    ESXi, vswitch and CARP IP

    Virtualization
nikolaii:

Hello,
I'm looking for some advice.

I have two ESXi hosts, linked by a single network card.
On each host, I created a vswitch which includes the physical network card. Then I add a port group to this vswitch, in order to create two separate subnets (say lan_a and lan_b).

So far, so good, I can set up CARP IPs and they do work well.

But I feel like this setup is not very good in the sense of "traffic isolation". If I run a packet capture on one of the interfaces (in lan_a) I can see traffic (from lan_b) which is not for this interface. I guess this is quite normal since in ESXi I have to activate the "promiscuous" mode in order to make CARP possible.

So is there any other option which could allow the use of CARP IPs between two hosts and a good level of isolation?

Usually I set up vswitches without any physical interfaces attached to them, and pfSense does the routing. This provides decent isolation (well, at least when I do a packet capture I don't see any other traffic but the one related to the interface).
But then, no more layer 2 possible, right? Hence no CARP IP …

Thanks.
Nicolas

nikolaii:

I have attached a diagram to show the current ESXi network settings. Both ESXi hosts are configured the same way.

So right now every firewall interface has a CARP IP which is working perfectly.

But I feel there is something wrong: I did set up a DHCP server on each interface; and most of the time there is one DHCP server which answers all the network queries, even to servers in other networks. I guess this can be explained by the fact that all my "port groups" are attached to the same vswitch (which is also in promiscuous mode).

But how can I avoid this and make every DHCP server answer its subnet only?

Thanks,
Nicolas

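The cross-subnet DHCP answers described above can be confirmed from a packet capture on each pfSense interface. The following Python check is an added example, not code from the thread or from pfSense: it reads a summary of DHCP OFFERs seen per interface (the one-line-per-offer format and the addresses are constructed for this example) and flags any offer whose server or offered address lies outside that interface's own subnet, which is exactly what a promiscuous vswitch merging several port groups into one broadcast domain produces.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample, one line per DHCP OFFER captured on a pfSense interface:
#   <interface> <interface subnet> <dhcp server ip> <offered ip>
# The format is hypothetical, chosen for this example (not a real tool's output).
SAMPLE_OFFERS = """\
lan_a 192.168.10.0/24 192.168.10.1 192.168.10.50
lan_a 192.168.10.0/24 192.168.20.1 192.168.20.77
lan_b 192.168.20.0/24 192.168.20.1 192.168.20.78
lan_b 192.168.20.0/24 192.168.10.1 192.168.10.51
"""


@dataclass(frozen=True)
class Finding:
    iface: str
    server: str
    offered: str
    reason: str


def check_offers(text: str) -> list[Finding]:
    """Return one Finding per DHCP OFFER that should never reach this interface.

    A server address outside the interface's subnet means broadcasts from
    another port group are arriving here (shared broadcast domain); an offered
    address outside the subnet means a client here is being leased a foreign
    address. Either is the symptom described in the thread.
    """
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, cidr, server, offered = line.split()
        net = ipaddress.ip_network(cidr, strict=False)
        srv = ipaddress.ip_address(server)
        off = ipaddress.ip_address(offered)
        if srv not in net:
            findings.append(Finding(iface, server, offered,
                                    "server outside interface subnet"))
        elif off not in net:
            findings.append(Finding(iface, server, offered,
                                    "offered address outside interface subnet"))
    return findings


def leaking_interfaces(text: str) -> set[str]:
    """Interfaces on which at least one foreign DHCP OFFER was seen."""
    return {f.iface for f in check_offers(text)}
```

On the sample data both lan_a and lan_b are reported, because each interface sees the other subnet's DHCP server; after the port groups are split into separate broadcast domains, the same check should return nothing.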
EMWEE:

A switch is a layer 2 device… so it's still one broadcast domain. You can create VLANs to split them up. But turning your interface into promiscuous mode makes it one broadcast and collision domain.

Maybe you should add another NIC dedicated to CARP.

nikolaii:

Unfortunately I can't add a secondary NIC as the server is provided as is by a hosting company (OVH).

            So my best option would be to add VLANs … I'll do some tests to see if they are supported by the provider's switches.

            Nicolas

nikolaii:

              Hi,

And the answer is no. The provider doesn't currently permit passing VLAN tags between two hosts. It will be added in a future release though.

              But for now, I can't use VLANs.

              So what is the best option to isolate the subnets? Am I right in assuming that if I create a new vswitch with no attached interface to it, the CARP won't work at all for the subnet in this vswitch?

              Thanks,
              Nicolas
