8a:9b:fc  UHLW      1     0  vlan12  1147
x.y.z.131      00:d0:03:8a:9b:fd  UHLW      1     0  vlan12  1144
x.y.z.133/32   link#11            UC        0     0  vlan12
x.y.z.134/32   link#11            UC        0     0  vlan12
x.y.z.135/32   link#11            UC        0     0  vlan12
x.y.z.136/32   link#11            UC        0     0  vlan12
x.y.z.137/32   link#11            UC        0     0  vlan12
x.y.z.138/32   link#11            UC        0     0  vlan12
x.y.z.139/32   link#11            UC        0     0  vlan12
x.y.z.140/32   link#11            UC        0     0  vlan12
x.y.z.141/32   link#11            UC        0     0  vlan12
---

ifconfig vlan128
---
vlan128: flags=8843 metric 0 mtu 1500
   options=3
   ether 00:1e:c9:ad:fa:c9
   inet x.y.z.132 netmask 0xffffffe0 broadcast x.y.z.159
   inet x.y.z.133 netmask 0xffffffff broadcast x.y.z.133
   inet x.y.z.134 netmask 0xffffffff broadcast x.y.z.134
   inet x.y.z.135 netmask 0xffffffff broadcast x.y.z.135
   inet x.y.z.136 netmask 0xffffffff broadcast x.y.z.136
   inet x.y.z.137 netmask 0xffffffff broadcast x.y.z.137
   inet x.y.z.138 netmask 0xffffffff broadcast x.y.z.138
   inet x.y.z.139 netmask 0xffffffff broadcast x.y.z.139
   inet x.y.z.140 netmask 0xffffffff broadcast x.y.z.140
   inet x.y.z.141 netmask 0xffffffff broadcast x.y.z.141
   media: Ethernet autoselect (1000baseTX )
   status: active
   vlan: 128 parent interface: bce0
---

Tests:
No problem when I try to ping the default gateway from my fw
No problem when I ping my fw from an external internet address

Problems:
- I cannot ping the router from one of the aliased address:
   ping -S x.y.z.133 x.y.z.129
- I cannot ping the aliased addresses from an external internet address

Note : I can see the packets with tcpdump travelling from and to the aliased
address. It seems the interface won't process them for some reason.

This seems suspiciously like a bug to me...

--
(previous message on vlan + carp +alias)
--


> Primeroz lists wrote:
>> What is tcpdump showing for ping on 192.168.10.11 ? can you see echo reply
>> exiting vlan10 interface ?
>>
>> what if you try from your server to "ping -S 192.168.10.11 192.168.10.254" ?
>
> First of all I'm sorry for the late reply. Yesterday I could do some more
> in-depth test to analyze this strange behavior of my firewall.
>
> The 192.168.10.0/24 range I used in the previous example isn't the real
> one, I just used it for simplicity's sake.
> The true range, the one which has been assigned by the ISP to my customer
> is: x.y.z.128/27. (x.y.z corresponds to a true public IP address)
>
> I've deactivated the firewall, so we have one less thing to worry about:
> /etc/rc.d/pf stop
> This is a pure network configuration issue.
>
> Here is the relevant part in /etc/rc.conf:
> ---
> ...
> ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
> ...
> cloned_interfaces="vlan5 vlan25 vlan30

Re: Problems with vlan + carp + alias

2008-06-22 Thread Giulio Ferro

Primeroz lists wrote:
> What is tcpdump showing for ping on 192.168.10.11 ? can you see echo reply
> exiting vlan10 interface ?
>
> what if you try from your server to "ping -S 192.168.10.11 192.168.10.254" ?





First of all I'm sorry for the late reply. Yesterday I could do some more
in-depth test to analyze this strange behavior of my firewall.

The 192.168.10.0/24 range I used in the previous example isn't the real
one, I just used it for simplicity's sake.
The true range, the one which has been assigned by the ISP to my customer
is: x.y.z.128/27. (x.y.z corresponds to a true public IP address)

I've deactivated the firewall, so we have one less thing to worry about:
/etc/rc.d/pf stop
This is a pure network configuration issue.

Here is the relevant part in /etc/rc.conf:
---
...
ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
...
cloned_interfaces="vlan5 vlan25 vlan30 vlan40 vlan128 carp5 carp25 carp30 carp40 carp128"

...
ifconfig_vlan128="inet x.y.z.157 netmask 255.255.255.224 vlan 128 vlandev bce0"

...
ifconfig_carp128="vhid 128 pass qweq x.y.z.132 netmask 255.255.255.255"
ifconfig_carp128_alias0="x.y.z.133 netmask 255.255.255.255"
ifconfig_carp128_alias1="x.y.z.134 netmask 255.255.255.255"
ifconfig_carp128_alias2="x.y.z.135 netmask 255.255.255.255"
ifconfig_carp128_alias3="x.y.z.136 netmask 255.255.255.255"
ifconfig_carp128_alias4="x.y.z.137 netmask 255.255.255.255"
ifconfig_carp128_alias5="x.y.z.138 netmask 255.255.255.255"
ifconfig_carp128_alias6="x.y.z.139 netmask 255.255.255.255"
ifconfig_carp128_alias7="x.y.z.140 netmask 255.255.255.255"
ifconfig_carp128_alias8="x.y.z.141 netmask 255.255.255.255"
...
defaultrouter="x.y.z.129"
---

On my managed switch I've set 2 ports:
1) the one where the bce0 interface is plugged in : mode trunk with all
the vlans above
2) the one where the ISP internet is plugged in : mode access with vlan 128

I've also set the ip interface of my switch to x.y.z.155 vlan 128


Here is the relevant part of netstat -rn on my machine
---
Destination    Gateway            Flags  Refs    Use  Netif  Expire
default        x.y.z.129          UGS       0  13966  vlan12
x.y.z/27       link#11            UC        0      0  vlan12
x.y.z.132      x.y.z.132          UH        0      0  carp12
x.y.z.133      x.y.z.133          UH        0      0  carp12
x.y.z.134      x.y.z.134          UH        0      0  carp12
x.y.z.135      x.y.z.135          UH        0      0  carp12
x.y.z.136      x.y.z.136          UH        0      0  carp12
x.y.z.137      x.y.z.137          UH        0      0  carp12
x.y.z.138      x.y.z.138          UH        0      0  carp12
x.y.z.139      x.y.z.139          UH        0      0  carp12
x.y.z.140      x.y.z.140          UH        0      0  carp12
x.y.z.141      x.y.z.141          UH        0      0  carp12
x.y.z.155      00:1e:c9:90:4a:c0  UHLW      1      8  vlan12  1183
---



Here come the tests.
1) From the firewall : basic
I can ping both the default gateway (x.y.z.129) and the switch interface
(x.y.z.155)
I can ping a generic internet address (a.b.c.d)
With tcpdump I can see the packets leaving as x.y.z.157 and coming with
the same address

2) from the switch : basic
I can ping the firewall's vlan address (x.y.z.157)
I can ping _ALL_ the carp interfaces, base and alias:
   ping x.y.z.157 -> OK
   ping x.y.z.132 -> OK
   ping x.y.z.133 -> OK
   ...
   ping x.y.z.141 -> OK

3) from the internet : basic
From an external internet address I can ping the vlan address:
   ping x.y.z.157 -> OK

4) from the firewall : advanced
From the firewall I can ping the switch address from one of the carp
base and aliased address:
   ping -S x.y.z.132 x.y.z.155 -> OK
   ping -S x.y.z.133 x.y.z.155 -> OK

I _cannot_ ping the default router from one of the carp addresses:
   ping -S x.y.z.132 x.y.z.129 -> NOT OK
   ping -S x.y.z.133 x.y.z.129 -> NOT OK
By using tcpdump on the vlan128 interface I can see the packets
_BOTH_ leaving and coming from the carp addresses. It just seems
that the carp interfaces can't process the packets properly.

5) from the internet : advanced
From an external internet address I _cannot_ ping the carp addresses
(x.y.z.132 and up)
As above, I can see the incoming packets with
tcpdump -i vlan128 -n icmp


Ok, that was long. I hope someone can help to shed light into this, to see
whether this is a bug or not.
I stress again that the _same_ configuration works as it should on a
physical (non-vlan) interface.



Re: Problems with vlan + carp + alias

2008-06-19 Thread Primeroz lists
What is tcpdump showing for ping on 192.168.10.11 ? can you see echo reply
exiting vlan10 interface ?

what if you try from your server to "ping -S 192.168.10.11 192.168.10.254" ?



> Hi Primeroz, thanks for your answer.
> I set all the carp interfaces, both base and alias, to the
> 255.255.255.255 netmask as you suggested.
> This is my netstat now:
>
> ...
> 192.168.10.0/24  link#11        UC    0  0  vlan10
> 192.168.10.254   link#11        UHLW  2  0  vlan10
> 192.168.10.10    192.168.10.10  UH    0  0  carp10
> 192.168.10.11    192.168.10.11  UH    0  0  carp10
> 192.168.10.12    192.168.10.12  UH    0  0  carp10
> ...
>
> As you see, the 192.168.10.0/24 is routed through the vlan10 interface,
> and this should be correct.
>
> As before, I can ping 192.168.10.10, but not 192.168.10.11 and above.
>
> Could this be a bug of carp with alias interfaces?
>
> Thanks again.
> Giulio.
>


Re: Problems with vlan + carp + alias

2008-06-19 Thread Giulio Ferro

Primeroz lists wrote:
> Hi ,
>
> I think you should setup ALL the carp address as alias/32 , like this:
>
> ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.255"
> ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.255"
> ...
> ifconfig_carp10_aliasN="192.168.10.N netmask 255.255.255.255"
>
> and then please verify your routing table for everything on 192.168.10
>
> netstat -rn | grep 192.168.10
>
> What you should have is
>
> 192.168.10/24 .. vlan10
> 192.168.10.10   carp10
> ...
> 192.168.10.N  carp10
>
> this is because the NETWORK range should be routed always through the
> parent interface (vlan10 in this case) while all the carp addresses
> have to be treated as alias.
>
> if you check now probably you will find that the 192.168.10/24 is
> routed through your carp interface ... and that's wrong.
>
> Ciao
> Francesco

Hi Primeroz, thanks for your answer.
I set all the carp interfaces, both base and alias, to the
255.255.255.255 netmask as you suggested.
This is my netstat now:

...
192.168.10.0/24  link#11        UC    0  0  vlan10
192.168.10.254   link#11        UHLW  2  0  vlan10
192.168.10.10    192.168.10.10  UH    0  0  carp10
192.168.10.11    192.168.10.11  UH    0  0  carp10
192.168.10.12    192.168.10.12  UH    0  0  carp10
...

As you see, the 192.168.10.0/24 is routed through the vlan10 interface,
and this should be correct.


As before, I can ping 192.168.10.10, but not 192.168.10.11 and above.

Could this be a bug of carp with alias interfaces?

Thanks again.
Giulio.


Re: Problems with vlan + carp + alias

2008-06-19 Thread Primeroz lists
Hi ,

I think you should setup ALL the carp address as alias/32 , like this:

ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.255"
ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.255"
...
ifconfig_carp10_aliasN="192.168.10.N netmask 255.255.255.255"

and then please verify your routing table for everything on 192.168.10

netstat -rn | grep 192.168.10

What you should have is

192.168.10/24 .. vlan10
192.168.10.10  carp10
...
192.168.10.N  carp10

this is because the NETWORK range should be routed always through the parent
interface (vlan10 in this case) while all the carp addresses have to be
treated as alias.

if you check now probably you will find that the 192.168.10/24 is routed
through your carp interface ... and that's wrong.

Ciao
Francesco

On Thu, Jun 19, 2008 at 10:37 AM, Giulio Ferro <[EMAIL PROTECTED]> wrote:

> Han Hwei Woo wrote:
>
>> Hi Giulio,
>>
>> Since the IP's are on the same subnet, you should try using a netmask of
>> 255.255.255.255 on the aliases.
>>
>>
> Hi Han,
> Sorry no, changing the mask to 255.255.255.255 of the aliases doesn't
> change the situation.
> Anyway exactly the same configuration works with non-vlan physical
> interfaces.
>
> Note: I can ping the aliased addresses on the local machine; I can't ping
> those addresses from
> other machine on the same vlan.
>
>
> Giulio.
>
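Two pieces of advice in this thread can be checked mechanically: Francesco's rule above that the subnet route must stay on the parent (vlan) interface while every address on a legacy carpN interface is a /32, and the two-node pairing implicit in Freddie Cash's 10.x-style setup earlier on this page, where vhid, pass and advskew are options of the vlan interface's own address. The following is an added example, not code from any poster: a Python parser for the ifconfig_* lines of an rc.conf fragment, with a per-host check (no non-/32 address on a carpN interface, no subnet route installed twice) and a pair check (every vhid on both nodes, same pass, different advskew). The LEGACY_* and NODE_A fragments are taken from the thread's own messages; NODE_B is a constructed peer, and treating an address with neither prefix nor netmask as a /32 is an assumption of this checker, not ifconfig's rule.

```python
"""Sanity checks for CARP addresses in FreeBSD rc.conf fragments (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_KEY_RE = re.compile(r'^ifconfig_([A-Za-z0-9_]+?)(_alias\d+)?="(.*)"\s*$')
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
# ifconfig keywords that consume one argument; anything else is a bare flag
_ONE_ARG = {"vhid", "advskew", "advbase", "pass", "netmask", "vlan", "vlandev", "mtu"}


@dataclass
class Addr:
    iface: str
    ip: ipaddress.IPv4Interface
    vhid: Optional[int]
    advskew: int               # ifconfig's default is 0 when not given
    passwd: Optional[str]


def _parse_args(iface: str, args: str) -> Optional[Addr]:
    opts, ip, toks, i = {}, None, args.split(), 0
    while i < len(toks):
        if toks[i] in _ONE_ARG and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
            continue
        if _IPV4_RE.match(toks[i]):
            ip = toks[i]
        i += 1
    if ip is None:                 # e.g. ifconfig_em2="up": no address at all
        return None
    if "/" not in ip:
        # Assumption: no prefix and no netmask means a host (/32) address.
        ip = f"{ip}/{opts.get('netmask', '255.255.255.255')}"
    return Addr(iface, ipaddress.ip_interface(ip),
                int(opts["vhid"]) if "vhid" in opts else None,
                int(opts.get("advskew", 0)), opts.get("pass"))


def parse_rcconf(text: str) -> List[Addr]:
    """Collect every address (base and _aliasN) from the ifconfig_* lines."""
    out = []
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if m:
            addr = _parse_args(m.group(1), m.group(3))
            if addr:
                out.append(addr)
    return out


def check_host(addrs: List[Addr]) -> List[str]:
    """One interface owns each subnet route; a legacy carpN interface is /32 only."""
    problems, owner = [], {}
    for a in addrs:
        net = a.ip.network
        if net.prefixlen == 32:
            continue
        if a.iface.startswith("carp"):
            problems.append(f"{a.iface}: {a.ip} is not /32, {net} would be routed via the carp interface")
        elif net in owner:
            problems.append(f"{a.iface}: {a.ip} duplicates the {net} route already on {owner[net]}")
        else:
            owner[net] = a.iface
    return problems


def check_pair(host_a: List[Addr], host_b: List[Addr], names=("A", "B")) -> List[str]:
    """Cross-check two nodes: every vhid on both, same pass, a clear preferred master."""
    problems = []
    va = {a.vhid: a for a in host_a if a.vhid is not None}
    vb = {b.vhid: b for b in host_b if b.vhid is not None}
    for vhid in sorted(set(va) | set(vb)):
        if vhid not in va or vhid not in vb:
            only = names[0] if vhid in va else names[1]
            problems.append(f"vhid {vhid}: configured only on {only}, nothing to fail over to")
            continue
        a, b = va[vhid], vb[vhid]
        if a.passwd != b.passwd:
            problems.append(f"vhid {vhid}: pass differs, each node will reject the other's advertisements")
        if a.advskew == b.advskew:
            problems.append(f"vhid {vhid}: both nodes use advskew {a.advskew}, no preferred master")
    return problems


# Giulio Ferro's 2008-06-18 layout: the carp10 addresses share the /24 with vlan10.
LEGACY_BROKEN = """
ifconfig_vlan10="inet 192.168.10.1 netmask 255.255.255.0 vlan 10 vlandev bce0"
ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.0"
ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.0"
"""
# The same layout with Francesco's /32 fix applied.
LEGACY_FIXED = """
ifconfig_vlan10="inet 192.168.10.1 netmask 255.255.255.0 vlan 10 vlandev bce0"
ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.255"
ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.255"
"""
# Two VLANs from Freddie Cash's 10.x setup (NODE_A) and a constructed peer
# (NODE_B) whose vlan2000 entry kept the same advskew as NODE_A.
NODE_A = """
ifconfig_em2="up"
ifconfig_vlan1000="vhid 9 pass nxsp4ss1 advskew 128 10.1.0.1/16"
ifconfig_vlan2000="vhid 20 pass nxsp4ss2 advskew 128 12.24.13.97/27"
"""
NODE_B = """
ifconfig_vlan1000="vhid 9 pass nxsp4ss1 advskew 0 10.1.0.1/16"
ifconfig_vlan2000="vhid 20 pass nxsp4ss2 advskew 128 12.24.13.97/27"
"""

if __name__ == "__main__":
    print("legacy, /24 aliases:", check_host(parse_rcconf(LEGACY_BROKEN)))
    print("legacy, /32 aliases:", check_host(parse_rcconf(LEGACY_FIXED)))
    print("pair:", check_pair(parse_rcconf(NODE_A), parse_rcconf(NODE_B)))
```

The per-host check flags both carp10 addresses in the 06-18 layout and nothing once they are /32, and it is silent for the 10.x style because there the vhid address is the vlan interface's only address and legitimately owns the subnet route. The pair check catches the two mistakes that most often leave a pair with two masters or none: a pass that differs between the nodes, so neither accepts the other's advertisements, and an identical advskew, so neither is the preferred master.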


Re: Problems with vlan + carp + alias

2008-06-19 Thread Giulio Ferro

Han Hwei Woo wrote:
> Hi Giulio,
>
> Since the IP's are on the same subnet, you should try using a netmask
> of 255.255.255.255 on the aliases.

Hi Han,
Sorry no, changing the mask to 255.255.255.255 of the aliases doesn't
change the situation.
Anyway exactly the same configuration works with non-vlan physical
interfaces.

Note: I can ping the aliased addresses on the local machine; I can't
ping those addresses from other machine on the same vlan.


Giulio.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Problems with vlan + carp + alias

2008-06-18 Thread Han Hwei Woo

Hi Giulio,

Since the IP's are on the same subnet, you should try using a netmask of 
255.255.255.255 on the aliases.



Cheers,
Han Hwei Woo


Giulio Ferro wrote:

> Scenario : freebsd 7.0 stable amd64 (compiled today), bce network interface
>
> Simply put, I'm trying to create multiple aliases on the same carp
> interface.
>
> I did this without vlans (on physical interfaces) and it always worked.
>
> Here's what I do:
>
> ---rc.conf
> ...
> ifconfig_bce0="inet 192.168.1.1 netmask 255.255.255.0"
> ifconfig_vlan10="inet 192.168.10.1 netmask 255.255.255.0 vlan 10 vlandev bce0"
>
> ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.0"
> ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.0"
> ifconfig_carp10_alias1="192.168.10.12 netmask 255.255.255.0"
> ifconfig_carp10_alias2="192.168.10.13 netmask 255.255.255.0"
> ifconfig_carp10_alias3="192.168.10.14 netmask 255.255.255.0"
> ifconfig_carp10_alias4="192.168.10.15 netmask 255.255.255.0"
> ifconfig_carp10_alias5="192.168.10.16 netmask 255.255.255.0"
> ifconfig_carp10_alias6="192.168.10.17 netmask 255.255.255.0"
> ifconfig_carp10_alias7="192.168.10.18 netmask 255.255.255.0"
> ifconfig_carp10_alias8="192.168.10.19 netmask 255.255.255.0"
> ifconfig_carp10_alias9="192.168.10.20 netmask 255.255.255.0"
> ...
> ---
>
> First of all, whenever I try to reload a carp configuration by
> /etc/rc.d/netif restart the system goes kernel panic. I always have
> to restart the server to load the new configuration. This is not
> the core of the problem, however.
>
> If I issue a
> ifconfig carp10
> I can see all the aliases and the interface is in MASTER state.
>
> When I try to ping these addresses from another machine in the same
> vlan (10), I can only ping the vlan base address (192.168.10.10) and the
> first aliased address (192.168.10.11). All other aliases don't respond to
> external pings.
>
> If I try to inspect incoming packets with tcpdump :
> tcpdump -i vlan10 -n icmp
> I can see the packets coming in, but the other aliased addresses seem
> inactive.
>
> What is interesting is that an arp request actually takes place and
> is answered (all aliased ifs have the same mac address), but nobody
> responds to the ping but the first alias and the vlan base address.
>
> Does someone have any ideas?


Problems with vlan + carp + alias

2008-06-18 Thread Giulio Ferro

Scenario : freebsd 7.0 stable amd64 (compiled today), bce network interface

Simply put, I'm trying to create multiple aliases on the same carp
interface.

I did this without vlans (on physical interfaces) and it always worked.

Here's what I do:

---rc.conf
...
ifconfig_bce0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_vlan10="inet 192.168.10.1 netmask 255.255.255.0 vlan 10 vlandev bce0"

ifconfig_carp10="vhid 10 pass qweq 192.168.10.10 netmask 255.255.255.0"
ifconfig_carp10_alias0="192.168.10.11 netmask 255.255.255.0"
ifconfig_carp10_alias1="192.168.10.12 netmask 255.255.255.0"
ifconfig_carp10_alias2="192.168.10.13 netmask 255.255.255.0"
ifconfig_carp10_alias3="192.168.10.14 netmask 255.255.255.0"
ifconfig_carp10_alias4="192.168.10.15 netmask 255.255.255.0"
ifconfig_carp10_alias5="192.168.10.16 netmask 255.255.255.0"
ifconfig_carp10_alias6="192.168.10.17 netmask 255.255.255.0"
ifconfig_carp10_alias7="192.168.10.18 netmask 255.255.255.0"
ifconfig_carp10_alias8="192.168.10.19 netmask 255.255.255.0"
ifconfig_carp10_alias9="192.168.10.20 netmask 255.255.255.0"
...
---

First of all, whenever I try to reload a carp configuration by
/etc/rc.d/netif restart the system goes kernel panic. I always have
to restart the server to load the new configuration. This is not
the core of the problem, however.

If I issue a
ifconfig carp10
I can see all the aliases and the interface is in MASTER state.

When I try to ping these addresses from another machine in the same
vlan (10), I can only ping the vlan base address (192.168.10.10) and the
first aliased address (192.168.10.11). All other aliases don't respond to
external pings.

If I try to inspect incoming packets with tcpdump :
tcpdump -i vlan10 -n icmp
I can see the packets coming in, but the other aliased addresses seem
inactive.

What is interesting is that an arp request actually takes place and is
answered (all aliased ifs have the same mac address), but nobody responds
to the ping but the first alias and the vlan base address.

Does someone have any ideas?
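Francesco's reply earlier in the thread recommends two things for the rc.conf in this post: give every CARP address a /32 netmask so that none of them claims the whole 192.168.10/24 network, and confirm with `netstat -rn` that the network route stays on the parent vlan interface while the CARP addresses appear only as host routes. The script below is an added example, not code from any poster. It assumes FreeBSD rc.conf syntax as shown in the posts and a `netstat -rn` listing that has a `Netif` column (its position is read from the header line, because it differs between releases); the two routing tables in the script are constructed samples, one in the layout Francesco asks for and one with the network route wrongly on the carp interface. The interface names, vhid, password and addresses are taken from Giulio's rc.conf above.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes FreeBSD rc.conf syntax
# and a "netstat -rn" listing with a "Netif" column. The routing tables
# below are constructed samples, not captured output.

# carp_alias_lines CARPIF VHID PASS ADDR...
# Emit rc.conf lines for CARPIF: the first address goes on
# ifconfig_<carpif>, the rest on ifconfig_<carpif>_aliasN, all with a
# /32 netmask so no single address pulls in the network route.
carp_alias_lines() {
    carpif=$1; vhid=$2; pass=$3; shift 3
    n=0
    for addr in "$@"; do
        if [ "$n" -eq 0 ]; then
            printf 'ifconfig_%s="vhid %s pass %s %s netmask 255.255.255.255"\n' \
                "$carpif" "$vhid" "$pass" "$addr"
        else
            printf 'ifconfig_%s_alias%d="%s netmask 255.255.255.255"\n' \
                "$carpif" "$((n - 1))" "$addr"
        fi
        n=$((n + 1))
    done
}

# route_netif DEST   (reads netstat -rn output on stdin)
# Print the Netif column of the row whose Destination is exactly DEST.
# The column index is taken from the header line, so the function works
# whether or not the Refs/Use columns are present.
route_netif() {
    awk -v d="$1" '
        /^Destination/ { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        col && $1 == d { print $col }'
}

# check_carp_routes NET PARENT CARPIF ADDR...   (netstat -rn output on stdin)
# Return 0 when NET is routed via PARENT and every ADDR is a host route via
# CARPIF; otherwise report each mismatch and return 1.
check_carp_routes() {
    net=$1; parent=$2; carpif=$3; shift 3
    table=$(cat)
    rc=0
    netif=$(printf '%s\n' "$table" | route_netif "$net")
    if [ "$netif" != "$parent" ]; then
        echo "network $net routed via '${netif:-(none)}', expected $parent"
        rc=1
    fi
    for addr in "$@"; do
        hostif=$(printf '%s\n' "$table" | route_netif "$addr")
        if [ "$hostif" != "$carpif" ]; then
            echo "host $addr routed via '${hostif:-(none)}', expected $carpif"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the layout Francesco asks for (network on vlan10,
# CARP addresses as host routes on carp10).
GOOD_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
192.168.1/24       link#1             UC          0        0   bce0
192.168.10/24      link#5             UC          0        0 vlan10
192.168.10.10      link#6             UHS         0        0 carp10
192.168.10.11      link#6             UHS         0        0 carp10'

# Constructed sample: the wrong layout, network route on the carp interface.
BAD_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
192.168.1/24       link#1             UC          0        0   bce0
192.168.10/24      link#6             UC          0        0 carp10
192.168.10.10      link#6             UHS         0        0 carp10
192.168.10.11      link#6             UHS         0        0 carp10'

# Usage: print the /32 rc.conf lines, then check both sample tables.
carp_alias_lines carp10 10 qweq 192.168.10.10 192.168.10.11 192.168.10.12
printf '%s\n' "$GOOD_TABLE" | check_carp_routes 192.168.10/24 vlan10 carp10 192.168.10.10 192.168.10.11 \
    && echo "GOOD_TABLE: routing layout ok"
printf '%s\n' "$BAD_TABLE" | check_carp_routes 192.168.10/24 vlan10 carp10 192.168.10.10 192.168.10.11 \
    || echo "BAD_TABLE: network route on the carp interface, as Francesco warned"
```

On a live system the check is `netstat -rn | check_carp_routes 192.168.10/24 vlan10 carp10 192.168.10.10 ... 192.168.10.20`; pass the network destination spelled the way your release's `netstat` prints it, since older releases compress trailing zero octets (`192.168.10/24`) while newer ones print `192.168.10.0/24`.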