Can pfsync be used over router or WAN?
Hi,

Has anyone tried pfsync over a router or WAN? I have read the setup guide for CARP+pfsync; the pfsync interface is connected through a crossover cable. Can I connect 2 pfsync interfaces through a router or WAN?

Thanks

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: Can pfsync be used over router or WAN?
Sam Wun wrote:
>
> Has anyone tried pfsync over a router or WAN?
> I have read the setup guide for CARP+pfsync; the pfsync interface is
> connected through a crossover cable. Can I connect 2 pfsync
> interfaces through a router or WAN?

pfsync(4) talks about this:

     NETWORK SYNCHRONISATION
     States can be synchronised between two or more firewalls using this
     interface, by specifying a synchronisation interface using ifconfig(8).
     For example, the following command sets fxp0 as the synchronisation
     interface:

           # ifconfig pfsync0 syncdev fxp0

     It is important that the underlying synchronisation interface is up and
     has an IP address assigned.

     By default, state change messages are sent out on the synchronisation
     interface using IP multicast packets. The protocol is IP protocol 240,
     PFSYNC, and the multicast group used is 224.0.0.240. When a peer address
     is specified using the syncpeer keyword, the peer address is used as a
     destination for the pfsync traffic, and the traffic can then be protected
     using ipsec(4). In such a configuration, the syncdev should be set to the
     enc(4) interface, as this is where the traffic arrives when it is
     decapsulated, e.g.:

           # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

     It is important that the pfsync traffic be well secured as there is no
     authentication on the protocol and it would be trivial to spoof packets
     which create states, bypassing the pf ruleset. Either run the pfsync
     protocol on a trusted network - ideally a network dedicated to pfsync
     messages such as a crossover cable between two firewalls, or specify a
     peer address and protect the traffic with ipsec(4).

     For pfsync to start its operation automatically at the system boot time,
     pfsync_enable and pfsync_syncdev variables should be used in rc.conf(5).
     It is not advisable to set up pfsync with common network interface
     configuration variables of rc.conf(5) because pfsync must start after
     its syncdev, which cannot be always ensured in the latter case.

Syncing over a WAN doesn't seem like it would make sense, offhand.
Normally you pfsync between devices that will be able to provide routing
for a firewalled connection. A device far across a WAN doesn't seem
like it would be able to provide redundant service. But that's up to
your design, I suppose.

Syncing across a LAN could make sense, but you will want to take steps
to secure the traffic.

--
David DeSimone == Network Admin == f...@verio.net
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow
Re: kern/134369: [route] [ip6] IPV6 in Head broken for routing table updates
Old Synopsis: IPV6 in Head broken for routing table updates
New Synopsis: [route] [ip6] IPV6 in Head broken for routing table updates

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri May 8 18:05:39 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=134369
Re: New INTEL firmware v3.1 for device iwi (IPW 2200BG)
On Sun, 3 May 2009, Andrew Thompson wrote:

> On Sun, May 03, 2009 at 02:48:13PM +0200, Dieter Brozio wrote:
>> Hi there,
>>
>> To whom it may concern:
>>
>> INTEL released in March 2009 a new version 3.1 of its firmware for the
>> WLAN iwi device (Pro/Wireless 2200BG).
>>
>> http://ipw2200.sourceforge.net/firmware.php
>> http://ipw2200.sourceforge.net/firmware.php?fid=8
>>
>> On my 7.2.RC2 desktop PC (without WLAN) I noticed that in
>>
>> /usr/src/sys/contrib/dev/iwi/ipw2200_bss.fw.uu
>> /usr/src/sys/contrib/dev/iwi/ipw2200_ibss.fw.uu
>> /usr/src/sys/contrib/dev/iwi/ipw2200_sniffer.fw.uu
>>
>> the old v3.0 iwi firmware is still inside. After some hours of operation
>> this firmware generates error messages like "iwi0:scan stuck" and finally
>> the network connection will be disconnected.
>>
>> I've tested fw v3.1 this week on my FBSD6.4 laptop: No problems, no
>> "scan stuck", no side-effects.
>
> Brilliant. Great. If anyone can also confirm it works on current then I
> will commit.

I have been using the new firmware for a couple of days on current with
this device:

  i...@pci0:2:1:0: class=0x028000 card=0x27218086 chip=0x42208086 rev=0x05 hdr=0x00
      vendor     = 'Intel Corporation'
      device     = 'MPCI3B driverIntel PRO/Wireless 2200BG'
      class      = network

No problems observed.

$.02,

/Mikko
Re: Can pfsync be used over router or WAN?
Establishing IPsec between these 2 pfsync points is a way to go.

On Sat, May 9, 2009 at 2:44 AM, David DeSimone wrote:
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection. A device far across a WAN doesn't seem
> like it would be able to provide redundant service. But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
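As an added example, not from the thread and not pfsync's own code: a small Python check in the spirit of the pfsync(4) warning quoted above and of the IPsec suggestion. It classifies raw IPv4 datagrams the way a capture filter on the firewall would, flagging pfsync (IP protocol 240) that arrives on an interface other than the syncdev, from a host other than the configured syncpeer, or, in multicast mode, not addressed to 224.0.0.240 or not from the dedicated sync network. Interface names, addresses and the sample packets are constructed for the example.

```python
import ipaddress
import struct

PFSYNC_PROTO = 240                                  # IP protocol number, per pfsync(4)
PFSYNC_MCAST = ipaddress.ip_address("224.0.0.240")  # multicast group, per pfsync(4)


def make_ipv4(src, dst, proto):
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 header, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]), pkt[9]


def audit_pfsync(pkt, iface, syncdev, trusted_net, syncpeer=None):
    """Classify one datagram captured on `iface` against the pfsync setup.
    Returns "ignore" for non-pfsync traffic, "ok" when it matches the configured
    syncdev/syncpeer (or, in multicast mode, the dedicated sync network
    `trusted_net`), and an "alert: ..." string otherwise."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr[2] != PFSYNC_PROTO:
        return "ignore"
    src, dst, _ = hdr
    if iface != syncdev:
        # state updates have no business arriving on any other interface
        return f"alert: pfsync on {iface}, syncdev is {syncdev}"
    if syncpeer is not None:
        # unicast (syncpeer + IPsec) mode: only the configured peer may send
        if src != ipaddress.ip_address(syncpeer):
            return f"alert: pfsync from {src}, syncpeer is {syncpeer}"
        return "ok"
    # multicast mode: updates go to 224.0.0.240 from a host on the sync network
    if dst != PFSYNC_MCAST:
        return f"alert: pfsync to {dst} instead of {PFSYNC_MCAST}"
    if src not in ipaddress.ip_network(trusted_net):
        return f"alert: pfsync from {src} outside {trusted_net}"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: a legitimate multicast update and a spoofed one
    good = make_ipv4("10.0.0.2", "224.0.0.240", PFSYNC_PROTO)
    spoof = make_ipv4("192.0.2.7", "224.0.0.240", PFSYNC_PROTO)
    print(audit_pfsync(good, "fxp0", "fxp0", "10.0.0.0/24"))
    print(audit_pfsync(spoof, "fxp0", "fxp0", "10.0.0.0/24"))
```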
CARP on FreeBSD 7.2
Hi,

I tried to set up CARP in FreeBSD 7.2, but I seem not able to assign an IP to the carp interfaces.

Here is my rc.conf file:

hostname="test.ip6.com.au"
ifconfig_fxp0="inet 192.168.1.248 netmask 255.255.255.0"
sshd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.anti-spam.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
pflog_flags=""
pfsync_enable="NO"
pfsync_syncdev=""
pfsync_ifconfig=""

cloned_interfaces="carp1"
ifconfig_carp1="up 24.214.165.129/25 vhid 2 pass privatepassword"


test:~ # ifconfig
fxp0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:13:20:65:ad:bd
        inet 192.168.1.248 netmask 0xff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
carp1: flags=9 metric 0 mtu 1500
        carp: INIT vhid 1 advbase 1 advskew 50

What have I missed?

Thanks
Re: CARP on FreeBSD 7.2
The following command also failed:

test:~ # ifconfig carp1 vhid 1 pass password 192.168.2.144/24 up
ifconfig: ioctl (SIOCAIFADDR): Can't assign requested address

> Hi,
>
> I tried to set up CARP in FreeBSD 7.2, but I seem not able to assign an IP to
> the carp interfaces.
>
> Here is my rc.conf file:
>
> ifconfig_fxp0="inet 192.168.1.248 netmask 255.255.255.0"
> cloned_interfaces="carp1"
> ifconfig_carp1="up 24.214.165.129/25 vhid 2 pass privatepassword"
>
> What have I missed?
Re: CARP on FreeBSD 7.2
On Fri, May 8, 2009 at 10:09 PM, Sam Wan wrote:
> The following command also failed:
>
> test:~ # ifconfig carp1 vhid 1 pass password 192.168.2.144/24 up
> ifconfig: ioctl (SIOCAIFADDR): Can't assign requested address
>
>> I tried to set up CARP in FreeBSD 7.2, but I seem not able to assign an IP to
>> the carp interfaces.
>>
>> ifconfig_fxp0="inet 192.168.1.248 netmask 255.255.255.0"
>> cloned_interfaces="carp1"
>> ifconfig_carp1="up 24.214.165.129/25 vhid 2 pass privatepassword"
>>
>> What have I missed?

Hi,

Currently, the only way to assign an IP address for CARP is to use an IP
that is in the same subnet as the physical interface you intend to handle
its packets. In other words, since neither 192.168.2.144/24 nor
24.215.165.129/25 are in 192.168.1.248/24, they cannot be assigned to any
CARP interface. Eventually, this should be fixed by introducing carpdev,
which allows explicitly associating a CARP interface with a physical
interface, but it's not there yet.

Regards,
--Will.
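An added example, not from the thread: a Python pre-flight check for the rule Will describes. It parses ifconfig output (a constructed sample below, shaped like the one Sam posted, with the netmask in the hex form FreeBSD prints) and reports which physical interface's subnet would accept a proposed CARP address; a result of None corresponds to the SIOCAIFADDR failure shown above. The interface list, the set of interface prefixes treated as non-physical, and the candidate addresses are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the ifconfig output quoted in the thread,
# trimmed to the lines the check needs (netmask in the hex form FreeBSD prints).
SAMPLE_IFCONFIG = """\
fxp0: flags=8843 metric 0 mtu 1500
        inet 192.168.1.248 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> metric 0 mtu 1460
carp1: flags=9 metric 0 mtu 1500
        carp: INIT vhid 1 advbase 1 advskew 50
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")
VIRTUAL = ("lo", "carp", "pfsync", "pflog", "enc")   # assumed: never CARP parents

def physical_subnets(ifconfig_text):
    """Map each physical interface name to the IPv4 networks configured on it."""
    nets, cur = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and cur and not cur.startswith(VIRTUAL):
            mask = ipaddress.ip_address(int(m.group(2), 16))       # hex -> dotted
            net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
            nets.setdefault(cur, []).append(net)
    return nets

def carp_parent(candidate, ifconfig_text):
    """Return the physical interface whose subnet contains `candidate` (an
    address, optionally with /prefix), or None. On FreeBSD 7.2 None means the
    SIOCAIFADDR ioctl on the carp interface fails with
    "Can't assign requested address", as in the thread."""
    addr = ipaddress.ip_interface(candidate).ip
    for iface, subnets in physical_subnets(ifconfig_text).items():
        if any(addr in net for net in subnets):
            return iface
    return None

if __name__ == "__main__":
    for cand in ("192.168.2.144/24", "24.214.165.129/25", "192.168.1.250/24"):
        print(cand, "->", carp_parent(cand, SAMPLE_IFCONFIG))
```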
CARP loadbalance vs. IPVS loadbalance
Hi,

Can anyone give comments and suggestions on which load balancer is better for FreeBSD (7.2), CARP or IPVS?

Thanks