Solved CARP on /30 subnet

[jbo@]

Hello folks,

I have the following situation:

                                                +-----------+
                                172.31.255.6/24 |           | 192.168.100.1/24
                                       +--------+  silver1  +---------+
                                       |        |           |         |           192.168.100.222/24
          +-----------+                |        +-----------+         |                +-----------+
          |           |                |                              |                |           |
+---------+  ISP GW   +----------------+                              +----------------+  client1  |
          |           |172.31.255.5    |                              |                |           |
          +-----------+                |        +-----------+         |                +-----------+
                                       |        |           |         |
                                       +--------+  silver2  +---------+
                                172.31.255.6/24 |           | 192.168.100.1/24
                                                +-----------+

• ISP GW is a router/modem provided by the ISP (somewhat locked in). It's running in "IP passthrough" mode which essentially forwards all traffic.
• silver1 and silver2 are two identical machines that are supposed to act as a gateway/router for the clients in the LAN behind them
• client1 represents one of the many LAN clients that access the internet through silver1 and silver2
• There's also a dedicated patch cable directly connecting silver1 to silver2 for pfsync(4).

I'm using CARP for failover / virtual IP address handling. The basic CARP setup is working. However, silver2 never manages to access the internet, even if the two CARP interfaces (192.168.100.1/24 and 172.31.255.6/24) are in MASTER mode.
Here's /etc/rc.conf of silver1:

# PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_flags=""
pfsync_enable="YES"
pfsync_syncdev="igb4"

# Network
ifconfig_igb0="inet 192.168.8.12/24 up"
ifconfig_igb1="inet 192.168.1.12/24 up"  # DNS access
ifconfig_igb2="inet 192.168.100.2/24 up"
ifconfig_igb2_alias0="inet vhid 1 advskew 100 pass verysecret alias 192.168.100.1/24 up"
ifconfig_igb3="inet 172.31.255.7/24 up"
ifconfig_igb3_alias0="inet vhid 2 advskew 100 pass verysecret alias 172.31.255.6/24 up"
ifconfig_igb4="inet 192.168.255.1/24 up"
defaultrouter="172.31.255.5"

# Routing
gateway_enable="YES"

and here's /etc/rc.conf of silver2:

# PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_flags=""
pfsync_enable="YES"
pfsync_syncdev="igb4"

# Networking
ifconfig_igb0="inet 192.168.8.18/24 up"
ifconfig_igb1="inet 192.168.1.18/24 up"  # DNS access
ifconfig_igb2="inet 192.168.100.3/24 up"
ifconfig_igb2_alias0="inet vhid 1 advskew 200 pass verysecret alias 192.168.100.1/24 up"
ifconfig_igb3="inet 172.31.255.8/24 up"
ifconfig_igb3_alias0="inet vhid 2 advskew 200 pass verysecret alias 172.31.255.6/24 up"
ifconfig_igb4="inet 192.168.255.2/24 up"
defaultrouter="172.31.255.5"

# Routing
gateway_enable="YES"

So as mentioned CARP itself is working (correctly setup with preemption as explained in the documentation & examples) but silver2 never gets internet access. In fact, it can never ping 172.31.255.5. I did re-read the "IP Passthrough Guide" documentation provided by the ISP and came across the following info:

The incoming Internet traffic on your WAN-IP address is routed onward to the subnet 172.31.255.4/30 via LAN port 1 in Centro Business. A host with the IP address 172.31.255.6 can be connected to LAN port 1. The gateway for this host is the IP 172.31.255.5. This configuration allows a firewall, for example, to be connected to LAN port 1, and the customer LAN can be operated behind the firewall. Hosts connected to LAN ports 2–4 and those connected via WLAN can access the Internet via CB. The CB guest WLAN can also be used.

"Centrino Business" is what they call their router.

So apparently my network mask on igb3 is wrong. I have never worked with CARP directly before. How would one configure my setup to work with "172.31.255.4/30" here?

 

[usdmatt]

Well for a start you'd want to change the netmasks in your config from /24 to /30 obviously.

The first problem is that the .4/30 network only covers 4 addresses - 4,5,6,7, and two of them can't be used. (4 is network address, which some systems let you use, but you're better off not, and 7 is broadcast). They've used this mask specifically because they expect you to just have a single device connected, with .5 their end and .6 on yours. As such you can't use 7 & 8 like you have.

I *think* you can get away without actually having a default IP on the interface, although I can't easily find confirmation of that. (A fixed address makes it easy to connect to either of the systems without having to use the carp address, but you can just connect via the LAN in your case). I may be wrong on this though, and you only have .6 available.

 

[jbo@]

Thank you for your explanation - I'm aware of the fact that I don't have enough IPs which is what lead me to making this forum topic in the first place.

So what you're saying is that there is a small possibility that I can get away with something like this?

ifconfig_igb3=""  # Placeholder, just remove this line
ifconfig_igb3_alias0="inet vhid 2 advskew 200 pass verysecret alias 172.31.255.6/24 up"

I thought that the "native interface IP" is used for the CARP synchronization traffic?

Can somebody confirm that? Any disadvantages even if it would work? Are there any other solutions?

 

[jbo@]

So I gave this a try and it's actually working!
I also came along this forum topic which is very similar so I'd like to link it here for anyone that comes across this in the future: https://forums.freebsd.org/threads/routing-on-carp-interface-question.48443/. I saw that you already helped there as well.

For completeness, this is the configuration that actually works (/etc/rc.conf of silver1)

ifconfig_igb3="inet vhid 2 advskew 100 pass testpass alias 172.31.255.6/30 up"

Similar for silver2.