anyone using CARP / OpenBSD on their VPS' ? i know someone has to...
got a customer saying they can ping the CARP interface from their VMs, but they can't ping the CARP interface from the outside (perhaps the CARP interface shouldn't even be pingable from the outside?)
interesting concept (reading up on CARP)
up_the_irons: isn't CARP using local (RFC1918) addresses? (afaict from http://www.openbsd.org/faq/pf/carp.html)
nfi
heh
I've used CARP before, but not on a VPS. It doesn't have anything to do with RFC1918 addresses
oic
that page isn't making much sense to me atm
heh
It's the same in concept as VRRP or HSRP. You have a 'floating' IP address which can move between machines on a L2 segment if one goes down
so IP failover?
The first paragraph on that page begins "CARP is the Common Address Redundancy Protocol. Its primary purpose is to allow multiple hosts on the same network segment to share an IP address." :)
plett: you explained it much better :)
up_the_irons: it may be due to mac addresses changing?
mercutio: i would imagine so, but when the CARP IP gets assigned a new MAC, I would imagine some sort of gratuitous ARP would be sent so switches update their caches. Otherwise, it would be kinda pointless.
lots of routers can hold onto arp for ages
hence i'm not really a fan of crap on external facing interfaces
carp
i did mean carp
nice freudian slip :P
weird i just had a long pause to my vm and now it seems fine
like it went to sleep
oh it seems it emulates other mac addresses
it may only be when load balancing
it could be firewall-related... I had a similar problem on a pfsense box the other day, as I'd moved a service from a static to a CARP IP but then forgot to add firewall rules allowing traffic to the CARP address
oh well i have no idea
and i've only got one ipv4 address so don't really ...
hmm, i wonder if carp works with ipv6
it does say it supports ipv6
i so need a fan
i'm melting
http://www.bigassfans.com/
ha
i know a maintenance man at a local hotel. he told me about installing a Big Ass Fan[TM]
carp works with ipv6 somewhat, I've done it, but have ended up having to ping6 the carp ip from the client before it works at times, supposedly code went in to fix it, I never set up a proper test env to confirm this or not
ahh i've only got a /64 to my vps atm i think, and it seems carp doesn't like using an overlapping address
or i'm doing something wrong
the "local" interface needs only a private address, something it can talk to the other host using. Then the public address gets floated between them
At least, that's from my experimentation with pfSense. And in that scenario, a dedicated, separate interface was recommended so it would have a completely separate (non-public) IP anyways.
The idea of using CARP between VPS', particularly if they're on separate hosts, is intriguing.
yeah it is slightly
even if it's just for things like authoritative dns that timeout and can go to diff server but are much faster if server is up
and you don't have to worry about state etc
That reminds me... one of these days I need to read up on anycast
anycast is pretty simple
basically you advertise the same address in multiple locations via BGP
that said, it gets more complicated with traffic management etc
like BGP as-path isn't always accurate for closest destination
whoa, really? you can advertise the same address in multiple places? that's wild...
yeh
but you need to advertise at least a /24
well if it's to the internet
ha
obviously :p
if it's just your local network you can easily add /32 in different locations
(obviously if you're familiar with BGP)
yeah i had no idea how familiar you were
there's like 25,000 BGP users in the world isn't there?
oh maybe more
Yeah, I'm vaguely familiar with
I thought I heard there were 39k or so
ok 25k was a random stab in the dark
anyway there are like more than a billion users
so a lot of people aren't using bgp
Well since you've explained it, it seems very simple after all
err i mean don't necessarily need to understand bgp
yeah
umm generally speaking you have a /24 for external facing
then you have another subnet for internal facing
ie, you need to be able to reach the gear regardless
but pretty much if you have more than two locations having a /32 advertised gets helpful real quickly
for dns
just like lots of people know 8.8.8.8
it's much easier to remember one number for all locations than heaps of different ip numbers
i reckon there should be a standard anycast recursive dns myself
that any provider can implement
but yeah, the problem with anycast for wider internet facing stuff, is there's lots of community stuff that needs to be done to improve routing
and providers can be hit and miss with how they let you influence routing
i kind of wish there was better control for that stuff
standardised
most providers allow you to set communities on your advertisements to control that type of stuff
yeah, but it's not standardised
*nod*