On Fri, Aug 30, 2013 at 10:08:56AM +0100, Andy wrote:
> Hi guys,
> 
> Adding the inet6 as an alias didn't work for me.
> When the first line is an 'inet' entry, adding an inet6 alias
> results in errors when running /etc/netstart :(

I never had a need to use 'alias' for IPv6 addresses, even
when adding multiple addresses to an interface with ifconfig.

> And trying;
> inet 194.199.X.28 255.255.255.240 NONE
> inet6 2001:660:abcd:1234::1:1 64
> description "CARP server"
> carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx
> 
> Resulted in multi-master (no flip-flopping but permanently
> multi-master) even if I removed the carpdev and carppeer attributes
> :(

I believe the carpdev needs an address in the same prefix as the carp
interface for things to work, because carp uses that information
to locate the carpdev for sending IPv6 multicast. Does the vlan603
interface have an IPv6 address in prefix 2001:660:abcd:1234::/64?

The config I use looks somewhat like this, and works fine for
both IPv4 and IPv6. Note that the carp peers' em interfaces
are plugged into a common switch and are not filtered by pf.

# cat hostname.em0
inet 10.2.84.33 255.255.255.0 NONE
inet6 2001:660:abcd:11::1 64
# cat /etc/hostname.carp0
inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10
inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10

And on the slave:
# cat hostname.em0
inet 10.2.84.43 255.255.255.0 NONE
inet6 2001:660:abcd:11::11 64
# cat /etc/hostname.carp0
inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10 advskew 200
inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10 advskew 200

Carp multicast traffic is broadcast across the entire LAN.
But it is authenticated so it cannot be spoofed (the password can
be up to 32 chars in length). I see no way around that unless someone
adds 'carppeer' support for IPv6. The carppeer option only works for
IPv4 right now, probably due to lack of time and personal itch.
ip_carp.c:carp_send_ad() would be the place to start hacking.

> I have tested both of these with PF disabled just in case a rule was
> messing things up.
> With pf enabled, does this rule satisfy CARP and is it sensible?;
> pass in quick proto carp from { fe80::/8 } to { ff00::/8 } keep
> state (no-sync)

Carp sends from fe80::/8 to ff02::/8.

If you can link your firewalls via a trusted network you could
probably just 'skip' the carpdev in pf.conf.

> The only way I have managed to get this to work with 5.3 is separate
> carp devices, if I have to run two of course I will, but I would
> really like to get it working under one for clarity.

Not sure why that worked. Hard to tell without knowing how
your other interfaces are configured.
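Added example (not from the thread or from OpenBSD): a small Python checker for the two points the reply makes, that each carp address needs a carpdev address in the same prefix for its family, and that the peers must agree on vhid and pass while differing in advskew. The sample hostname.if contents are the master/slave files quoted above, embedded as constructed data; the ifconfig option names used are the ones that appear in those files.

```python
import ipaddress

# Constructed sample (the master and slave from the thread above), keyed by
# interface; each value is the list of address lines from that hostname.if file.
MASTER = {
    "em0": ["inet 10.2.84.33 255.255.255.0 NONE", "inet6 2001:660:abcd:11::1 64"],
    "carp0": ["inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10",
              "inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10"],
}
SLAVE = {
    "em0": ["inet 10.2.84.43 255.255.255.0 NONE", "inet6 2001:660:abcd:11::11 64"],
    "carp0": ["inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10 advskew 200",
              "inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10 advskew 200"],
}

def parse_line(line):
    """Split a hostname.if(5) address line into (family, network, {option: value})."""
    tok = line.split()
    if tok[0] not in ("inet", "inet6"):
        return None                      # ignore description/!commands etc.
    net = ipaddress.ip_interface(f"{tok[1]}/{tok[2]}").network
    rest = tok[4:] if tok[0] == "inet" else tok[3:]   # inet carries the NONE broadcast field
    return tok[0], net, dict(zip(rest[0::2], rest[1::2]))

def check_host(cfg, carp_if="carp0", carpdev="em0"):
    """Flag carp addresses whose family has no carpdev address in the same prefix."""
    dev = [p for p in map(parse_line, cfg[carpdev]) if p]
    findings = []
    for fam, net, _ in filter(None, map(parse_line, cfg[carp_if])):
        if not any(f == fam and n == net for f, n, _ in dev):
            findings.append(f"{carp_if} {fam} {net} has no matching {carpdev} address")
    return findings

def check_pair(master, slave, carp_if="carp0"):
    """Peers must agree on vhid and pass per family and differ in advskew."""
    findings = []
    m = {p[0]: p[2] for p in map(parse_line, master[carp_if]) if p}
    s = {p[0]: p[2] for p in map(parse_line, slave[carp_if]) if p}
    for fam in sorted(m.keys() & s.keys()):
        for key in ("vhid", "pass"):
            if m[fam].get(key) != s[fam].get(key):
                findings.append(f"{fam}: {key} differs between peers")
        if m[fam].get("advskew", "0") == s[fam].get("advskew", "0"):
            findings.append(f"{fam}: both peers use the same advskew, no preferred master")
    return findings
```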
