Large number of alias addresses in a HA setup - to CARP or not to?

[Patrick M. Hausen]

Hi all,

we are in the planning stage for a HA pair protecting a web server farm. We will have something from a /26 to a /24 IPv4 externally.

Does one create a CARP VHID per address or is there another method to add them for inbound proxying? Of course they should all switch over to the standby node should the active one fail.

I have always worked with all CARP VHIDs in the past but I never had more than a handful of addresses to manage.

Thanks
Patrick

[franco]

I think we added VHID support to normal aliases for this case... one CARP and the rest normal but VHID set accordingly.

changelog.git:community/17.7/17.7.1:o firewall: add optional VHID to support alias IP on CARP

Long time ago :)


Cheers,
Franco

[Patrick M. Hausen]

Thanks!

[Patrick M. Hausen]

I think we added VHID support to normal aliases for this case... one CARP and the rest normal but VHID set accordingly.

changelog.git:community/17.7/17.7.1:o firewall: add optional VHID to support alias IP on CARP

I just learned there is a rather tight MAC address limit for vSwitches at Hetzner - 32 per Port.
All aliases are using the same MAC address, right?

EDIT: I just tested with a /29 in the exact planned production environment. It looks like this:

Main IP address - shares MAC address with parent interface for vSwitch VLAN:

Code Select Expand

? (49.13.250.181) at a0:36:9f:0c:59:f8 on vlan01 permanent [vlan]

CARP and alias addresses - different MAC address but all aliases seem to share a single one:

Code Select Expand

? (49.13.250.180) at 00:00:5e:00:01:02 on vlan01 expires in 1198 seconds [vlan]
? (49.13.250.179) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]

Can you (or anyone) confirm that this is indeed the case?

Thanks,
Patrick

[Patrick M. Hausen]

Tested and confirmed. The CARP address and all IP alias addresses share the same CARP MAC:

Code Select Expand

? (49.13.251.55) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.23) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.54) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.22) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.53) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.21) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.52) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.20) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.51) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.19) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.50) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.18) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.49) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.17) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.48) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.16) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.31) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.62) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.30) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
? (49.13.251.61) at 00:00:5e:00:01:02 on vlan01 expires in 1195 seconds [vlan]
[...]


So, yes, an OPNsense HA cluster at Hetzner with external vSwitch works. Great!