I'm working on OpenBSD firewalls with CARP load balancing and the switch seems to drop the CARP advertisement packets.
OpenBSD 1 LAN = 192.168.102.2/24
OpenBSD 2 LAN = 192.168.102.3/24
The OpenBSD carp0 pseudo-interfaces bonded to the LAN on each BSD router share 192.168.102.1/24
VLANs are configured fine since 192.168.102.2 and 192.168.102.3 can ping each other, but the carp interface is master / master on each group when it should be master / slave on the first and slave / master on the second. It means that CARP is not able to communicate. If I plug them directly into each other without passing through the switch, the CARP states are fine (master / slave and slave / master).
If I look at the port stats where the BSD LAN is plugged in, I see both the receive Size Counters Rx 64-127 Bytes and Rx Drops increase at the same rate, around 1 per second, while the CARP advertisement packet is set to 1 second. I changed the advertisement to 30 seconds and those stats increase a lot slower.
CARP balancing is in ip mode, which uses a multicast MAC address. I will try ip-stealth mode instead, which will hide the MAC address and force the switch to broadcast on every port of the same VLAN.
CARP packets dropped by the switch
-
mike99 - Associate
- Posts: 837
- Joined: Tue Nov 25, 2014 10:53 am
- Location: Quebec, Canada
- Has thanked: 95 times
- Been thanked: 245 times
Re: CARP packets dropped by the switch
In ip mode, if I ping each other, I see the MAC address of the device in the MAC table but I don't see the carp0 multicast MAC address.
-
mike99 - Associate
Re: CARP packets dropped by the switch
In ip-stealth mode, it seems to work since the states are now master/slave and slave/master.
MAC address used by the carp0 interface on both routers in ip mode:
lladdr 01:00:5e:00:01:01
On the mac-address of the second switch:
00-00-5e-00-01-01 12 4002 ICANN, IANA Department Unknown
On the switch that shows the MAC address, I still see the Rx packets dropped increase around every second.
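Added example, not part of the original post: the two addresses quoted above differ only in the lowest bit of the first octet (the I/G bit), which marks 01:00:5e:00:01:01 as a group address and 00:00:5e:00:01:01 as an individual address in the IANA virtual-router range. This Python sketch decodes both notations used in the thread; the function names are hypothetical.

```python
import re

def parse_mac(text):
    """Parse a MAC written with ':' or '-' separators (both appear in the thread)."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def classify(text):
    """Return the properties of a MAC that decide how a bridge handles it."""
    mac = parse_mac(text)
    group = bool(mac[0] & 0x01)   # I/G bit: 1 = group (multicast/broadcast)
    local = bool(mac[0] & 0x02)   # U/L bit: 1 = locally administered
    info = {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "group": group,
        "locally_administered": local,
        # RFC 1112 mapping: 01:00:5e followed by a 23-bit group suffix
        "ipv4_multicast": mac[:3] == b"\x01\x00\x5e" and mac[3] < 0x80,
        # IANA virtual-router range 00:00:5e:00:01:xx (xx = virtual host ID)
        "vrrp_virtual": mac[:5] == b"\x00\x00\x5e\x00\x01",
        "vhid": None,
        # Bridges learn only individual (non-group) source addresses
        "learnable_as_source": not group,
    }
    if info["vrrp_virtual"]:
        info["vhid"] = mac[5]
    return info

if __name__ == "__main__":
    # The two addresses quoted in the post above
    for sample in ("01:00:5e:00:01:01", "00-00-5e-00-01-01"):
        print(classify(sample))
```

The first address is reported as a group address that a bridge will not learn as a source, while the second is an individual address with virtual host ID 1.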
-
mike99 - Associate
Re: CARP packets dropped by the switch
I forgot, firmware 1.3.3r5. No log for either the switch or Linux. Multicast is activated on every port.
-
mike99 - Associate
Re: CARP packets dropped by the switch
Even with ip-stealth, there's strange behavior. With a hidden MAC address, traffic should be broadcast on every port of the VLAN until the switch learns the MAC address of the device with the associated IP address, but that's not the case. With tcpdump, I see the traffic hit only one of the BSDs, never randomly, never both at the same time like unknown MAC address traffic should.
OpenBSD em4 carp0 192.168.102.1/24 - WS12-250A port 12 VLAN 4002 untag / port 13-14 VLAN 4002 tag
############################### WS24-400A VLAN 4002 port 25,26 tag ------------------------------------- My PC on port 20 untag 4002
OpenBSD em4 carp0 192.168.102.1/24 - WS12-250A port 12 VLAN untag (BSD) / port 13-14 VLAN 4002 tag
The traffic passes through VLAN 4002.
It's the best schema I can do since we can make several space and can upload image.
SFP 13 and 14 or 25 and 26 are all linked between them for high availability with RSTP enabled on those ports.
Last edited by mike99 on Thu Sep 17, 2015 8:54 pm, edited 1 time in total.
-
Eric Stern - Employee
- Posts: 532
- Joined: Wed Apr 09, 2014 9:41 pm
- Location: Toronto, Ontario
- Has thanked: 0 time
- Been thanked: 130 times
-
mike99 - Associate
Re: CARP packets dropped by the switch
Thanks Eric for the answer, I will try it tomorrow.
-
mike99 - Associate
Re: CARP packets dropped by the switch
Eric Stern wrote: Do you have IGMP snooping enabled?
No, it was disabled. I tried with it enabled and disabled with the same result. In IP mode, CARP advertisements are always dropped. I have also tested with several switches including an HP Procurve 2530-24G, a D-Link unmanaged switch and a Mikrotik RB750UP on the switch side of the router (spent the whole day on it). Every other switch has the same behavior except for the Mikrotik, which works fine in IP mode (won't block CARP advertisements).
It would be great if it could work with Netonix, else I would need to put 2 Tik switches between the BSDs and the Netonix. Is there any way to find out why it's blocked (only while not hiding the MAC address) so I could try to find a way to work around this?
Thanks
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: CARP packets dropped by the switch
Eric is working on v1.3.3rcX right now. When he is finished working with me on this over the next few days maybe he can work with you to figure this out.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
Eric Stern - Employee
Re: CARP packets dropped by the switch
Even with IGMP snooping disabled there is still a chance it could be interfering. You can try this:
edit /etc/init.d/vtss_appl
remove the -i option on line 9 (this enabled igmp snooping)
run "/etc/init.d/vtss_appl restart"
And then test again.