Documentation suggestion of NOT using /32 for the VIP seems wrong
-
"Incorrect Subnet Mask
The real subnet mask must be used for a CARP VIP, not /32. This must match the subnet mask for the IP address on the interface to which the CARP VIP is assigned."
Source address selection on a machine I'm using for example has decided to use the VIP as the source when the carp status is BACKUP. This is clearly wrong as return packets never reach me and instead go to the machine that's PRIMARY.
Looking at the FreeBSD documentation their examples in fact use the /32.
https://docs.freebsd.org/en/books/handbook/advanced-networking/#carp
Clearly using /32 would solve the issue I'm seeing.
So who's wrong? -
I also wanted to point out that older FBSD documentation pointed out the distinction:
https://docs-archive.freebsd.org/doc/13.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html
In short, pre-FBSD 10 it was the mask of the interface; 10+ it was a /32.
It'd be nice to get some clarification here regarding pfSense. They are indeed on a FBSD later than 10.
-
These limitations on posting are horrible. Anyways....
In short, I believe that when the VIP is the only IP address in a given network and is used as CARP amongst several machines, the netmask has to be set accordingly, whether that be a /24, /22, etc.
If, however, the VIP is being added as another IP within an already defined network, it should be a /32.
-
Alright last post from me. Leaving it here so someone can find it.
The documentation concerning carp is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface."
The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook.
The distinction that I initially missed, but now have reread and understand, is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, the network for that VIP should in fact be whatever that network is. Otherwise it should be a /32.
Let's put it this way for a further understanding (pseudo interface configuration):
Server 1 (Primary):
ifconfig em0 inet 192.168.10.1/24
ifconfig em0 inet 192.168.0.2/24 alias
ifconfig em0 vhid 1 advskew 0 pass mekmitasdigoat 192.168.0.1/24 alias
Server 2 (Backup):
ifconfig em0 inet 192.168.10.2/24
ifconfig em0 inet 192.168.0.3/24 alias
ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
In the above example, if the OS chooses the VIP of 192.168.0.1/24 as the source for packets sent from Backup, Backup will never see the response, as it will go to Primary instead. Going to Primary is the expected part. Source selection of 192.168.0.1 is the unexpected part, but it's unexpected because the Netgate documentation is just wrong, as this VIP should have been a /32.
Documentation where the VIP isn't a /32, on which Netgate is correct:
Server 1 (Primary):
ifconfig em0 inet 192.168.10.1/24
ifconfig em0 inet 192.168.1.1/24 alias
ifconfig em0 vhid 1 advskew 0 pass mekmitasdigoat 192.168.0.1/24 alias
Server 2 (Backup):
ifconfig em0 inet 192.168.10.2/24
ifconfig em0 inet 192.168.1.2/24 alias
ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
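As an added example (not part of the thread, and not Netgate's or FreeBSD's own tooling), the following Python script applies the rule the last post arrives at to FreeBSD-style ifconfig output: a CARP address that shares a subnet with a non-CARP address on the same interface is flagged unless it is a /32, and a /32 CARP address with no other address in its network is flagged so the real mask can be used instead. The output embedded in SAMPLE_IFCONFIG is constructed for the example, with addresses mirroring the first (wrong) scenario above, and the regexes assume the `inet ADDR netmask 0xHEX ... vhid N` line format of FreeBSD 10+ ifconfig.

```python
import ipaddress
import re

# Constructed FreeBSD-style ifconfig output (not captured from a real host).
# em0 mirrors the "wrong" scenario from the post: the CARP VIP 192.168.0.1 is
# a second address in an already-configured 192.168.0.0/24, but was given the
# interface's /24 instead of /32. em1 carries a VIP that is the only address
# in its network, so its real mask (/24) is the right one.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
\tinet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 172.16.5.1 netmask 0xffffff00 broadcast 172.16.5.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
# Assumed FreeBSD 10+ format: "inet ADDR netmask 0xHEX broadcast ... [vhid N]"
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)(?:.*\bvhid (\d+))?")


def parse_ifconfig(text):
    """Map interface name -> list of (IPv4Interface, vhid or None)."""
    addrs = {}
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = INET_RE.match(line)
        if m and iface is not None:
            addr, mask_hex, vhid = m.groups()
            # Hex netmask -> prefix length (0xffffff00 -> 24, 0xffffffff -> 32)
            prefix = bin(int(mask_hex, 16)).count("1")
            addrs[iface].append(
                (ipaddress.ip_interface(f"{addr}/{prefix}"), int(vhid) if vhid else None)
            )
    return addrs


def check_carp_masks(addrs):
    """Return (iface, vhid, vip, reason) for CARP addresses whose mask breaks the rule."""
    findings = []
    for iface, entries in addrs.items():
        real = [a for a, vhid in entries if vhid is None]
        for vip, vhid in entries:
            if vhid is None:
                continue
            # Non-CARP addresses on this interface whose network already contains the VIP
            shared = [r for r in real if vip.ip in r.network]
            if shared and vip.network.prefixlen != 32:
                findings.append((iface, vhid, str(vip),
                    f"shares {shared[0].network} with {shared[0].ip}; configure the VIP as /32"))
            elif not shared and vip.network.prefixlen == 32:
                findings.append((iface, vhid, str(vip),
                    "only address in its network; configure the VIP with the real subnet mask"))
    return findings


if __name__ == "__main__":
    for iface, vhid, vip, reason in check_carp_masks(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{iface} vhid {vhid} {vip}: {reason}")
```

Feed it `ifconfig -a` output from each cluster node and compare the findings between them; a VIP flagged on one node but not the other usually means the interface aliases, not the VIP, differ between the two hosts.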