Hello,

The fix recommended by Remi works great. Can we have this into an official
patch?

Why I am not using it as Claudio recommends is that vlan20 in my case also
is a transit vlan like vlan21 so it cannot be a passive interface. From the
docs I understand that having carp listed as an interface will force it
into passive mode. I should have mentioned this in my original email, sorry
about that.

All in all, current snapshot seems to do what documentation says in terms
of "depend on". The stable 6.8 does not so a patch is warranted I think.

On Tue, Dec 22, 2020 at 3:50 PM Claudio Jeker <cje...@diehard.n-r-g.com>
wrote:

> On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> > Hello,
> > I am seeing what I deem to be unexpected behavior with ospfd and depending
> > on carp interfaces.
> > Running 6.8 with latest patches applied on all three routers.
> >
> > # uname -a
> > OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
> >
> > My setup is as follows:
> > Two openbsd boxes (FW1 and FW2) acting as a firewall pair sharing carp
> > interfaces.
> > Single openbsd box (R1) that in this instance acts as a client trying to
> > reach servers that are reachable via the FWs.
> > VLan20 (actually carp20) is my nexthop (BGP wise) to reach any networks
> > behind the FW pair.
> > VLan21 is the link network between all the three boxes. The FWs share a
> > carp21 interface.
> >
> > My FW ospfd.conf (same on all three boxes apart from the "depend on" which
> > is absent from R1):
> > router-id <redacted>
> >
> > area 0.0.0.0 {
> >     interface lo1
> >     interface vlan20 {
> >         depend on carp20
> >     }
> >     interface vlan21 {
> >         depend on carp21
> >     }
> > }
>
> I would change the config to just use
>
> area 0.0.0.0 {
>         interface lo1
>         interface carp20
>         interface vlan21
> }
>
> This way the network on vlan20/carp20 will be announced depending on the
> carp state with the backup system announcing the same route with a high
> metric. There is no need to use "depend on" for such a simple case.
>
> For vlan21 I would not do that since there you want reachability in any
> case especially if you announce BGP networks on the firewalls with the
> carp21 address (instead of the default vlan21 one).
>
> > Carp20:
> > root@FW1:~ # ifconfig carp20 | grep inet
> > inet 172.30.9.21 netmask 0xfffffff0 broadcast 172.30.9.31
> >
> > Now to the strange part. I see that the selected route in R1 points to FW1
> > even though carp20/21 on FW1 is in state BACKUP. No matter what I do, apart
> > from setting static metrics, ospfd on R1 always selects FW1 as nexthop.
> > root@FW1:~ # ifconfig vlan21 | grep inet
> > inet 172.30.9.34 netmask 0xfffffff0 broadcast 172.30.9.47
> > root@FW1:~ # ifconfig carp20 | grep carp:
> > carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
> > root@FW1:~ # ifconfig carp21 | grep carp:
> > carp: BACKUP carpdev vlan21 vhid 1 advbase 1 advskew 10
> >
> > root@FW2:~ # ifconfig vlan21 | grep inet
> > inet 172.30.9.35 netmask 0xfffffff0 broadcast 172.30.9.47
> > root@FW2:~ # ifconfig carp20 | grep carp:
> > carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
> > root@FW2:~ # ifconfig carp21 | grep carp:
> > carp: MASTER carpdev vlan21 vhid 1 advbase 1 advskew 100
> >
> > root@R1:~ # ospfctl sh
> > neighID              Pri State        DeadTime Address         Iface     Uptime
> > 172.30.9.4      1   FULL/OTHER   00:00:38 172.30.9.35     vlan21    00:21:33
> > 172.30.9.3      1   FULL/BCKUP   00:00:38 172.30.9.34     vlan21    00:22:14
> >
> > root@R1:~ # ospfctl sh fib | grep 172.30.9.16/2
> > *O       32 172.30.9.16/28       172.30.9.34
> > *O       32 172.30.9.16/28       172.30.9.35
> >
> > root@R1:~ # ospfctl sh rib | grep 172.30.9.16/2
> > 172.30.9.16/28       172.30.9.34       Intra-Area   Network   20   00:30:33
> > 172.30.9.16/28       172.30.9.35       Intra-Area   Network   20   00:29:56
> >
> > root@R1:~ # route -n get 172.30.9.21
> >    route to: 172.30.9.21
> > destination: 172.30.9.16
> >        mask: 255.255.255.240
> >     gateway: 172.30.9.34
> >   interface: vlan21
> >  if address: 172.30.9.37
> >    priority: 32 (ospf)
> >       flags: <UP,GATEWAY,DONE,MPATH>
> >      use       mtu    expire
> >       11         0         0
> >
> > As seen above R1 selects 172.30.9.34 as the nexthop based on ospf which is
> > wrong. It should be 172.30.9.35 as FW2 is carp master for carp20/21. What I
> > in the end want to achieve is that the router with carp20/21 MASTER should
> > be the preferred carp20 nexthop. An assumption can be made that carp20/21
> > will always have the same FW as master in my case.
>
> --
> :wq Claudio
>
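
An added example, not part of the original thread or of ospfd: a small sh check of the condition the report describes, that the gateway R1 selects for the carp20 network is the vlan21 address of the firewall whose carp interface is MASTER. The sample input is arranged from the outputs quoted above; the function names and the one-line-per-host input layout are assumptions of this example.

```shell
#!/bin/sh
# Sample input arranged from the thread's quoted outputs (constructed layout):
# "<host> <vlan21 address> <output of: ifconfig carp20 | grep carp:>"
carp_states() {
cat <<'EOF'
FW1 172.30.9.34 carp: BACKUP carpdev vlan20 vhid 1 advbase 1 advskew 10
FW2 172.30.9.35 carp: MASTER carpdev vlan20 vhid 1 advbase 1 advskew 100
EOF
}

# Excerpt of `route -n get 172.30.9.21` as seen on R1 in the thread.
route_get() {
cat <<'EOF'
   route to: 172.30.9.21
destination: 172.30.9.16
       mask: 255.255.255.240
    gateway: 172.30.9.34
  interface: vlan21
EOF
}

# Read `route -n get` output on stdin, print the selected gateway.
selected_gateway() {
    awk '$1 == "gateway:" { print $2; exit }'
}

# Read the per-host carp lines on stdin, print the MASTER's link address.
master_address() {
    awk '$3 == "carp:" && $4 == "MASTER" { print $2; exit }'
}

# check_nexthop <gateway> <master address>
# Prints OK / MISMATCH / UNKNOWN and returns 0 / 1 / 2.
check_nexthop() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "UNKNOWN"; return 2
    fi
    if [ "$1" = "$2" ]; then
        echo "OK"; return 0
    fi
    echo "MISMATCH: route uses $1, carp MASTER is $2"; return 1
}

# Run against the sample data; `|| :` keeps the script usable under set -e.
check_nexthop "$(route_get | selected_gateway)" "$(carp_states | master_address)" || :
```

On a live system, replace the two sample functions with the real `route -n get` output from the client router and the collected `ifconfig carp20 | grep carp:` lines from each firewall.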
