Adding CARP address makes Proxy ARP fail…?

jimp

If the VIP must be on both nodes, it must be a CARP type VIP. You can either add CARP VIPs directly, using a unique VHID for each one – or alternately, add them as IP Aliases on top of the CARP VIP interface (a new thing in 2.x) that way you don't have to have a ton of VHIDs broadcast every second.

Jonb

I created the CARP address and put the subnet as /24 and then I address the additional VIP as IP alias. From what I understand this is correct but the trouble is the upstream router has the MAC for the backup firewall not the master for the VIP ip alias addresses.

marcelloc

@Jonb:

I created the CARP address and put the subnet as /24 and then I address the additional VIP as IP alias. From what I understand this is correct but the trouble is the upstream router has the MAC for the backup firewall not the master for the VIP ip alias addresses.

Why don't you use only carp ips instead of Ip alias.

The upstream router will see mac from master node.

Jonb

because that means 253 Vhids

marcelloc

@Jonb:

because that means 253 Vhids

It's a one time job to get a full redundante firewall.

jimp

If you use IP Alias on the WAN interface, that won't work, you have to add the IP alias VIPs and select their interface as your CARP VIP on WAN.

You didn't specify if that is what you had done, but that is the most likely way to have broken it.

Jonb

Light bulb lol  :) Thanks I understand now so select IP alias and rather than select WAN as the interface it will be X.X.X.X (Carp IP int)

That will explain a lot as I didn't think it could or meant to be done that way.

jimp

Yeah that's a new trick for 2.x. Each CARP VIP causes a VHID broadcast once per second. So if you have 250 VIPs, that's quite a lot of traffic. Plus you can't have more than 254 per segment.

So we made it so that you can select the CARP VIP as the "interface" for the IP alias, that way the alias is actually made on the vipx interface and not the physical interface.

That way it can fail over all at once when the CARP VIP switches, only requires one VHID, and so on. So in the long run it's faster to do multiple IPs that way, plus you bypass the normal limits of CARP, you just need to remember to pick the CARP entry as the interface :-)

Jonb

fantastic thanks helps out big time.

marcelloc

@jimp:

Yeah that's a new trick for 2.x. Each CARP VIP causes a VHID broadcast once per second. So if you have 250 VIPs, that's quite a lot of traffic. Plus you can't have more than 254 per segment.

So we made it so that you can select the CARP VIP as the "interface" for the IP alias, that way the alias is actually made on the vipx interface and not the physical interface.

That way it can fail over all at once when the CARP VIP switches, only requires one VHID, and so on. So in the long run it's faster to do multiple IPs that way, plus you bypass the normal limits of CARP, you just need to remember to pick the CARP entry as the interface :-)

Great feature!!!  :D

I'll test it.

jimp

@marcelloc:

Great feature!!!  :D

I'll test it.

We've had a few customers using it in production since we added it, it works quite well. :-)

Jonb

Cool thanks I can confirm this working.