CARP and NAT question
Hello,

I'd like to NAT outbound traffic from two different private networks through two different interfaces, with CARP on top. I have 4 public IPs available (193.x.x.89, 193.x.x.90, 193.x.x.91, 193.x.x.92).

I have two redundant router/firewalls running FreeBSD 12 with CARP and PF with the following: (1), which works well, but all traffic goes through the same interface.

So I'd like to switch to something like (2), which will not work (lines 5 and 13 are not valid), and I'm wondering if I could use something like (3) ..?

Thank you!

Julien

(1) https://gist.github.com/silenius/4f6173a9b6690292c2174ab3bb89d292
(2) https://gist.github.com/silenius/da9be7e74e9861fa55f927d194e3e410
(3) https://gist.github.com/silenius/b237565b0d181248ff80ea296e5537db

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
[Bug 240787] netgraph/ng_bridge: Replace NG_BRIDGE_MAX_LINKS with auto-incrementing (Unlimited) links
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240787

Mark Johnston changed:
           What    |Removed                     |Added
                 CC|                            |ma...@freebsd.org

--- Comment #12 from Mark Johnston ---
(In reply to Kubilay Kocak from comment #11)

Why is this a 12.1 blocker? The change is a welcome improvement but does not fix a regression. Rather, it removes an existing limitation in ng_bridge(4). IMHO it is too late to include this in the release.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: CARP and NAT question
Hi Julien,

It's not clear why you are trying to assign multiple carp IP addresses to two different interfaces from within the same IP subnet. Are you trying to fail over a 2nd carp address or are you trying to improve throughput/redundancy? If you just want to fail over a 2nd carp address, assign a 2nd alias to your first interface. If you're trying to improve throughput/redundancy, assign both interfaces to a lagg and build your carp interfaces on top of that instead.

-Matthew

On 10/8/2019 8:48 AM, Julien Cigar wrote:
> Hello,
>
> I'd like to NAT outbound traffic from two different private networks
> through two different interfaces, with CARP on top. I have 4 public IPs
> available (193.x.x.89, 193.x.x.90, 193.x.x.91, 193.x.x.92).
>
> I have two redundant router/firewalls running FreeBSD 12 with CARP and
> PF with the following: (1), which works well, but all traffic
> goes through the same interface.
>
> So I'd like to switch to something like (2), which will not work (lines
> 5 and 13 are not valid), and I'm wondering if I could use something like
> (3) ..?
>
> Thank you!
>
> Julien
>
> (1) https://gist.github.com/silenius/4f6173a9b6690292c2174ab3bb89d292
> (2) https://gist.github.com/silenius/da9be7e74e9861fa55f927d194e3e410
> (3) https://gist.github.com/silenius/b237565b0d181248ff80ea296e5537db
[Bug 240787] netgraph/ng_bridge: Replace NG_BRIDGE_MAX_LINKS with auto-incrementing (Unlimited) links
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240787

Gleb Smirnoff changed:
           What    |Removed                     |Added
             Status|In Progress                 |Closed
         Resolution|---                         |FIXED

--- Comment #13 from Gleb Smirnoff ---
I totally agree with Mark.
Re: CARP and NAT question
On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> Hi Julien,

Hi Matthew,

> It's not clear why you are trying to assign multiple carp IP address to
> two different interfaces from within the same IP subnet. Are you trying
> to fail over a 2nd carp address or are you trying to improve
> throughput/redundancy? If you just want to fail over a 2nd carp address,
> assign a 2nd alias to your first interface. If you're trying to improve
> throughput/redundancy, assign both interfaces to a lagg and build your
> carp interfaces on top of that instead.

Currently outbound traffic from $net1 and $net2 (two private networks) passes through the same network interface (igb0) on the router (as you can see in (1) in my previous post). I'd like to prevent $net2 from saturating the interface and slowing down traffic from $net1 (which is more important). I could lagg and build CARP on top of that, but it wouldn't prevent $net2 from saturating the interface (unless I plug in ALTQ of course, which I'd like to avoid).

> -Matthew
>
> On 10/8/2019 8:48 AM, Julien Cigar wrote:
> > Hello,
> >
> > I'd like to NAT outbound traffic from two different private networks
> > through two different interfaces, with CARP on top. I have 4 public IPs
> > available (193.x.x.89, 193.x.x.90, 193.x.x.91, 193.x.x.92).
> >
> > I have two redundant router/firewalls running FreeBSD 12 with CARP and
> > PF with the following: (1), which works well, but all traffic
> > goes through the same interface.
> >
> > So I'd like to switch to something like (2), which will not work (lines
> > 5 and 13 are not valid), and I'm wondering if I could use something like
> > (3) ..?
> >
> > Thank you!
> >
> > Julien
> >
> > (1) https://gist.github.com/silenius/4f6173a9b6690292c2174ab3bb89d292
> > (2) https://gist.github.com/silenius/da9be7e74e9861fa55f927d194e3e410
> > (3) https://gist.github.com/silenius/b237565b0d181248ff80ea296e5537db

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
[Bug 240787] netgraph/ng_bridge: Replace NG_BRIDGE_MAX_LINKS with auto-incrementing (Unlimited) links
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240787

--- Comment #14 from Ed Maste ---
Too late for 12.1, but merging to stable/12 before 12.2 is probably feasible.
Re: CARP and NAT question
On 10/8/2019 10:58 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> > Hi Julien,
>
> Hi Matthew,
>
> > It's not clear why you are trying to assign multiple carp IP address to
> > two different interfaces from within the same IP subnet. Are you trying
> > to fail over a 2nd carp address or are you trying to improve
> > throughput/redundancy? If you just want to fail over a 2nd carp address,
> > assign a 2nd alias to your first interface. If you're trying to improve
> > throughput/redundancy, assign both interfaces to a lagg and build your
> > carp interfaces on top of that instead.
>
> Currently outbound traffic from $net1 and $net2 (two private networks)
> passes through the same network interface (igb0) on the router (as you
> can see in (1) in my previous post). I'd like to prevent $net2 from
> saturating the interface and slowing down traffic from $net1 (which is
> more important). I could lagg and build CARP on top of that, but it
> wouldn't prevent $net2 from saturating the interface (unless I plug in
> ALTQ of course, which I'd like to avoid).

Well, I'm not sure how well it will work, but I think what you are looking for is the route-to pf rule option. You can specify that certain traffic be transmitted via a specific network interface to a specific next hop. However, I believe you'll need to match traffic as it's received on the internal interface, i.e. before the kernel determines the egress interface.

```
table <internal_networks> { $net1, $net2 }

pass in on $internal_interface route-to (igb0 $default_gw) from $net1 to !<internal_networks>
pass in on $internal_interface route-to (igb1 $default_gw) from $net2 to !<internal_networks>
```

Hope this helps,

-Matthew
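As an added example that is not part of this thread (and not Julien's gists, whose contents are not shown here), the following pf.conf sketch puts Matthew's route-to suggestion next to the per-interface NAT Julien is after. The interface names igb2, the private prefixes, the upstream gateway, the CARP vhids and the netmask are assumptions; the public addresses are the ones from the thread.

```pf
# Added example, not from the thread.  Assumed topology: igb2 faces the
# two private networks, igb0 and igb1 are the two public links, and
# both public links sit in the same 193.x.x.0 subnet behind one gateway.
ext_if1    = "igb0"
ext_if2    = "igb1"
int_if     = "igb2"                 # assumed internal interface
default_gw = "193.x.x.1"            # assumed upstream next hop

net1 = "10.0.1.0/24"                # assumed; the more important network
net2 = "10.0.2.0/24"                # assumed

# CARP VIPs from the thread.  The vhids and mask below are assumptions, e.g.
#   ifconfig igb0 alias 193.x.x.89/24 vhid 1 pass <secret>
#   ifconfig igb1 alias 193.x.x.90/24 vhid 2 pass <secret>
carp1 = "193.x.x.89"
carp2 = "193.x.x.90"

table <internal_networks> { $net1, $net2 }

set skip on lo0

# Translation rules come before filter rules in FreeBSD 12 pf.conf.
# Each network is NATed behind the CARP address of the link it leaves on,
# not the physical address, so established flows survive a failover.
nat on $ext_if1 from $net1 to any -> $carp1
nat on $ext_if2 from $net2 to any -> $carp2

# Egress selection happens here, on the inbound rule, before the kernel
# consults the routing table.  Traffic between the two private networks is
# excluded so it is still routed normally instead of being pushed upstream.
pass in quick on $int_if route-to ($ext_if1 $default_gw) \
    from $net1 to !<internal_networks> keep state
pass in quick on $int_if route-to ($ext_if2 $default_gw) \
    from $net2 to !<internal_networks> keep state

# Let the rerouted, translated traffic leave, and never filter CARP itself.
pass quick on { $ext_if1, $ext_if2 } proto carp
pass out quick on { $ext_if1, $ext_if2 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Because the two VIPs live on different physical links, also confirm with `ifconfig -a | grep carp:` that both vhids are MASTER on the same node; if one node holds vhid 1 and the other vhid 2, NAT states created on one box answer from an address the other box owns. With pfsync between the two routers the states survive, but the split is still worth catching.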
[Bug 240608] iflib: Panic with INVARIANTS: Memory modified after free (12.1-pre-QA)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240608

Ed Maste changed:
           What    |Removed                     |Added
             Blocks|                            |240700

Referenced Bugs:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240700
[Bug 240700] [META] FreeBSD 12.1-RELEASE blockers
[Bug 240609] iflib: Panic with INVARIANTS: sleeping in an epoch section (12.1-pre-QA) (vlan + lagg involved)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240609

Ed Maste changed:
           What    |Removed                     |Added
             Blocks|                            |240700

Referenced Bugs:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240700
[Bug 240700] [META] FreeBSD 12.1-RELEASE blockers
[Bug 236724] igb(4): Interfaces fail to switch active to inactive state
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236724

--- Comment #17 from Harald Schmalzbauer ---
I'd like to add that marius@'s approach in https://reviews.freebsd.org/D21924 has the same effect, from the operator's view, as the originally tested D21769. Once the interface was "up", link state change is correctly detected (again tested with 82574L (em) and igb(4)s 82576, i210, i350). If the interface wasn't configured/brought up, link state changes to "active" but never back, which seems to be by design, according to this report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240818

Thanks,

-harry
ipsec on multicore VM
Hi All

I have a FreeBSD 11.2-STABLE #0 r343863 VM with 2 CPUs and a vmxnet3 NIC. This host uses many if_ipsec interfaces and strongswan-5.7.2 to make site-to-site IPsec connections.

When I use `tcpdump -nn -i src and esp` I get many reordered IPsec packets. Does tcpdump give me a real picture, and I have reordering somewhere "on the wire", or may packets be reordered because more than one CPU reads packets from the NIC?

-- 
CU,
Victor Gamov
Re: CARP and NAT question
On 10/8/19 8:58 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> > Hi Julien,
>
> Hi Matthew,
>
> > It's not clear why you are trying to assign multiple carp IP address to
> > two different interfaces from within the same IP subnet. Are you trying
> > to fail over a 2nd carp address or are you trying to improve
> > throughput/redundancy? If you just want to fail over a 2nd carp address,
> > assign a 2nd alias to your first interface. If you're trying to improve
> > throughput/redundancy, assign both interfaces to a lagg and build your
> > carp interfaces on top of that instead.
>
> Currently outbound traffic from $net1 and $net2 (two private networks)
> passes through the same network interface (igb0) on the router (as you
> can see in (1) in my previous post). I'd like to prevent $net2 from
> saturating the interface and slowing down traffic from $net1 (which is
> more important). I could lagg and build CARP on top of that, but it
> wouldn't prevent $net2 from saturating the interface (unless I plug in
> ALTQ of course, which I'd like to avoid).
>
> > -Matthew
> >
> > On 10/8/2019 8:48 AM, Julien Cigar wrote:
> > > Hello,
> > >
> > > I'd like to NAT outbound traffic from two different private networks
> > > through two different interfaces, with CARP on top. I have 4 public IPs
> > > available (193.x.x.89, 193.x.x.90, 193.x.x.91, 193.x.x.92).
> > >
> > > I have two redundant router/firewalls running FreeBSD 12 with CARP and
> > > PF with the following: (1), which works well, but all traffic
> > > goes through the same interface.
> > >
> > > So I'd like to switch to something like (2), which will not work (lines
> > > 5 and 13 are not valid), and I'm wondering if I could use something like
> > > (3) ..?
> > >
> > > Thank you!
> > >
> > > Julien
> > >
> > > (1) https://gist.github.com/silenius/4f6173a9b6690292c2174ab3bb89d292
> > > (2) https://gist.github.com/silenius/da9be7e74e9861fa55f927d194e3e410
> > > (3) https://gist.github.com/silenius/b237565b0d181248ff80ea296e5537db

can you draw it?
[Bug 240787] netgraph/ng_bridge: Replace NG_BRIDGE_MAX_LINKS with auto-incrementing (Unlimited) links
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240787

Julian Elischer changed:
           What    |Removed                     |Added
                 CC|                            |jul...@freebsd.org

--- Comment #15 from Julian Elischer ---
It changes the API (and the cookie that identifies the API revision), so old binaries will not work. This sort of disqualifies it from 12.anything.. remember that we keep API along a branch lifetime.

For now we should just increase the default number of links in 12.
[Bug 240787] netgraph/ng_bridge: Replace NG_BRIDGE_MAX_LINKS with auto-incrementing (Unlimited) links
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240787

--- Comment #16 from Julian Elischer ---
though one could implement the old cookie too and translate to some set of defaults in the new scheme.
panic: sleeping in an epoch section
Tried updating from r353072 to r353334 and getting the following panic reproducibly on boot (starting dhclient?):

panic: sleeping in an epoch section
cpuid = 5
time = 1570591558
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfe00af780140
vpanic() at vpanic+0x19d/frame 0xfe00af780190
panic() at panic+0x43/frame 0xfe00af7801f0
_sleep() at _sleep+0x463/frame 0xfe00af780290
pause_sbt() at pause_sbt+0x10f/frame 0xfe00af7802d0
e1000_write_phy_reg_mdic() at e1000_write_phy_reg_mdic+0xee/frame 0xfe00af780310
e1000_enable_phy_wakeup_reg_access_bm() at e1000_enable_phy_wakeup_reg_access_bm+0x2b/frame 0xfe00af780330
e1000_update_mc_addr_list_pch2lan() at e1000_update_mc_addr_list_pch2lan+0x3a/frame 0xfe00af780370
em_if_multi_set() at em_if_multi_set+0x1d4/frame 0xfe00af7803c0
iflib_if_ioctl() at iflib_if_ioctl+0x100/frame 0xfe00af780430
if_addmulti() at if_addmulti+0x2af/frame 0xfe00af7804d0
in_joingroup_locked() at in_joingroup_locked+0x235/frame 0xfe00af780570
in_joingroup() at in_joingroup+0x5c/frame 0xfe00af7805d0
in_control() at in_control+0xadf/frame 0xfe00af780680
ifioctl() at ifioctl+0x40f/frame 0xfe00af780750
kern_ioctl() at kern_ioctl+0x295/frame 0xfe00af7807b0
sys_ioctl() at sys_ioctl+0x15d/frame 0xfe00af780880
amd64_syscall() at amd64_syscall+0x2b9/frame 0xfe00af7809b0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfe00af7809b0
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80048051a, rsp = 0x7fffe3e8, rbp = 0x7fffe430 ---