topic Re: multihome VIP clusterXL in Firewall and Security Management

multihome VIP clusterXL

Daniel_Kavan — Tue, 05 Apr 2022 19:13:20 GMT

Hi,

Has anyone tried to multihome a VIP in clusterXL? It would be temporary. We're moving a DMZ network from one firewall to another, otherwise have to change default routes & reboot 20 linux servers.

Re: multihome VIP clusterXL

PhoneBoy — Tue, 05 Apr 2022 21:08:10 GMT

You mean use multiple subnets on the same physical interface with ClusterXL?
Pretty sure this is NOT supported.

Re: multihome VIP clusterXL

Daniel_Kavan — Tue, 05 Apr 2022 21:29:09 GMT

Same subnet different IPs

The current VIP is 192.168.10.22 and I want it to also listen on 192.168.10.26 temporarily.

Re: multihome VIP clusterXL

PhoneBoy — Tue, 05 Apr 2022 21:33:22 GMT

Pretty sure that's not supported either (multiple VIPs on the same subnet).
That said, you could probably get the same effect by setting up a static ARP for .26 to give the same MAC as .22, so the packets are received by the relevant gateway.

Re: multihome VIP clusterXL

Daniel_Kavan — Wed, 06 Apr 2022 19:04:42 GMT

Maybe we will try that. I guess even if it doesn't survive a reboot, I could add it back. Also, you'd only be able to put that on one of the cluster members I assume, so that may be a complication.

Re: multihome VIP clusterXL

Bob_Zimmerman — Wed, 06 Apr 2022 19:44:20 GMT

As long as you don't need the cluster to send traffic from the VIP, you can just add a proxy ARP statement for it. Be sure to add it on both members. That will cause the active member to reply to ARP requests for the IP in question using the same mechanism which causes the active member to reply to ARP requests for the VIP. As long as ARP gets the traffic to the member, you should be fine.

Proxy ARP entries in clish survive reboot as long as you run 'save config'.

Re: multihome VIP clusterXL

Daniel_Kavan — Mon, 18 Apr 2022 18:59:39 GMT

eth2 .25 cluster member A

eth2 .24 cluster member B

.26 is the new VIP and .22 is the IP on the old hardware.

So, just to be clear I could add a proxy ARP for .22 in the web ui on each member.

IPv4 Address 192.168.10.22

Interface name eth2 or I can choose MAC and use the same MAC on the respective cluster member.

Real IP on member A will be 192.168.10.25, .24 on B

Re: multihome VIP clusterXL

Bob_Zimmerman — Mon, 18 Apr 2022 19:31:29 GMT

I would add it on the command line, but yes. That's fundamentally how the inbound leg of a ClusterXL VIP works in the first place.

As long as you don't need to negotiate dynamic routing with both IPs, it will work.