Author Topic: CARP VHID Groups (Read 6601 times)

banym · « **on:** March 23, 2020, 08:37:50 pm »

Do VHID Groups need to be unique for the complete firewall or just for interfaces.

Would it be possible to have VHID1 on WAN and LAN or should the VHID be unique system wide.

mimugmail · « **Reply #1 on:** March 23, 2020, 09:41:45 pm »

Never tried but I think it won't be a good idea.

banym · « **Reply #2 on:** March 23, 2020, 10:09:53 pm »

Real problems appeared if they are on the same interface. But haven't dived into it.

If same VHID was assigned to LAN and one to WAN at leased nothing bad happened... but I am not sure what could happen or if each interface has up to 256 VHIDs to assign.

mimugmail · « **Reply #3 on:** March 24, 2020, 06:52:34 am »

I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

banym · « **Reply #4 on:** March 24, 2020, 08:50:36 am »

My understanding was, for each virtual CARP address I need an unique VHID.

If I want to have multiple WAN IPs handled each as a virtual IP I need unique VHID groups for each of them?
Thats how I did it in the past. And I did not reuse the VHID for an other interface.

When I use the same VHID Groups on WAN for two different addresses it leads to problems like IPsec tunnels do not work because the first address of each VHID group is used as identifier not the configured one. Just an example.

The reason I ask is I stumbled over a fucked up configuration where VHID where used multiple times. On WAN it came to the behaviour that IPSec did not work as configured and choose the wrong identifier. While cleaning the configuration the way it worked for me in the past I asked myself if the unique identifier only needs to be unique per interface or system wide.

hbc · « **Reply #5 on:** March 24, 2020, 09:07:32 am »

Quote from: mimugmail on March 24, 2020, 06:52:34 am

I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed to use same VHID for IPv4 and IPv6. Used it to force common failover of both ip families.

20.X does not allow use of same VHID for IPv4 and IPv6. So need to waste more (double) VHIDs. I hope it just must be unique per interface. Else with many vlans, ipv6 and other vrrp/carp devices in network that must not overlap, 256 VHIDs are depleted pretty wuick.

mimugmail · « **Reply #6 on:** March 24, 2020, 10:44:21 am »

Quote from: banym on March 24, 2020, 08:50:36 am

My understanding was, for each virtual CARP address I need an unique VHID.

If I want to have multiple WAN IPs handled each as a virtual IP I need unique VHID groups for each of them?
Thats how I did it in the past. And I did not reuse the VHID for an other interface.

When I use the same VHID Groups on WAN for two different addresses it leads to problems like IPsec tunnels do not work because the first address of each VHID group is used as identifier not the configured one. Just an example.

The reason I ask is I stumbled over a fucked up configuration where VHID where used multiple times. On WAN it came to the behaviour that IPSec did not work as configured and choose the wrong identifier. While cleaning the configuration the way it worked for me in the past I asked myself if the unique identifier only needs to be unique per interface or system wide.

No, when you have VHID 1 for WAN and you want to add more CARP IPs, just set for the second IP interface WAN, type Alias but set the correct VHID at the bottom. This would be the clean approach.

mimugmail · « **Reply #7 on:** March 24, 2020, 10:44:52 am »

Quote from: hbc on March 24, 2020, 09:07:32 am

Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed to use same VHID for IPv4 and IPv6. Used it to force common failover of both ip families.

20.X does not allow use of same VHID for IPv4 and IPv6. So need to waste more (double) VHIDs. I hope it just must be unique per interface. Else with many vlans, ipv6 and other vrrp/carp devices in network that must not overlap, 256 VHIDs are depleted pretty wuick.

Really? Do you have a link to the issue why this was changed?

banym · « **Reply #8 on:** March 24, 2020, 10:57:46 am »

I found this in the FreeBSD Docs

Quote

The VHID for each virtual IP address must be unique across the broadcast domain of the network interface.

Source: https://www.freebsd.org/doc/handbook/carp.html

For me this indecates you can use the same VHID on different interfaces without problems. Only same VHID on same Interface within broadcast range are NOT supported.

Am I correct?

hbc · « **Reply #9 on:** March 24, 2020, 11:12:55 am »

Quote from: mimugmail on March 24, 2020, 10:44:52 am

Quote from: hbc on March 24, 2020, 09:07:32 am
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed to use same VHID for IPv4 and IPv6. Used it to force common failover of both ip families.

20.X does not allow use of same VHID for IPv4 and IPv6. So need to waste more (double) VHIDs. I hope it just must be unique per interface. Else with many vlans, ipv6 and other vrrp/carp devices in network that must not overlap, 256 VHIDs are depleted pretty wuick.

Really? Do you have a link to the issue why this was changed?

https://github.com/opnsense/core/issues/3732

Quote

since the internal key is per interface+vhid it won't support overlap

Author Topic: CARP VHID Groups (Read 6601 times)

banym

CARP VHID Groups

mimugmail

Re: CARP VHID Groups

banym

Re: CARP VHID Groups

mimugmail

Re: CARP VHID Groups

banym

Re: CARP VHID Groups

hbc

Re: CARP VHID Groups

mimugmail

Re: CARP VHID Groups

mimugmail

Re: CARP VHID Groups

banym

Re: CARP VHID Groups

hbc

Re: CARP VHID Groups