On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> Hello,
> I am seeing what I deem to be unexpected behavior with ospfd and depending
> on carp interfaces.
> Running 6.8 with latest patches applied on all three routers.
>
> # uname -a
> OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
>
> My setup is as following;
> Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
> interfaces.
> Single openbsd box (R1) that in this instance acts as a client trying to
> reach servers that are reachable via the FWs.
> VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
> behind the FW pair.
> VLan21 is the link network between all the three boxes. The FWs share a
> carp21 interface.
>
> My FW ospfd.conf (same on all three boxes apart from the "depend on" which
> is absent from R1):
> router-id <redacted>
>
> area 0.0.0.0 {
>     interface lo1
>     interface vlan20 {
>         depend on carp20
>     }
>     interface vlan21 {
>         depend on carp21
>     }
> }

I would change the config to just use

area 0.0.0.0 {
    interface lo1
    interface carp20
    interface vlan21
}

This way the network on vlan20/carp20 will be announced depending on the
carp state with the backup system announcing the same route with a high
metric. There is no need to use "depend on" for such a simple case.
For vlan21 I would not do that since there you want reachability in any
case especially if you announce BGP networks on the firewalls with the
carp21 address (instead of the default vlan21 one).

> Carp20:
> root@FW1:~ # ifconfig carp20 | grep inet
>         inet 172.30.9.21 netmask 0xfffffff0 broadcast 172.30.9.31
>
> Now to the strange part. I see that the selected route in R1 points to FW1
> even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
> from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
> root@FW1:~ # ifconfig vlan21 | grep inet
>         inet 172.30.9.34 netmask 0xfffffff0 broadcast 172.30.9.47
> root@FW1:~ # ifconfig carp20 | grep carp:
>         carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
> root@FW1:~ # ifconfig carp21 | grep carp:
>         carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10
>
> root@FW2:~ # ifconfig vlan21 | grep inet
>         inet 172.30.9.35 netmask 0xfffffff0 broadcast 172.30.9.47
> root@FW2:~ # ifconfig carp20 | grep carp:
>         carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
> root@FW2:~ # ifconfig carp21 | grep carp:
>         carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100
>
> root@R1:~ # ospfctl sh
> neighID         Pri State        DeadTime Address         Iface     Uptime
> 172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21    00:21:33
> 172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21    00:22:14
>
> root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
> *O       32 172.30.9.16/28       172.30.9.34
> *O       32 172.30.9.16/28       172.30.9.35
>
> root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
> 172.30.9.16/28       172.30.9.34     Intra-Area   Network   20      00:30:33
> 172.30.9.16/28       172.30.9.35     Intra-Area   Network   20      00:29:56
>
> root@R1:~ # route -n get 172.30.9.21
>    route to: 172.30.9.21
> destination: 172.30.9.16
>        mask: 255.255.255.240
>     gateway: 172.30.9.34
>   interface: vlan21
>  if address: 172.30.9.37
>    priority: 32 (ospf)
>       flags: <UP,GATEWAY,DONE,MPATH>
>      use       mtu    expire
>       11         0         0
>
> As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
> wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
> in the end want to achieve is that the router with carp20/21 MASTER should
> be the preferred carp20 nexthop. An assumption can be made that carp20/21
> will always have the same FW as master in my case.

--
:wq Claudio