OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: banym on March 23, 2020, 08:37:50 pm

Title: CARP VHID Groups
Post by: banym on March 23, 2020, 08:37:50 pm
Do VHID Groups need to be unique for the complete firewall or just per interface?

Would it be possible to have VHID 1 on WAN and LAN, or should the VHID be unique system-wide?
Title: Re: CARP VHID Groups
Post by: mimugmail on March 23, 2020, 09:41:45 pm
Never tried but I think it won't be a good idea.
Title: Re: CARP VHID Groups
Post by: banym on March 23, 2020, 10:09:53 pm
Real problems appeared if they are on the same interface. But I haven't dived into it.

If the same VHID was assigned to LAN and one to WAN, at least nothing bad happened... but I am not sure what could happen, or if each interface has up to 256 VHIDs to assign.
Title: Re: CARP VHID Groups
Post by: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.
Title: Re: CARP VHID Groups
Post by: banym on March 24, 2020, 08:50:36 am
My understanding was, for each virtual CARP address I need a unique VHID.

If I want to have multiple WAN IPs handled each as a virtual IP, I need unique VHID groups for each of them?
That's how I did it in the past. And I did not reuse the VHID for another interface.

When I use the same VHID group on WAN for two different addresses it leads to problems like IPsec tunnels not working, because the first address of each VHID group is used as identifier, not the configured one. Just an example.

The reason I ask is I stumbled over a fucked up configuration where VHIDs were used multiple times. On WAN it came to the behaviour that IPsec did not work as configured and chose the wrong identifier. While cleaning the configuration the way it worked for me in the past, I asked myself if the unique identifier only needs to be unique per interface or system-wide.
Title: Re: CARP VHID Groups
Post by: hbc on March 24, 2020, 09:07:32 am
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed using the same VHID for IPv4 and IPv6. I used it to force common failover of both IP families.

20.x does not allow use of the same VHID for IPv4 and IPv6. So you need to waste more (double) VHIDs. I hope it just must be unique per interface. Else, with many VLANs, IPv6 and other VRRP/CARP devices in the network that must not overlap, 256 VHIDs are depleted pretty quick.
Title: Re: CARP VHID Groups
Post by: mimugmail on March 24, 2020, 10:44:21 am
Quote from: banym on March 24, 2020, 08:50:36 am
My understanding was, for each virtual CARP address I need a unique VHID.

If I want to have multiple WAN IPs handled each as a virtual IP, I need unique VHID groups for each of them?
That's how I did it in the past. And I did not reuse the VHID for another interface.

When I use the same VHID group on WAN for two different addresses it leads to problems like IPsec tunnels not working, because the first address of each VHID group is used as identifier, not the configured one. Just an example.

The reason I ask is I stumbled over a fucked up configuration where VHIDs were used multiple times. On WAN it came to the behaviour that IPsec did not work as configured and chose the wrong identifier. While cleaning the configuration the way it worked for me in the past, I asked myself if the unique identifier only needs to be unique per interface or system-wide.

No, when you have VHID 1 for WAN and you want to add more CARP IPs, just set for the second IP interface WAN, type Alias, but set the correct VHID at the bottom. This would be the clean approach.
Title: Re: CARP VHID Groups
Post by: mimugmail on March 24, 2020, 10:44:52 am
Quote from: hbc on March 24, 2020, 09:07:32 am
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed using the same VHID for IPv4 and IPv6. I used it to force common failover of both IP families.

20.x does not allow use of the same VHID for IPv4 and IPv6. So you need to waste more (double) VHIDs. I hope it just must be unique per interface. Else, with many VLANs, IPv6 and other VRRP/CARP devices in the network that must not overlap, 256 VHIDs are depleted pretty quick.

Really? Do you have a link to the issue why this was changed?
Title: Re: CARP VHID Groups
Post by: banym on March 24, 2020, 10:57:46 am
I found this in the FreeBSD docs:

Quote
The VHID for each virtual IP address must be unique across the broadcast domain of the network interface.

Source: https://www.freebsd.org/doc/handbook/carp.html

For me this indicates you can use the same VHID on different interfaces without problems. Only the same VHID on the same interface within broadcast range is NOT supported.

Am I correct?
Title: Re: CARP VHID Groups
Post by: hbc on March 24, 2020, 11:12:55 am
Quote from: mimugmail on March 24, 2020, 10:44:52 am
Quote from: hbc on March 24, 2020, 09:07:32 am
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed using the same VHID for IPv4 and IPv6. I used it to force common failover of both IP families.

20.x does not allow use of the same VHID for IPv4 and IPv6. So you need to waste more (double) VHIDs. I hope it just must be unique per interface. Else, with many VLANs, IPv6 and other VRRP/CARP devices in the network that must not overlap, 256 VHIDs are depleted pretty quick.

Really? Do you have a link to the issue why this was changed?

https://github.com/opnsense/core/issues/3732

Quote
since the internal key is per interface+vhid it won't support overlap
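As an added illustration (not from the thread and not OPNsense's own code), the following Python script checks a virtual IP list for the two situations discussed above: the same VHID defined twice on one interface (including an IPv4 and an IPv6 CARP VIP sharing it, which the linked issue says 20.x rejects because the key is interface+vhid), and an IP alias that points at a VHID with no CARP VIP on its interface. The element names and the sample config are assumptions modelled on the layout of the virtualip section of an OPNsense config.xml; the same VHID on WAN and LAN is deliberately accepted, matching the FreeBSD handbook quote.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the <virtualip> section of an OPNsense
# config.xml. Element names are an assumption about that layout; the
# addresses are documentation ranges, not a real deployment.
SAMPLE_CONFIG = """<opnsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet><vhid>1</vhid></vip>
  <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.11</subnet><vhid>1</vhid></vip>
  <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.20</subnet><vhid>2</vhid></vip>
  <vip><mode>carp</mode><interface>wan</interface><subnet>2001:db8::10</subnet><vhid>2</vhid></vip>
  <vip><mode>carp</mode><interface>lan</interface><subnet>192.0.2.1</subnet><vhid>1</vhid></vip>
  <vip><mode>ipalias</mode><interface>lan</interface><subnet>192.0.2.2</subnet><vhid>9</vhid></vip>
</virtualip></opnsense>"""


def check_vhids(config_xml: str) -> list:
    """Return findings for VHID misuse; an empty list means the layout is clean.

    The key that must be unique is (interface, vhid), as the linked issue
    states, so the same VHID on WAN and LAN is fine while two CARP VIPs
    sharing it on one interface (even IPv4 + IPv6) are reported. Overlap
    with other CARP/VRRP devices in the broadcast domain is not visible
    in the config and cannot be checked here.
    """
    carp = defaultdict(list)   # (interface, vhid) -> CARP addresses using it
    aliases = []               # (interface, vhid, address) of IP aliases
    for vip in ET.fromstring(config_xml).iter("vip"):
        mode = vip.findtext("mode", "")
        key = (vip.findtext("interface", ""), vip.findtext("vhid", ""))
        addr = vip.findtext("subnet", "")
        if mode == "carp":
            carp[key].append(addr)
        elif mode == "ipalias" and key[1]:
            aliases.append((*key, addr))

    findings = []
    for (iface, vhid), addrs in carp.items():
        if not vhid.isdigit() or not 1 <= int(vhid) <= 255:
            findings.append(f"{iface}: VHID {vhid!r} is outside 1-255")
        if len(addrs) > 1:
            fams = ", ".join(f"IPv{ipaddress.ip_address(a).version}" for a in addrs)
            findings.append(f"{iface}: VHID {vhid} used by {len(addrs)} CARP VIPs ({fams})")
    for iface, vhid, addr in aliases:
        if (iface, vhid) not in carp:
            findings.append(f"{iface}: alias {addr} references VHID {vhid} with no CARP VIP")
    return findings


if __name__ == "__main__":
    for line in check_vhids(SAMPLE_CONFIG) or ["no VHID problems found"]:
        print(line)
```

Run against the sample it reports the WAN VHID 2 shared by an IPv4 and an IPv6 VIP and the LAN alias with no matching CARP VIP, while VHID 1 on both WAN and LAN passes.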