I need to make a scheme like this work:
http://i.imgur.com/1xsXX.png
So, I have 3 servers: in, out1 and out2. out1 and out2 are plugged into one switched environment, so they can see each other on layer 2, which is bad for me, because they can create a switching loop in some cases. out1 and out2 connect with OpenVPN to "in" in bridged configuration; the tap interfaces have no addresses.
Then I create bridge interfaces on all servers, add only the tap0 interface to bridge0 on each server, and configure each bridge0 interface with an address from the 10.0.0.0/24 subnet. At this point everything is working and the servers can ping each other's 10.0.0.0/24 addresses.
Then I want to make carp work on out1 and out2 on the bridge0-tap0 pair, but if I configure the carp0 interface to work in the 10.0.0.0/24 subnet, it stays in INIT state forever. So this is my first question: why won't carp work on a bridge0-tap0 interface?
If I bridge the tap0 and em0 interfaces on out1 and out2, then carp on both servers gets into MASTER state, I get a switching loop, and when I use tcpdump on the bridge0 interfaces (-i bridge0 net 10.0.0.0/24), on out1 I see ONLY vrrp advertisements from out2 (no advertisements from out1), on out2's bridge0 I see ONLY advertisements from out1, and on "in"'s bridge0 I see advertisements from both servers, and nothing works.
So, here's the second question: how do I make things work in this case? STP? But how do I configure it, and which interfaces do I put into STP? And will my precious carp work with STP?
I'm creating the carp0 interface with these commands:
Code:
/sbin/ifconfig carp0 create
/sbin/ifconfig carp0 vhid 1 advskew 10 pass jkbsvdreg 10.0.0.10/24
/sbin/sysctl net.inet.carp.preempt=1
/sbin/sysctl net.inet.carp.drop_echoed=1
Then I see in the log:
Code:
Oct 5 17:11:49 220 kernel: bridge0: promiscuous mode enabled
The carp interface is:
Code:
carp0: flags=8<LOOPBACK> metric 0 mtu 1500
inet 10.0.0.10 netmask 0xffffff00
carp: INIT vhid 1 advbase 1 advskew 10
If I do ifconfig carp0 up I see this error in /var/log/messages:
Code:
Oct 5 17:15:13 220 kernel: ifa_add_loopback_route: insertion failed
and the carp interface comes up:
Code:
carp0: flags=9<UP,LOOPBACK> metric 0 mtu 1500
inet 10.0.0.10 netmask 0xffffff00
carp: INIT vhid 1 advbase 1 advskew 10
I know, I know, carp should bring the interface up by itself; I'm just trying everything.
And besides those messages I don't see anything in the log from carp.
Here are the sysctls:
Code:
# sysctl -a | grep carp
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 2
net.inet.carp.arpbalance: 0
net.inet.carp.drop_echoed: 1
net.inet.carp.suppress_preempt: 1
The system is 8.2-R.
Interfaces on out1/2:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:06:a7:ee
inet x.x.x.220 netmask 0xffffff00 broadcast x.x.x.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 00:25:90:06:a7:ef
media: Ethernet autoselect
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:39:50:01:00
Opened by PID 1521
bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 56:7e:c1:dc:ff:2f
inet 10.0.0.20 netmask 0xff000000 broadcast 10.255.255.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 4 priority 128 path cost 2000000
carp0: flags=8<LOOPBACK> metric 0 mtu 1500
inet 10.0.0.10 netmask 0xffffff00
carp: INIT vhid 1 advbase 1 advskew 10
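As an added diagnostic example (not part of the original post), a small Python parser for ifconfig output in the format pasted above: it lists each carp interface with its state and the multicast-capable interface whose subnet contains the carp address, and notes when the two netmasks differ. The sample input is constructed from the bridge0 and carp0 blocks above, where bridge0 carries 10.0.0.20 with netmask 0xff000000 and carp0 carries 10.0.0.10 with 0xffffff00; the function names are my own.

```python
import ipaddress
import re

# Constructed sample, copied from the bridge0 and carp0 blocks pasted in the post.
SAMPLE_IFCONFIG = """\
bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.20 netmask 0xff000000 broadcast 10.255.255.255
carp0: flags=8<LOOPBACK> metric 0 mtu 1500
    inet 10.0.0.10 netmask 0xffffff00
    carp: INIT vhid 1 advbase 1 advskew 10
"""

HEADER = re.compile(r"^(\w+): flags=\w+<([^>]*)>")
INET = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")
CARP = re.compile(r"^\s+carp: (\w+) vhid (\d+)")

def parse_ifconfig(text):
    """Parse ifconfig(8) output into {name: {"flags", "inet", "carp"}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = ifaces[m.group(1)] = {"flags": set(m.group(2).split(",")), "inet": [], "carp": None}
        elif cur is None:
            continue
        elif m := INET.match(line):
            # FreeBSD prints the netmask in hex; convert to dotted quad for ipaddress
            mask = str(ipaddress.IPv4Address(int(m.group(2), 16)))
            cur["inet"].append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
        elif m := CARP.match(line):
            cur["carp"] = (m.group(1), int(m.group(2)))  # (state, vhid)
    return ifaces

def carp_findings(ifaces):
    """Return (carp_if, state, candidate_parent, note) for every carp address."""
    out = []
    for name, info in ifaces.items():
        if info["carp"] is None:
            continue
        for cip in info["inet"]:
            # candidate parent: multicast-capable, non-carp interface whose subnet contains the carp address
            cands = [(n, i) for n, d in ifaces.items()
                     if n != name and d["carp"] is None and "MULTICAST" in d["flags"]
                     for i in d["inet"] if cip.ip in i.network]
            if not cands:
                out.append((name, info["carp"][0], None, "no interface has an address in the same subnet"))
            for n, i in cands:
                note = ("ok" if i.network.prefixlen == cip.network.prefixlen else
                        f"netmask mismatch: {n} is /{i.network.prefixlen}, {name} is /{cip.network.prefixlen}")
                out.append((name, info["carp"][0], n, note))
    return out
```

Run it on the real output with `parse_ifconfig(subprocess.check_output(["ifconfig"], text=True))`; a netmask mismatch or missing candidate is only a hint of where to look, not a diagnosis.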