nat-gw1: tentative to use VRRP MAC address on public as well

This doesn't really work as there is a default route to answer any request. We must either use some kind of L3VRF to ensure proxy ARP is using only the route we provide to decide if it has to answer or we must use a userland proxy ARP.
kucerarichard · Mar 20, 2019 · 6ea5c9a · 6ea5c9a
1 parent c0880a8
commit 6ea5c9a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 12 deletions.
diff --git a/lab-nat-gw1/keepalived.NATx.conf b/lab-nat-gw1/keepalived.NATx.conf
@@ -1,39 +1,77 @@
-vrrp_instance NAT1 {
+vrrp_instance NAT-PRIVATE-1 {
   state BACKUP
   interface eth0
-  track_interface {
-    eth1
-  }
   virtual_router_id 11
   priority {{ priority1 }}
   advert_int 1
   virtual_ipaddress {
     172.22.34.1/32
   }
+
+  use_vmac
+  vmac_xmit_base
+  notify_master "{{ pwd }}/vrrp-master vrrp.11"
+}
+vrrp_instance NAT-PUBLIC-1 {
+  state BACKUP
+  interface eth1
+  virtual_router_id 21
+  priority {{ priority1 }}
+  advert_int 1
   virtual_routes {
     203.0.113.128/26 dev lo
   }
 
   use_vmac
-  notify_master "{{ pwd }}/vrrp-master vrrp.11"
+  vmac_xmit_base
+  notify_master "{{ pwd }}/vrrp-master vrrp.21"
 }
-
-vrrp_instance NAT2 {
-  state BACKUP
-  interface eth0
+vrrp_sync_group NAT-1 {
+  group {
+    NAT-PRIVATE-1
+    NAT-PUBLIC-1
+  }
   track_interface {
+    eth0
     eth1
   }
+}
+
+vrrp_instance NAT-PRIVATE-2 {
+  state BACKUP
+  interface eth0
   virtual_router_id 12
   priority {{ priority2 }}
   advert_int 1
   virtual_ipaddress {
     172.22.34.2/32
   }
+
+  use_vmac
+  vmac_xmit_base
+  notify_master "{{ pwd }}/vrrp-master vrrp.12"
+}
+vrrp_instance NAT-PUBLIC-2 {
+  state BACKUP
+  interface eth1
+  virtual_router_id 22
+  priority {{ priority2 }}
+  advert_int 1
   virtual_routes {
     203.0.113.192/26 dev lo
   }
 
   use_vmac
-  notify_master "{{ pwd }}/vrrp-master vrrp.12"
+  vmac_xmit_base
+  notify_master "{{ pwd }}/vrrp-master vrrp.22"
+}
+vrrp_sync_group NAT-2 {
+  group {
+    NAT-PRIVATE-2
+    NAT-PUBLIC-2
+  }
+  track_interface {
+    eth0
+    eth1
+  }
 }
diff --git a/lab-nat-gw1/setup b/lab-nat-gw1/setup
@@ -80,8 +80,8 @@ case $uts in
         iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 0x10/0x70 -j SNAT --to-source 203.0.113.129-203.0.113.190 --persistent
         iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 0x20/0x70 -j SNAT --to-source 203.0.113.193-203.0.113.254 --persistent
         sysctl -qw net.netfilter.nf_conntrack_tcp_loose=1
-        sysctl -qw net.ipv4.conf.eth1.proxy_arp=1
-        sysctl -qw net.ipv4.neigh.eth1.proxy_delay=0
+        sysctl -qw net/ipv4/conf/vrrp.21/proxy_arp=1
+        sysctl -qw net/ipv4/neigh/vrrp.22/proxy_delay=0
 
         # Use conntrackd on top of that for almost seamless redundancy
         ip addr add 169.254.100.${uts#NAT}/24 dev eth2