CARP paquets dropped by the switch

[mike99]

I'm working on OpenBSD firewalls with CARP load-balancing and the switch seem to drop the CARP advertisement paquets.

OpenBSD 1 LAN = 192.168.102.2/24
OpenBSD 2 LAN = 192.168.102.3/24
OpenBSD carp0 pseudo-interface bonded to the LAN on each BSD router share 192.168.102.1/24
VLAN are configured fine since 192.168.102.2 and 192.168.102.3 can ping each other but carp interface is master / master on each group when it should be master / salve on the first and slave / master on the second. It's meen that CARP is not able to comunicate. If I plug them directly at each other without passing through the switch, CARP state are fine ( master / slave and slave / master).

If I look the port stat where the BSD LAN is plug, I see both receive Size Counters Rx 64-127 Bytes and Rx Drops increase at the same rate around 1 by seconds while CARP advertisement paquet is set to 1 seconds. I changed advertise to 30 seconds and those stats increase a lot slower.
CARP balancing is in ip mode that use a multicast mac-address. I will try in ip-stealth mode instead that will hiden the mac-address instead and force the switch to broadcast on every port of the same VLAN.

[mike99]

In ip mode, if I ping each others, I see the mac-address of the device in the mac table but I don't see the carp0 multicast mac address.

[mike99]

In ip-stealth mode, it seem to work since the state are now master/slave and slave/master.

Mac-address use by the carp0 interface on both router in ip mode:
lladdr 01:00:5e:00:01:01

On the mac-address of the second switch:
00-00-5e-00-01-01 12 4002 ICANN, IANA Department Unknown

On the switch that show the mac-address, I still see the rx paquets droped increase around every seconds.

[mike99]

I forgetted, firmware 1.3.3r5. No log both for the switch or linux. Multicast is activated on every ports.

[mike99]

Even with ip-stealth, the're strange biavior. With hidden mac address, traffic should be broadcast on every port of the VLAN until the switch learn the mac-address of the device with the associated IP address but it's not the case. With tcpdump, I see the traffic hit only one of the the BSD, never never never never randomly,never both at same time like unknown mac-address traffic should.

OpenBSD em4 carp0 192.168.102.1/24 - WS12-250A port 12 VLAN 4002 untag / port 13-14 VLAN 4002 tag
############################### WS24-400A VLAN 4002 port 25,26 tag ------------------------------------- My PC on port 20 untag 4002
OpenBSD em4 carp0 192.168.102.1/24 - WS12-250A port 12 VLAN untag (BSD) / port 13-14 VLAN 4002 tag
The trafic pass through VLAN 4002.
It's the better shema I can do since we can make several space and can upload image.

SFP 13 and 14 or 25 and 26 are all linked between them for high availibility with RSTP enabled on those ports.

[Eric Stern]

Do you have IGMP snooping enabled?

https://doc.pfsense.org/index.php/CARP_ ... r_2_Issues

[mike99]

Thanks Eric for the answer, I will try it tomorrow.

[mike99]

Do you have IGMP snooping enabled?

No, it was disabled. I tryed with it enabled and disabled with the same result. In IP mode, CARP advertisement are always drop. I have also test with several switch including HP Procurve 2530-24G, a D-Link unmanaged switch and a Mikrotik RB750UP in the switch side of the router (pass the whole day on it ). Every other switchs have the same behaviors except for the Mikrotik working fine in IP mode (won't block CARP advertisements).

It would be great if it could work with Netonix, else I would need to put 2 Tik switch between the BSDs and the Netonix . Is the're any way to find out why it's block (only while not hidding the mac-address) so I could try to find a way to work around this ?

Thanks

[sirhc]

Eric is working on v1.3.3rcX right now. When he is finished working with me on this over the next few days maybe he can work with you to figure this out.

[Eric Stern]

Even with IGMP snooping disabled there is still a chance it could be interfering. You can try this
edit /etc/init.d/vtss_appl
remove the -i option on line 9 (this enabled igmp snooping)
run "/etc/init.d/vtss_appl restart"

And then test again.