Re: [ovirt-users] CARP Fails on Bond mode=1

How can it lead into packet duplication when the passive should not be active and only its mac-address should be visible on the switch to prevent confusion on the switch?
For a VRRP setup on the switch there is no other option than mode=1 as far as I know?
2016-07-13 14:50 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
I would say that bonding breaks CARP somehow. In example mode=1 can lead to packet duplication, so pfsense can receive its own packets. Try firewall in pfsense all incoming packets that have the same source MAC address as pfsense.
-----Original Message-----
From: "Matt ." <yamakasi.014@gmail.com>
Date: Wednesday 13 July 2016 at 15:29
To: Pavel Gashev <Pax@acronis.com>
Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
Hi Pavel,
No it's Pfsense, so FreeBSD.
Is there something different there ?
2016-07-13 13:59 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
Matt,
How is CARP implemented? Is it OpenBSD?
-----Original Message-----
From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
Date: Wednesday 13 July 2016 at 12:42
Cc: users <users@ovirt.org>
Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
Hi Pavel,
This is done and used without the Bond before.
Now I applied a bond it goes wrong and I'm searching but can't find a thing about it.
2016-07-13 11:03 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
Matt,
In order to use CARP/VRRP in a VM you have to disable MAC spoofing prevention. http://lists.ovirt.org/pipermail/users/2015-May/032839.html
-----Original Message-----
From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
Date: Tuesday 12 July 2016 at 21:58
To: users <users@ovirt.org>
Subject: [ovirt-users] CARP Fails on Bond mode=1
Hi guys,
I have been testing bonding with a vm connected to the network on this bond mode=1 (vlans on top of it) where the vm uses a carp IP for failover.
It seems that when the VM which holds the Carp IP and so is Master you can ping both IP's, so interface IP and Carp IP, but you cannot throw/route any traffic over it.
You can route traffic over the interface IP of the Carp Slave.
Is this known or just not possible ?
I hope it's a "bug" :)
Thanks,
Matt
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

In mode=1 the active interface sends traffic, but both interfaces accept incoming traffic. Hardware switches send broadcast/multicast/unknown destination MACs to all ports, including the passive interface. So packet sent from the active interface can be received back from the passive interface. FreeBSD CARP just would go mad when it receives its own packets.
I believe if you get Linux implementation, it will work well in the same network setup. I use keepalived in oVirt VMs with bonded network, and have no issues.
-----Original Message-----
From: "Matt ." <yamakasi.014@gmail.com>
Date: Wednesday 13 July 2016 at 15:54
To: Pavel Gashev <Pax@acronis.com>, users <users@ovirt.org>
Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
How can it lead into packet duplication when the passive should not be active and only its mac-address should be visible on the switch to prevent confusion on the switch?
For a VRRP setup on the switch there is no other option than mode=1 as far as I know?
2016-07-13 14:50 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
I would say that bonding breaks CARP somehow. In example mode=1 can lead to packet duplication, so pfsense can receive its own packets. Try firewall in pfsense all incoming packets that have the same source MAC address as pfsense.

Hi Pavel,
Thanks for your update. I also saw that the post are both online but I thought the second nic only advertises the mac so the switch does not get confused.
The issue might be that I do VRRP, so the bond is connected to two switches, they are not stacked, only trunked as that's what VRRP requires and works well on the side where there is only one VLAN on the Host interface.
It just goes wrong on multiple vlans.
This is what I see everywhere.
Mode 1 (active-backup) This mode places one of the interfaces into a backup state and will only make it active if the link is lost by the active interface. Only one slave in the bond is active at an instance of time. A different slave becomes active only when the active slave fails. This mode provides fault tolerance.
It's sure I need to get my traffic back on my sending port, so that is why the arp for the passive port was there I thought.
Are there other modes that should be working on VRRP in your understanding?
Thanks a lot,
Matt
2016-07-13 15:43 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
In mode=1 the active interface sends traffic, but both interfaces accept incoming traffic. Hardware switches send broadcast/multicast/unknown destination MACs to all ports, including the passive interface. So packet sent from the active interface can be received back from the passive interface. FreeBSD CARP just would go mad when it receives its own packets.
I believe if you get Linux implementation, it will work well in the same network setup. I use keepalived in oVirt VMs with bonded network, and have no issues.

As addition: I get the same result using mode=4, only when I use multiple VLANS on the interface.
2016-07-13 15:58 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
Hi Pavel,
Thanks for your update. I also saw that the post are both online but I thought the second nic only advertises the mac so the switch does not get confused.
The issue might be that i do VRRP, so the bond is connected to two switches, they are not stacked, only trunked as that's what VRRP requires and works well on the side where there is only one VLAN on the Host interface.
It just goes wrong on multiple vlans.
This is what I see everywhere.
Mode 1 (active-backup) This mode places one of the interfaces into a backup state and will only make it active if the link is lost by the active interface. Only one slave in the bond is active at an instance of time. A different slave becomes active only when the active slave fails. This mode provides fault tolerance.
It's sure I need to get my traffic back on my sending port, so that is why the arp for the passive port was there I thought.
Are there other modes that should be working on VRRP in your understanding ?
Thanks a lot,
Matt

Hi,
You could try to add "net.inet.carp.drop_echoed=1" to pfsense in /etc/sysctl.conf ?
It is an old fix for VMWare and FreeBSD. I am not able to test it at the moment but I can see it's not in the config of the latest version of PFSense.
Maybe this will help?
https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting
    Client Port Issues
    If a physical CARP cluster is connected to a switch with an ESX box using multiple ports on the ESX box (lagg group or similar), and only certain devices/IPs are reachable by the target VM, then the port group settings in ESX may need adjusted to set the load balancing for the group to hash based on IP, not the originating interface.
    Side effects of having that set incorrectly include:
    * Traffic only reaching the target VM in promisc mode on its NIC
    * Inability to reach the CARP IP from the target VM when the "real" IP of the primary firewall is reachable
    * Port forwards or other inbound connections to the target VM work from some IPs and not others.
On 07/13/2016 03:59 PM, Matt . wrote:
> As addition: I get the same result using mode=4, only when I use
> multiple VLANS on the interface.
With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
the vm uses a carp IP for failover=2E It seems that when the VM which holds the Carp IP and so is Master you can ping both IP=27s=2C so interface IP and Carp IP=2C but you cannot throw/route any traffic over it=2E You can route traffic over the interface IP of the Carp Slave=2E Is this known or just not possible =3F I hope it=27s a =22bug=22 =3A=29 Thanks=2C Matt =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F Users mailing list =3Ca class=3D=22moz-txt-link-abbreviated=22 href=3D=22mailto=3AUsers=40ovir= t=2Eorg=22=3EUsers=40ovirt=2Eorg=3C/a=3E =3Ca class=3D=22moz-txt-link-freetext=22 href=3D=22http=3A//lists=2Eovirt= =2Eorg/mailman/listinfo/users=22=3Ehttp=3A//lists=2Eovirt=2Eorg/mailman/lis= tinfo/users=3C/a=3E =3C/pre=3E =3C/blockquote=3E =3Cpre wrap=3D=22=22=3E=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F Users mailing list =3Ca class=3D=22moz-txt-link-abbreviated=22 href=3D=22mailto=3AUsers=40ovir= t=2Eorg=22=3EUsers=40ovirt=2Eorg=3C/a=3E =3Ca class=3D=22moz-txt-link-freetext=22 href=3D=22http=3A//lists=2Eovirt= =2Eorg/mailman/listinfo/users=22=3Ehttp=3A//lists=2Eovirt=2Eorg/mailman/lis= tinfo/users=3C/a=3E =3C/pre=3E =3C/blockquote=3E =3Cpre wrap=3D=22=22=3E =3C/pre=3E =3C/blockquote=3E =3Cpre wrap=3D=22=22=3E =3C/pre=3E =3C/blockquote=3E =3C/blockquote=3E =3Cpre wrap=3D=22=22=3E=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F Users mailing list =3Ca class=3D=22moz-txt-link-abbreviated=22 href=3D=22mailto=3AUsers=40ovir= t=2Eorg=22=3EUsers=40ovirt=2Eorg=3C/a=3E =3Ca class=3D=22moz-txt-link-freetext=22 href=3D=22http=3A//lists=2Eovirt= =2Eorg/mailman/listinfo/users=22=3Ehttp=3A//lists=2Eovirt=2Eorg/mailman/lis= tinfo/users=3C/a=3E =3C/pre=3E =3C/blockquote=3E =3Cbr=3E =20= 
=3CBR /=3E =3CBR /=3E =3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cbr=3E=3Cspan styl= e=3D=22color=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan sty= le=3D=22mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelij= ke groet=2C With kind regards=2C=3Cbr=3E=3Cbr=3EJorick Astrego=3Cbr=3E=3C/s= pan=3E=3C/font=3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E= Netbulae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3An= one=3Bborder-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 52= 2px=22=3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A= 10px=22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130p= x=3Bfont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D= =22width=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =20= =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td= =3E=3C/tr=3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px= =22=3EFax=3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfo= nt-size=3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width= =3A 130px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style= =3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E= =3C/tr=3E=3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bb= order-top=3A1px solid =23ccc=3B=22=3E=3CBR /=3E =3C/body=3E =3C/html=3E --------------7161FBAE455AFA40D329AFFF--

Hi,

You could try to add "net.inet.carp.drop_echoed=1" to pfsense in
/etc/sysctl.conf ?

It is an old fix for VMWare and FreeBSD. I am not able to test it at the
moment but I can see it's not in the config of the latest version of
PFSense.

Or maybe better:

https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

    Client Port Issues

    If a physical CARP cluster is connected to a switch with an ESX box
    using multiple ports on the ESX box (lagg group or similar), and
    only certain devices/IPs are reachable by the target VM, then the
    port group settings in ESX may need adjusted to set the load
    balancing for the group to hash based on IP, not the originating
    interface.

    Side effects of having that set incorrectly include:

      * Traffic only reaching the target VM in promisc mode on its NIC
      * Inability to reach the CARP IP from the target VM when the
        "real" IP of the primary firewall is reachable
      * Port forwards or other inbound connections to the target VM work
        from some IPs and not others.

So you could try with bonding option "xmit_hash_policy=layer2+3" and see
if that helps...

Kind regards,

Jorick Astrego

On 07/13/2016 03:59 PM, Matt . wrote:
> As addition: I get the same result using mode=4, only when I use
> multiple VLANS on the interface.
>
> 2016-07-13 15:58 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
>> Hi Pavel,
>>
>> Thanks for your update. I also saw that the post are both online but I
>> thought the second nic only advertises the mac so the switch does not
>> get confused.
>>
>> The issue might be that I do VRRP, so the bond is connected to two
>> switches, they are not stacked, only trunked as that's what VRRP
>> requires and works well on the side where there is only one VLAN on
>> the Host interface.
>>
>> It just goes wrong on multiple vlans.
>>
>> This is what I see everywhere.
>>
>> Mode 1 (active-backup)
>> This mode places one of the interfaces into a backup state and will
>> only make it active if the link is lost by the active interface. Only
>> one slave in the bond is active at an instance of time. A different
>> slave becomes active only when the active slave fails. This mode
>> provides fault tolerance.
>>
>> It's sure I need to get my traffic back on my sending port, so that is
>> why the arp for the passive port was there I thought.
>>
>> Are there other modes that should be working on VRRP in your understanding ?
>>
>> Thanks a lot,
>>
>> Matt
>>
>> 2016-07-13 15:43 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>> In mode=1 the active interface sends traffic, but both interfaces
>>> accept incoming traffic. Hardware switches send
>>> broadcast/multicast/unknown destination MACs to all ports, including
>>> the passive interface. So packet sent from the active interface can
>>> be received back from the passive interface. FreeBSD CARP just would
>>> go mad when it receives its own packets.
>>>
>>> I believe if you get Linux implementation, it will work well in the
>>> same network setup. I use keepalived in oVirt VMs with bonded
>>> network, and have no issues.
>>>
>>> -----Original Message-----
>>> From: "Matt ." <yamakasi.014@gmail.com>
>>> Date: Wednesday 13 July 2016 at 15:54
>>> To: Pavel Gashev <Pax@acronis.com>, users <users@ovirt.org>
>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>
>>> How can it lead into packet duplication when the passive should not be
>>> active and only its mac-address should be visible on the switch to
>>> prevent confusion on the switch ?
>>>
>>> For a VRRP setup on the switch there is no other option than mode=1 as
>>> far as I know ?
>>>
>>> 2016-07-13 14:50 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>> I would say that bonding breaks CARP somehow. In example mode=1 can
>>>> lead to packet duplication, so pfsense can receive its own packets.
>>>> Try firewall in pfsense all incoming packets that have the same
>>>> source MAC address as pfsense.
>>>>
>>>> -----Original Message-----
>>>> From: "Matt ." <yamakasi.014@gmail.com>
>>>> Date: Wednesday 13 July 2016 at 15:29
>>>> To: Pavel Gashev <Pax@acronis.com>
>>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>>
>>>> Hi Pavel,
>>>>
>>>> No it's Pfsense, so FreeBSD.
>>>>
>>>> Is there something different there ?
>>>>
>>>> 2016-07-13 13:59 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>>> Matt,
>>>>>
>>>>> How is CARP implemented? Is it OpenBSD?
>>>>>
>>>>> -----Original Message-----
>>>>> From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
>>>>> Date: Wednesday 13 July 2016 at 12:42
>>>>> Cc: users <users@ovirt.org>
>>>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>>>
>>>>> Hi Pavel,
>>>>>
>>>>> This is done and used without the Bond before.
>>>>>
>>>>> Now I applied a bond it goes wrong and I'm searching but can't find a
>>>>> thing about it.
>>>>>
>>>>> 2016-07-13 11:03 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>>>> Matt,
>>>>>>
>>>>>> In order to use CARP/VRRP in a VM you have to disable MAC spoofing prevention.
>>>>>> http://lists.ovirt.org/pipermail/users/2015-May/032839.html
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
>>>>>> Date: Tuesday 12 July 2016 at 21:58
>>>>>> To: users <users@ovirt.org>
>>>>>> Subject: [ovirt-users] CARP Fails on Bond mode=1
>>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I have been testing bonding with a vm connected to the network on this
>>>>>> bond mode=1 (vlans on top of it) where the vm uses a carp IP for
>>>>>> failover.
>>>>>>
>>>>>> It seems that when the VM which holds the Carp IP and so is Master you
>>>>>> can ping both IP's, so interface IP and Carp IP, but you cannot
>>>>>> throw/route any traffic over it.
>>>>>>
>>>>>> You can route traffic over the interface IP of the Carp Slave.
>>>>>>
>>>>>> Is this known or just not possible ?
>>>>>>
>>>>>> I hope it's a "bug" :)
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
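[Added example, not part of the thread and not pfSense or oVirt code.] The echo condition Pavel describes for mode=1 can be checked on a capture of frames received by the firewall VM: the sketch below counts, per VLAN, frames that carry the VM's own NIC MAC or a CARP advertisement with the VM's own source IP. It assumes advertisements use IP protocol 112 to 224.0.0.18, are sent from the shared virtual MAC 00:00:5e:00:01:<VHID> by every node, and carry the sender's interface IP; all addresses and frames are constructed.

```python
import struct
from collections import Counter
from typing import NamedTuple, Optional

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
IPPROTO_CARP = 112           # CARP and VRRP both use IP protocol 112
ADVERT_GROUP = "224.0.0.18"  # multicast group the advertisements are sent to


class Frame(NamedTuple):
    src_mac: str
    vlan: Optional[int]      # None for an untagged frame
    src_ip: Optional[str]    # None when the payload is not IPv4
    is_advert: bool


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def parse_frame(raw):
    """Decode the Ethernet, optional 802.1Q and IPv4 headers of one frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IPV4 or len(raw) < offset + 20:
        return Frame(src_mac, vlan, None, False)
    ip = raw[offset:offset + 20]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    is_advert = ip[9] == IPPROTO_CARP and dst_ip == ADVERT_GROUP
    return Frame(src_mac, vlan, src_ip, is_advert)


def classify(frame, nic_mac, own_ips):
    """Return 'echo' for our own traffic coming back in, 'peer' or 'other'."""
    if frame.src_mac == nic_mac.lower():
        return "echo"        # only this VM sends from its NIC MAC
    if frame.is_advert:
        # The virtual MAC is shared by all nodes (assumption), so the source
        # IP is what separates our reflected advertisement from a peer's.
        return "echo" if frame.src_ip in own_ips else "peer"
    return "other"


def echoes_by_vlan(received, nic_mac, own_ips):
    """Count echoed frames per VLAN id (None = untagged)."""
    counts = Counter()
    for raw in received:
        frame = parse_frame(raw)
        if classify(frame, nic_mac, own_ips) == "echo":
            counts[frame.vlan] += 1
    return dict(counts)


def build_frame(src_mac, src_ip, vlan=None, proto=IPPROTO_CARP,
                dst_ip=ADVERT_GROUP, dst_mac="01:00:5e:00:00:12"):
    """Build a constructed test frame (headers only, checksums left at 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    eth += struct.pack("!H", ETH_P_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 255, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip


# Constructed values: the VM's NIC MAC, its per-VLAN interface IPs, VHID 1.
NIC_MAC = "52:54:00:aa:bb:01"
OWN_IPS = {"192.0.2.2", "198.51.100.2"}
VMAC = "00:00:5e:00:01:01"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture of frames *received* by the VM.
SAMPLE_RX = [
    build_frame(VMAC, "192.0.2.2", vlan=10),     # own advert reflected
    build_frame(VMAC, "192.0.2.3", vlan=10),     # peer advert, same VMAC
    build_frame(VMAC, "198.51.100.2", vlan=20),  # own advert reflected
    build_frame(NIC_MAC, "198.51.100.2", vlan=20, proto=17,
                dst_ip="198.51.100.255", dst_mac=BCAST),  # own broadcast
    build_frame("52:54:00:aa:bb:02", "192.0.2.50", vlan=10, proto=17,
                dst_ip="192.0.2.255", dst_mac=BCAST),     # unrelated host
]

if __name__ == "__main__":
    print(echoes_by_vlan(SAMPLE_RX, NIC_MAC, OWN_IPS))
```

A filter that matches on the virtual MAC alone would also discard the peer's advertisements, which is why the advertisement check keys on the source IP.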

Hi,

I tried sending this last week, but somehow the list blackholes my
messages....

You could try to add "net.inet.carp.drop_echoed=1" to pfsense in
/etc/sysctl.conf ?

It is an old fix for VMWare and FreeBSD. I am not able to test it at the
moment but I can see it's not in the config of the latest version of
PFSense.

Or maybe better:

https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

    Client Port Issues

    If a physical CARP cluster is connected to a switch with an ESX box
    using multiple ports on the ESX box (lagg group or similar), and
    only certain devices/IPs are reachable by the target VM, then the
    port group settings in ESX may need adjusted to set the load
    balancing for the group to hash based on IP, not the originating
    interface.

    Side effects of having that set incorrectly include:

      * Traffic only reaching the target VM in promisc mode on its NIC
      * Inability to reach the CARP IP from the target VM when the
        "real" IP of the primary firewall is reachable
      * Port forwards or other inbound connections to the target VM work
        from some IPs and not others.

So you could try with bonding option "xmit_hash_policy=layer2+3" and see
if that helps...

Kind regards,

Jorick Astrego

On 07/13/2016 03:59 PM, Matt . wrote:
> As addition: I get the same result using mode=4, only when I use
> multiple VLANS on the interface.
>
> 2016-07-13 15:58 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
>> Hi Pavel,
>>
>> Thanks for your update. I also saw that the post are both online but I
>> thought the second nic only advertises the mac so the switch does not
>> get confused.
>>
>> The issue might be that I do VRRP, so the bond is connected to two
>> switches, they are not stacked, only trunked as that's what VRRP
>> requires and works well on the side where there is only one VLAN on
>> the Host interface.
>>
>> It just goes wrong on multiple vlans.
>>
>> This is what I see everywhere.
>>
>> Mode 1 (active-backup)
>> This mode places one of the interfaces into a backup state and will
>> only make it active if the link is lost by the active interface. Only
>> one slave in the bond is active at an instance of time. A different
>> slave becomes active only when the active slave fails. This mode
>> provides fault tolerance.
>>
>> It's sure I need to get my traffic back on my sending port, so that is
>> why the arp for the passive port was there I thought.
>>
>> Are there other modes that should be working on VRRP in your understanding ?
>>
>> Thanks a lot,
>>
>> Matt
>>
>> 2016-07-13 15:43 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>> In mode=1 the active interface sends traffic, but both interfaces
>>> accept incoming traffic. Hardware switches send
>>> broadcast/multicast/unknown destination MACs to all ports, including
>>> the passive interface. So a packet sent from the active interface can
>>> be received back from the passive interface. FreeBSD CARP just would
>>> go mad when it receives its own packets.
>>>
>>> I believe if you get Linux implementation, it will work well in the
>>> same network setup. I use keepalived in oVirt VMs with bonded
>>> network, and have no issues.
>>>
>>> -----Original Message-----
>>> From: "Matt ." <yamakasi.014@gmail.com>
>>> Date: Wednesday 13 July 2016 at 15:54
>>> To: Pavel Gashev <Pax@acronis.com>, users <users@ovirt.org>
>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>
>>> How can it lead into packet duplication when the passive should not be
>>> active and only its mac-address should be visible on the switch to
>>> prevent confusion on the switch ?
>>>
>>> For a VRRP setup on the switch there is no other option than mode=1 as
>>> far as I know ?
>>>
>>> 2016-07-13 14:50 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>> I would say that bonding breaks CARP somehow. For example mode=1 can
>>>> lead to packet duplication, so pfsense can receive its own packets.
>>>> Try firewall in pfsense all incoming packets that have the same
>>>> source MAC address as pfsense.
>>>>
>>>> -----Original Message-----
>>>> From: "Matt ." <yamakasi.014@gmail.com>
>>>> Date: Wednesday 13 July 2016 at 15:29
>>>> To: Pavel Gashev <Pax@acronis.com>
>>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>>
>>>> Hi Pavel,
>>>>
>>>> No it's Pfsense, so FreeBSD.
>>>>
>>>> Is there something different there ?
>>>>
>>>> 2016-07-13 13:59 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>>> Matt,
>>>>>
>>>>> How is CARP implemented? Is it OpenBSD?
>>>>>
>>>>> -----Original Message-----
>>>>> From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
>>>>> Date: Wednesday 13 July 2016 at 12:42
>>>>> Cc: users <users@ovirt.org>
>>>>> Subject: Re: [ovirt-users] CARP Fails on Bond mode=1
>>>>>
>>>>> Hi Pavel,
>>>>>
>>>>> This is done and used without the Bond before.
>>>>>
>>>>> Now I applied a bond it goes wrong and I'm searching but can't find a
>>>>> thing about it.
>>>>>
>>>>> 2016-07-13 11:03 GMT+02:00 Pavel Gashev <Pax@acronis.com>:
>>>>>> Matt,
>>>>>>
>>>>>> In order to use CARP/VRRP in a VM you have to disable MAC spoofing prevention.
>>>>>> http://lists.ovirt.org/pipermail/users/2015-May/032839.html
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: <users-bounces@ovirt.org> on behalf of "Matt ." <yamakasi.014@gmail.com>
>>>>>> Date: Tuesday 12 July 2016 at 21:58
>>>>>> To: users <users@ovirt.org>
>>>>>> Subject: [ovirt-users] CARP Fails on Bond mode=1
>>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I have been testing bonding with a vm connected to the network on this
>>>>>> bond mode=1 (vlans on top of it) where the vm uses a carp IP for
>>>>>> failover.
>>>>>>
>>>>>> It seems that when the VM which holds the Carp IP and so is Master you
>>>>>> can ping both IP's, so interface IP and Carp IP, but you cannot
>>>>>> throw/route any traffic over it.
>>>>>>
>>>>>> You can route traffic over the interface IP of the Carp Slave.
>>>>>>
>>>>>> Is this known or just not possible ?
>>>>>>
>>>>>> I hope it's a "bug" :)
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270    info@netbulae.eu    Staalsteden 4-3A    KvK 08198180
Fax: 053 20 30 271    www.netbulae.eu     7547 TA Enschede    BTW NL821234584B01
----------------
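Added example, not part of the original thread and not the code behind net.inet.carp.drop_echoed: a small detector for the condition Pavel describes, where a CARP advertisement sent on the active slave is flooded by the switch and received back on the passive slave. The function names, interface names, VHIDs, addresses and frames are assumptions constructed for illustration.

```python
import struct

CARP_PROTO = 112  # IP protocol number used by CARP (shared with VRRP)

def parse_carp(frame):
    """Return (vlan, vhid, counter) for an IPv4 CARP advertisement, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag (VLANs on the bond)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    carp = frame[offset + ihl:]
    if frame[offset + 9] != CARP_PROTO or len(carp) < 16:
        return None
    # CARP header: ver/type, vhid, advskew, authlen, pad, advbase, cksum(2), counter(8)
    return vlan, carp[1], carp[8:16]

def find_echoes(events):
    """events: (direction, interface, raw_frame) tuples in capture order.
    An inbound advertisement whose (vlan, vhid, counter) this host already sent
    is its own frame coming back, not a second master with the same VHID."""
    sent, echoes = set(), []
    for direction, iface, raw in events:
        key = parse_carp(raw)
        if key is None:
            continue
        if direction == "tx":
            sent.add(key)
        elif key in sent:
            echoes.append((iface, key[0], key[1]))
    return echoes

def build_adv(vhid, counter, vlan=None):
    """Constructed test frame: Ethernet + optional 802.1Q + IPv4 + CARP header."""
    eth = bytes.fromhex("01005e000012") + bytes.fromhex("00005e0001") + bytes([vhid])
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 56, 0, 0, 255, CARP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([224, 0, 0, 18]))
    carp = struct.pack("!BBBBBBH8s20s", 0x21, vhid, 0, 7, 0, 1, 0, counter, bytes(20))
    return eth + tag + struct.pack("!H", 0x0800) + ip + carp

# Constructed sample: the master sends on the active slave (eth0), the switch
# floods the multicast frame, and the same frame arrives on the passive slave.
ADV = build_adv(vhid=5, counter=b"\x00" * 7 + b"\x01", vlan=10)
PEER = build_adv(vhid=9, counter=b"\x00" * 7 + b"\x2a", vlan=10)
SAMPLE = [("tx", "eth0", ADV), ("rx", "eth1", ADV), ("rx", "eth0", PEER)]

if __name__ == "__main__":
    print(find_echoes(SAMPLE))
```
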