Hi all,
we are in the planning stage for a HA pair protecting a web server farm. We will have something from a /26 to a /24 IPv4 externally.
Does one create a CARP VHID per address or is there another method to add them for inbound proxying? Of course they should all switch over to the standby node should the active one fail.
I have always worked with all CARP VHIDs in the past but I never had more than a handful of addresses to manage.
Thanks
Patrick
I think we added VHID support to normal aliases for this case... one CARP and the rest normal but VHID set accordingly.
changelog.git:community/17.7/17.7.1:o firewall: add optional VHID to support alias IP on CARP
Long time ago :)
Cheers,
Franco
Thanks!
Quote from: franco on November 16, 2023, 10:04:05 AM
I think we added VHID support to normal aliases for this case... one CARP and the rest normal but VHID set accordingly.
changelog.git:community/17.7/17.7.1:o firewall: add optional VHID to support alias IP on CARP
I just learned there is a rather tight MAC address limit for vSwitches at Hetzner: 32 per port.
All aliases are using the same MAC address, right?
EDIT: I just tested with a /29 in the exact planned production environment. It looks like this:
Main IP address - shares MAC address with parent interface for vSwitch VLAN:
? (49.13.250.181) at a0:36:9f:0c:59:f8 on vlan01 permanent [vlan]
CARP and alias addresses - different MAC address but all aliases seem to share a single one:
? (49.13.250.180) at 00:00:5e:00:01:02 on vlan01 expires in 1198 seconds [vlan]
? (49.13.250.179) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
Can you (or anyone) confirm that this is indeed the case?
Thanks,
Patrick
Tested and confirmed. The CARP address and all IP alias addresses share the same CARP MAC:
? (49.13.251.55) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.23) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.54) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.22) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.53) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.21) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.52) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.20) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.51) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.19) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.50) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.18) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.49) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.17) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.48) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.16) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.31) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.62) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.30) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.61) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
[...]
So, yes, an OPNsense HA cluster at Hetzner with external vSwitch works. Great!
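As an added example that is not part of the thread and not OPNsense code: the observation above (the CARP address and every IP alias with the same VHID answer under one MAC, 00:00:5e:00:01:VHID, while the parent interface keeps its own hardware MAC) can be checked mechanically against the FreeBSD `arp -a` output pasted here. The script assumes that line format, decodes the VHID from the CARP MAC prefix, groups addresses per MAC, and counts distinct MACs per interface against an assumed per-port limit (32, as reported for the Hetzner vSwitch); the sample lines are reproduced from the thread and the fourth non-entry line is constructed to show that unparseable input is skipped.

```python
"""Group ARP-table entries by MAC to see how many distinct MACs a CARP/IP-alias
setup consumes per interface (added check, not OPNsense or FreeBSD code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# FreeBSD `arp -a` line shape, as pasted in the thread (assumed format):
#   ? (49.13.250.180) at 00:00:5e:00:01:02 on vlan01 expires in 1198 seconds [vlan]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<ifname>\S+) (?P<state>permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)

# IPv4 CARP (like VRRP) uses the IANA prefix 00:00:5e:00:01 followed by the VHID.
CARP_MAC_PREFIX = "00:00:5e:00:01:"

# Constructed sample: lines reproduced from the thread plus one junk line.
SAMPLE_ARP = """\
? (49.13.250.181) at a0:36:9f:0c:59:f8 on vlan01 permanent [vlan]
? (49.13.250.180) at 00:00:5e:00:01:02 on vlan01 expires in 1198 seconds [vlan]
? (49.13.250.179) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.55) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
this line is not an arp entry and is skipped
"""


def parse_arp(text: str) -> List[dict]:
    """Return one dict (ip, mac, ifname, state) per parseable line; others are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            entries.append(d)
    return entries


def carp_vhid(mac: str) -> Optional[int]:
    """Return the VHID encoded in a CARP MAC, or None for a non-CARP MAC."""
    mac = mac.lower()
    if not mac.startswith(CARP_MAC_PREFIX):
        return None
    return int(mac[len(CARP_MAC_PREFIX):], 16)


def macs_per_interface(entries: List[dict]) -> Dict[str, Set[str]]:
    """Distinct MACs seen per interface."""
    by_if: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        by_if[e["ifname"]].add(e["mac"])
    return dict(by_if)


def addresses_per_mac(entries: List[dict]) -> Dict[str, List[str]]:
    """All IPv4 addresses answering under each MAC, in input order."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return dict(by_mac)


def check_mac_budget(entries: List[dict], limit: int = 32) -> Dict[str, dict]:
    """Per interface: distinct MAC count and whether it fits the assumed port limit."""
    return {
        ifname: {"macs": len(macs), "limit": limit, "ok": len(macs) <= limit}
        for ifname, macs in macs_per_interface(entries).items()
    }


if __name__ == "__main__":
    parsed = parse_arp(SAMPLE_ARP)
    for mac, ips in addresses_per_mac(parsed).items():
        vhid = carp_vhid(mac)
        tag = f"CARP VHID {vhid}" if vhid is not None else "parent interface"
        print(f"{mac} ({tag}): {', '.join(ips)}")
    print(check_mac_budget(parsed))
```

Run against a real `arp -a` capture from the switch side, the budget figure is what matters for the vSwitch limit: each CARP VHID costs one MAC regardless of how many aliases hang off it, so the count grows with the number of VHIDs, not with the size of the prefix.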