Hey Ari,
I use CARP a lot at our colo and recently migrated many of the machines to FreeBSD 10 as well. I've had the same question as you about VHID best practices as the docs don't really expound on this. I'd love to hear some perspective from the authors of CARP as well.
In any case, we run a pair of FreeBSD 10/pf gateways at our colo with binat setup between several dozen internal private networks (VLANs) and the outside WAN (pool of ~64 public IPs). Traffic between private networks doesn't use any form of NAT, but does get routed through the same gateways and is subject to the same filtering policies. In this setup, we share one VHID across all of the public IPs on the WAN interface, and we share a second VHID across all of the private gateway IPs on the LAN interface. Everything *appears* to work just fine, and we've heavily tested failover, etc. Whether right or wrong, it is working for us.
Daniel
On Jul 17, 2014, at 12:40 AM, Aristedes Maniatis <ari@ish.com.au> wrote:
> Thanks for this. However unlike Linux where it is a system property, it looks like this option needs to be invoked inside each userland application. So without changing code for each app I care about, it looks like I'm creating lots of /32 CARP addresses.
>
> Can someone shed more light on what vhid represents? What happens when two addresses share the same vhid on the same (or different) interfaces? Why do the examples in the FreeBSD handbook always show different vhids?
>
> Ari
>
>
> On 11/07/2014 3:26am, Adrian Chadd wrote:
>> yeah, you can search for IP_BINDANY. It's a socket option.
>>
>>
>> -a
>>
>>
>> On 10 July 2014 06:52, Aristedes Maniatis <ari@ish.com.au> wrote:
>>> With the changes in CARP as part of FreeBSD 10 I have some questions about the best way to do some things.
>>>
>>>
>>> 1. On a load balancer (haproxy) we might have the machine handling 100 or 5000 IP addresses. It would be simplest to just define a /24 (or more) range on the external interface (or in CARP) but then I cannot bind to each address.
>>>
>>> Linux has something like net.ipv4.ip_nonlocal_bind. There appears to be nothing similar for FreeBSD. Do I need to define a /32 and alias each address?
>>>
>>> a. is there a cleaner way?
>>> b. will that cause performance issues if I create many hundreds of /32 aliases on the interface?
>>>
>>>
>>>
>>> 2. If I need to define a large number of aliases in CARP I'll quickly run out of vhids which I understand to go up to 256. What is the real meaning of vhid in a CARP definition? Can they be shared by different IP addresses on the load balancer pair? That is, can they all be labelled "vhid=1" or is CARP limited to 256 IP addresses, each of which has to be a /32 (see above).
>>>
>>> All the examples in the FreeBSD manual use a different vhid for each IP address but doesn't explain why.
>>>
>>> a. If two addresses (aliases) share the same vhid, will that mean they fail over together always? (That might be a good thing for me).
>>> b. Will it reduce "are you alive?" network traffic between the CARP cluster to have one vhid?
>>> c. Will bad things happen if I share vhids?
>>>
>>>
>>> Thanks
>>> Ari
>>>
>>>
>>> --
>>> -------------------------->
>>> Aristedes Maniatis
>>> ish
>>> http://www.ish.com.au
>>> Level 1, 30 Wilson Street Newtown 2042 Australia
>>> phone +61 2 9550 5001 fax +61 2 9550 4001
>>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
>>> _______________________________________________
>>> freebsd-stable@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Daniel Duerr • President
GIZMO Creative, Inc.
PO Box 2137, Carmel Valley, California
t: +1 (831) 531-2270 x103 • e: dd@gizmocreative.com
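
The layout described in the message above (one VHID shared by every public address on the WAN interface, a second shared by the LAN gateway addresses) can be generated as FreeBSD 10 rc.conf alias lines. This sh sketch is an added example, not part of the thread and not FreeBSD project code; the interface names, VHID numbers, documentation-range addresses and the CARP_PASS placeholder are assumptions.

```sh
#!/bin/sh
# Added example: emit FreeBSD 10 rc.conf lines that attach a pool of
# addresses to ONE shared VHID per interface.
# Constructed values: em0/em1, VHIDs 1 and 2, RFC 5737 / RFC 1918 sample
# addresses, and the CHANGE_ME password placeholder.

# carp_aliases IFACE VHID ADVSKEW FIRST_ALIAS_INDEX ADDR/PREFIX...
carp_aliases() {
    iface=$1 vhid=$2 advskew=$3 idx=$4
    shift 4
    for addr in "$@"; do
        # Same vhid and pass on every line: the addresses form one CARP
        # group. Aliases are numbered consecutively per interface.
        printf 'ifconfig_%s_alias%d="inet vhid %d advskew %d pass %s alias %s"\n' \
            "$iface" "$idx" "$vhid" "$advskew" "${CARP_PASS:-CHANGE_ME}" "$addr"
        idx=$((idx + 1))
    done
}

# gateway_conf ROLE: fragment for "master" (advskew 0) or "backup" (advskew 100)
gateway_conf() {
    case $1 in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "usage: gateway_conf master|backup" >&2; return 1 ;;
    esac
    # WAN pool shares VHID 1; LAN gateway addresses share VHID 2.
    carp_aliases em0 1 "$skew" 0 203.0.113.10/32 203.0.113.11/32 203.0.113.12/32
    carp_aliases em1 2 "$skew" 0 10.0.10.1/32 10.0.20.1/32
}

# Print the fragment for the role given on the command line (default: master).
gateway_conf "${1:-master}"
```

Both gateways need the same address list and the same pass value for each VHID; only advskew differs between them.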