VRRP: Linux is sending ARP requests / replies on real interfaces instead of virtual interface

linux-networking

Issue summary:

I have a real interface "vif10" and a virtual interface (using VRRP) "vrrp.1", both having the same IPv4 address. "vif10" has a real MAC address, "vrrp.1" has a virtual MAC (VMAC).

I want the VMAC to be always the sender MAC address on both ARP requests and ARP replies, but sometimes it's not used and the real MAC is used.

In other words:

- ARP requests – I want the virtual interface to reply for ARP requests for that common IP (with the VMAC as the sender MAC)
- ARP replies – I want the VMAC to be the sender MAC address always on ARP requests.

I think I am missing some /proc/sys/net/ipv4 settings.

Details:

  1. I've got 3 interfaces on my router:
    vif10: a real interface, ip is 192.168.20.1
    vrrp.1: a virtual interface (VRRP), ip is 192.168.20.1 too. (ownership)
    vrrp.2: a virtual interface (VRRP), ip is 192.168.20.3.

  2. Here is the output of my "ifconfig":

    vif10 Link encap:Ethernet HWaddr A4:60:32:00:D4:BA
          inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:3002 (2.9 KiB) TX bytes:184494 (180.1 KiB)

    vrrp.1 Link encap:Ethernet HWaddr 00:00:5E:00:01:01
          inet addr:192.168.20.1 Bcast:192.168.20.0 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1216 (1.1 KiB) TX bytes:1302 (1.2 KiB)

    vrrp.2 Link encap:Ethernet HWaddr 00:00:5E:00:01:02
          inet addr:192.168.20.3 Bcast:192.168.20.0 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1216 (1.1 KiB) TX bytes:2016 (1.9 KiB)

  3. Linux networking flags are:

    cd /proc/sys/net/ipv4/conf/all

    for f in ./*; do echo -n "$f "; cat $f; done

    ./accept_local 0
    ./accept_redirects 0
    ./accept_source_route 0
    ./arp_accept 0
    ./arp_announce 0
    ./arp_filter 0
    ./arp_ignore 0
    ./arp_notify 0
    ./bootp_relay 0
    ./disable_policy 0
    ./disable_xfrm 0
    ./force_igmp_version 0
    ./forwarding 1
    ./log_martians 0
    ./mc_forwarding 0
    ./medium_id 0
    ./promote_secondaries 0
    ./proxy_arp 0
    ./proxy_arp_pvlan 0
    ./route_localnet 0
    ./rp_filter 0
    ./secure_redirects 1
    ./send_redirects 0
    ./shared_media 1
    ./src_valid_mark 0
    ./tag 0

    cd ../vif10

    for f in ./*; do echo -n "$f "; cat $f; done

    ./accept_local 0
    ./accept_redirects 1
    ./accept_source_route 1
    ./arp_accept 0
    ./arp_announce 2
    ./arp_filter 1
    ./arp_ignore 1
    ./arp_notify 0
    ./bootp_relay 0
    ./disable_policy 0
    ./disable_xfrm 0
    ./force_igmp_version 0
    ./forwarding 0
    ./log_martians 0
    ./mc_forwarding 0
    ./medium_id 0
    ./promote_secondaries 0
    ./proxy_arp 0
    ./proxy_arp_pvlan 0
    ./route_localnet 0
    ./rp_filter 0
    ./secure_redirects 1
    ./send_redirects 1
    ./shared_media 1
    ./src_valid_mark 0
    ./tag 0

    cd ../vrrp.1

    for f in ./*; do echo -n "$f "; cat $f; done

    ./accept_local 1
    ./accept_redirects 1
    ./accept_source_route 1
    ./arp_accept 0
    ./arp_announce 2
    ./arp_filter 0
    ./arp_ignore 1
    ./arp_notify 0
    ./bootp_relay 0
    ./disable_policy 0
    ./disable_xfrm 0
    ./force_igmp_version 0
    ./forwarding 1
    ./log_martians 0
    ./mc_forwarding 0
    ./medium_id 0
    ./promote_secondaries 1
    ./proxy_arp 0
    ./proxy_arp_pvlan 0
    ./route_localnet 0
    ./rp_filter 0
    ./secure_redirects 1
    ./send_redirects 1
    ./shared_media 1
    ./src_valid_mark 0
    ./tag 0

    cd ../vrrp.2

    for f in ./*; do echo -n "$f "; cat $f; done

    ./accept_local 1
    ./accept_redirects 1
    ./accept_source_route 1
    ./arp_accept 0
    ./arp_announce 2
    ./arp_filter 0
    ./arp_ignore 1
    ./arp_notify 0
    ./bootp_relay 0
    ./disable_policy 0
    ./disable_xfrm 0
    ./force_igmp_version 0
    ./forwarding 1
    ./log_martians 0
    ./mc_forwarding 0
    ./medium_id 0
    ./promote_secondaries 1
    ./proxy_arp 0
    ./proxy_arp_pvlan 0
    ./route_localnet 0
    ./rp_filter 0
    ./secure_redirects 1
    ./send_redirects 1
    ./shared_media 1
    ./src_valid_mark 0
    ./tag 0

  4. Here is my system information:

Linux kernel:

    # uname -a
    Linux Router_A 3.10.70 #2 SMP PREEMPT Mon Apr 24 17:59:38 IDT 2017 armv7l unknown

I am using "keepalived" for VRRP.

keepalived:

    # keepalived --version
    Keepalived v1.3.2 (04/24,2017), git commit build-12076-11-gef48e87+

All instructions made by Alexandre regarding the VMAC are included:

  5. I am familiar with the following Stack Overflow article:

Why does Linux answer to ARP on incorrect interfaces?

Thanks!

Best Answer

'both having the same IPv4 address' Herein lies your problem. You need VRRP packets to pass between your interfaces, hence you do have an IP conflict, and your MAC is likely to flap, since traffic is going to your primary router using its physical MAC. Whether this matters seems to depend on the machine communicating with the VRRP router. The virtual and physical MACs are going to the same place, so this may work, though I have encountered situations where TCP connections freeze on every flap, for many seconds.

If you want this to go away, change to an IP for each physical interface, and a 3rd IP for the floating virtual interface.

This is most certainly not a Linux-specific answer; Linux actually plays fairly nice with this configuration, relative to what some other operating systems seem to do.
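
The MAC flap described in the answer can be confirmed from a packet capture. The following is an added example, not part of the original question or answer: it scans ARP lines in the style of `tcpdump -e -n arp` output and reports every IPv4 address whose sender MAC changes, noting when both a VRRP virtual MAC and a real MAC claim it. The capture lines and the client 192.168.20.50 / 02:00:00:00:00:50 are constructed; the router addresses are the ones from the question.

```python
import re
from collections import defaultdict

# IPv4 VRRP virtual MACs have the form 00:00:5e:00:01:<VRID>.
VMAC_PREFIX = "00:00:5e:00:01:"

# Constructed capture in the style of `tcpdump -e -n arp` (not real traffic).
SAMPLE = """\
12:00:01.000000 a4:60:32:00:d4:ba > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.20.50 tell 192.168.20.1, length 28
12:00:01.000900 02:00:00:00:00:50 > a4:60:32:00:d4:ba, ethertype ARP (0x0806), length 60: Reply 192.168.20.50 is-at 02:00:00:00:00:50, length 46
12:00:05.000000 02:00:00:00:00:50 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.20.1 tell 192.168.20.50, length 46
12:00:05.000700 00:00:5e:00:01:01 > 02:00:00:00:00:50, ethertype ARP (0x0806), length 42: Reply 192.168.20.1 is-at 00:00:5e:00:01:01, length 28
12:00:09.000000 a4:60:32:00:d4:ba > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.20.50 tell 192.168.20.1, length 28
12:00:12.000000 00:00:5e:00:01:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.20.50 tell 192.168.20.3, length 28
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE_RE = re.compile(
    rf"^\S+ (?P<src>{MAC}) > {MAC}, ethertype ARP .*?: "
    rf"(?:Request who-has \S+(?: \(\S+\))? tell (?P<req_ip>[\d.]+)"
    rf"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>{MAC}))",
    re.I,
)

def arp_claims(text):
    """Yield (sender_ip, sender_mac) for every ARP request or reply line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ARP line in the expected format
        if m["req_ip"]:
            # Requests: tcpdump prints no ARP sender MAC, use the Ethernet source.
            yield m["req_ip"], m["src"].lower()
        else:
            yield m["rep_ip"], m["rep_mac"].lower()

def audit(text):
    """Return {ip: details} for IPs announced with more than one MAC."""
    history = defaultdict(list)  # ip -> MACs in order, consecutive repeats collapsed
    for ip, mac in arp_claims(text):
        if not history[ip] or history[ip][-1] != mac:
            history[ip].append(mac)
    report = {}
    for ip, macs in history.items():
        distinct = sorted(set(macs))
        if len(distinct) > 1:
            vmac = [m.startswith(VMAC_PREFIX) for m in distinct]
            report[ip] = {"macs": distinct, "flaps": len(macs) - 1,
                          "vmac_and_real": any(vmac) and not all(vmac)}
    return report

if __name__ == "__main__":
    for ip, info in audit(SAMPLE).items():
        print(ip, info)
```

On a capture from a router configured as the answer recommends (one IP per physical interface and a separate floating IP), the report should be empty.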
