24.1 Production Series / Bridge Looping Issue: Need Help with STP Activation
« on: February 15, 2024, 03:55:52 pm »

```
┌───────────────────────────────────┐
│ Firewall 1 │
│ ┌───────────┐ │
│ ┌──────┤ vlan0.0.50├──┐ ┌────┤
│ │ └───────────┘ └──┤eth0├────────────────────────┐
│ ┌───┴───┐ └────┤ │
│ │ │ │ │
│ │bridge0│ │ │
│ │ │ │ │
│ └───┬───┘ ┌────┤ │
│ │ ┌───────────┐ ┌──┤eth1├──────────┐ │
│ └──────┤ vlan0.1.50├──┘ └────┤ │ │
│ └───────────┘ │ │ │
│ │ ┌────┴─────┐ ┌────┴─────┐
└───────────────────────────────────┘ │ │ │ │
│ switch1 │ │ switch0 │
┌───────────────────────────────────┐ │ │ │ │
│ Firewall 2 │ └────┬─────┘ └────┬─────┘
│ ┌───────────┐ │ │ │
│ ┌──────┤ vlan0.0.50├──┐ ┌────┤ │ │
│ │ └───────────┘ └──┤eth0├──────────┼─────────────┘
│ ┌───┴───┐ └────┤ │
│ │ │ │ │
│ │bridge0│ │ │
│ │ │ │ │
│ └───┬───┘ ┌────┤ │
│ │ ┌───────────┐ ┌──┤eth1├──────────┘
│ └──────┤ vlan0.1.50├──┘ └────┤
│ └───────────┘ │
│ │
└───────────────────────────────────┘
```
Hello, I have a problem with a loop that I get with an HA configuration over two OPNsense firewalls. I have a bridge on each firewall, and each bridge is bridged to a VLAN via two paths. As can be seen from the diagram, a loop must occur here; unfortunately I need this setup exactly like this. As soon as I set things up like this, I have a loop and everything comes to a standstill. Even various attempts to activate STP have not helped, which I also don't really understand.

In terms of HA, I have built myself a syshook: /usr/local/etc/rc.syshook.d/carp/10-handle-briges.

This script does an ifconfig bridge0 up/down according to the CARP status (MASTER or not MASTER). Basically, this works quite well, but unfortunately not when I restart the firewall. When booting up, CARP takes effect and the bridge is shut down; unfortunately, later in the boot process it is detected that the bridge has dependencies, so it is configured and thereby brought back up, and I am back to my loop.
Ideally, I should be able to counteract all of this with STP, but it's not working. Does anyone have any idea why not? The attempt to bypass the whole thing using a hook and bringing the bridge up and down is just a workaround; here, I would still need an idea of how to immediately bring the bridge back down in case it is brought back up, depending on the CARP status. My current approach is to write a file (/tmp/carp-status.flag) to check in another script whether the bridge should be up or down, and then to correct this immediately if necessary. Unfortunately, I haven't found a hook yet that I could use as soon as the bridge is brought back up. Maybe with the devd stuff? But I haven't figured out yet how to register for an event here, maybe somewhere in /usr/local/etc/inc/plugins.inc.d/?
Perhaps someone can give me an idea or question everything again and guide me in the right direction?
Greetings, Volker
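The hook-plus-recheck approach described in the post, as an added example that is not the poster's own 10-handle-briges script. It assumes, as OPNsense does for scripts under /usr/local/etc/rc.syshook.d/carp/, that the hook is invoked as `<script> <vhid@interface> <MASTER|BACKUP|INIT>`; the bridge name `bridge0` and the flag file `/tmp/carp-status.flag` are taken from the post, the `recheck` sub-command and the `IFCONFIG` override are this example's own additions. The decision logic is kept in small functions so it can be checked without touching a real bridge, and anything other than MASTER resolves to "down", so a missing or unexpected state can never re-open the loop.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed invocation (OPNsense CARP syshook):
#   10-handle-bridges <vhid@interface> <MASTER|BACKUP|INIT>
# Assumed extra sub-command for re-checking after boot or a link event:
#   10-handle-bridges recheck

BRIDGE="${BRIDGE:-bridge0}"                  # bridge named in the post
FLAG="${FLAG:-/tmp/carp-status.flag}"        # flag file named in the post
IFCONFIG="${IFCONFIG:-ifconfig}"             # overridable so the logic can be dry-run

# Map a CARP event type to the state the bridge should be in.
# Only MASTER brings the bridge up; BACKUP, INIT or anything unknown keeps it down,
# which is the loop-safe default for a bridge that would close a second path.
desired_bridge_state() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# Persist the decision so a later re-check can act on it without CARP context.
write_flag() {
    printf '%s\n' "$1" > "$FLAG"
}

# Read the persisted decision; a missing file is treated as "down".
read_flag() {
    if [ -r "$FLAG" ]; then
        cat "$FLAG"
    else
        echo down
    fi
}

# Apply a state ("up" or "down") to the bridge interface.
apply_bridge_state() {
    "$IFCONFIG" "$BRIDGE" "$1"
}

# CARP hook entry point: $1 = vhid@interface, $2 = event type.
carp_hook() {
    state=$(desired_bridge_state "$2")
    write_flag "$state"
    apply_bridge_state "$state"
}

# Re-check entry point: if the recorded state is "down" but something
# (boot-time interface configuration, for example) brought the bridge up,
# force it down again. Returns 0 after acting or when no action is needed.
recheck() {
    if [ "$(read_flag)" = down ]; then
        apply_bridge_state down
    fi
}

case "${1:-}" in
    recheck) recheck ;;
    *@*)     carp_hook "$1" "$2" ;;
esac
```

To run the re-check from devd when the bridge comes up, a FreeBSD devd.conf rule of the form `notify 0 { match "system" "IFNET"; match "subsystem" "bridge0"; match "type" "LINK_UP"; action "/usr/local/etc/rc.syshook.d/carp/10-handle-bridges recheck"; };` can be placed under /etc/devd/ or /usr/local/etc/devd/; whether a bridge interface emits a LINK_UP event on `ifconfig bridge0 up` is an assumption to verify with `devd -d` on the actual system.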