packet loss with carp on 6.2
Hi guys,

I have had a FreeBSD 6.2 (-p1 - yes I know :) firewall running for a while, with pf fw rules. It has worked fine, and was a replacement for a fbsd 4.x ipfw firewall.

Now I just replaced the 6.2 pf firewall, with a 6.2 (-p7) and carp interfaces enabled. It's using the same cables and the same type of network cards (bge and em). The new one, is a HP dl385 (amd) where the old one, was a HP dl380 (Intel).

On the new one, fping (and ping -f) pinging through the firewall, gives me a packet loss. fping in nagios, reports up to 55% packet loss :( - a ping -f gives me 1-3%, but bad enough :(

pinging from the firewall itself, to one of the hosts, that packets are lost to (when pinging from other networks) does not give any packet loss.

The old 6.2, had polling enabled - and I've tried to disable polling on the new, but to no effect.

Any ideas what else to try?

--
Regards,
Klavs Klavsen, GSEC - [EMAIL PROTECTED] - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: packet loss with carp on 6.2
I tried to just disable carp on the new machine (simply comment out carp config from /etc/rc.conf.local) and now the packet loss is gone - and hasn't been there for half an hour, so far.

Seems the carp network interfaces has bugs.

On Thu, October 18, 2007 10:33, Klavs Klavsen said:
> Hi guys,
>
> I have had a FreeBSD 6.2 (-p1 - yes I know :) firewall running for a
> while, with pf fw rules. It has worked fine, and was a replacement for a
> fbsd 4.x ipfw firewall.
>
> Now I just replaced the 6.2 pf firewall, with a 6.2 (-p7) and carp
> interfaces enabled. It's using the same cables and the same type of
> network cards (bge and em). The new one, is a HP dl385 (amd) where the old
> one, was a HP dl380 (Intel).
>
> On the new one, fping (and ping -f) pinging through the firewall, gives me
> a packet loss. fping in nagios, reports up to 55% packet loss :( - a ping
> -f gives me 1-3%, but bad enough :(
>
> pinging from the firewall itself, to one of the hosts, that packets are
> lost to (when pinging from other networks) does not give any packet loss.
>
> The old 6.2, had polling enabled - and I've tried to disable polling on
> the new, but to no effect.
>
> Any ideas what else to try?

--
Regards,
Klavs Klavsen, GSEC - [EMAIL PROTECTED] - http://www.vsen.dk
Re: packet loss with carp on 6.2
On Thu, October 18, 2007 12:50, Max Laier said:
> On Thursday 18 October 2007, Klavs Klavsen wrote:
>> I tried to just disable carp on the new machine (simply comment out
>> carp config from /etc/rc.conf.local) and now the packet loss is gone -
>> and hasn't been there for half an hour, so far.
>
> I supposed you also had to change your firewall rules? Otherwise your
> ruleset might not be ready to deal with carp and that could be the reason
> why you get the bad results?

I added these rules:

    # Allow pfsync Updates In/Out
    pass quick on $if_mgmt proto pfsync keep state

    # Allow CARP Advertisements In/Out
    pass quick on {$if_mgmt, $if_fwnet, $if_inet} proto carp keep state

I wasn't running any performance tests or anything - just normal traffic. Also - I had a "pass log on $if_XX all" enabled - which matches all the traffic that wasn't specifically matched (ie. expected) traffic.

And no backup CARP host running - but I don't see why, NOT having the spare CARP host up, should cause a packet loss.

> Start debugging by looking at "netstat -ssp carp" on either machine and
> take a careful look at your pf.conf. I also suggest that you add "log"
> to all your block rules and watch tcpdump on pflog0 while pinging.

I just looked through the pflog file (26MB for 55 minutes) - primarily passes - only 14 k. blocks. The blocks were broadcasts, and Cisco HSRP stuff (and pfsync, until I just "allowed it for all - as above" - but since the secondary host wasn't up - pfsync wouldn't work anyways).

>> Seems the carp network interfaces has bugs.
>
> That's a pretty bold assertion given the limited debugging you have
> done ;)

Fair enough - I said "it seems" :) I see no obvious explanation though, why using a carp interface, vs. a normal interface, would somehow give me a packet loss.

If a block/pass rule somehow did not match the packages through the new interfaces, I'd expect to get a 100% packet loss :)

--
Regards,
Klavs Klavsen, GSEC - [EMAIL PROTECTED] - http://www.vsen.dk
[SOLVED] Re: packet loss with carp on 6.2
Hi,

Just to close this thread - I've confirmed that it was indeed a switch problem. The "funny" thing, is how come only CARP triggered it.

On Thu, October 18, 2007 9:33, Klavs Klavsen said:
> Hi guys,
>
> I have had a FreeBSD 6.2 (-p1 - yes I know :) firewall running for a
> while, with pf fw rules. It has worked fine, and was a replacement for a
> fbsd 4.x ipfw firewall.
>
> Now I just replaced the 6.2 pf firewall, with a 6.2 (-p7) and carp
> interfaces enabled. It's using the same cables and the same type of
> network cards (bge and em). The new one, is a HP dl385 (amd) where the old
> one, was a HP dl380 (Intel).
>
> On the new one, fping (and ping -f) pinging through the firewall, gives me
> a packet loss. fping in nagios, reports up to 55% packet loss :( - a ping
> -f gives me 1-3%, but bad enough :(
>
> pinging from the firewall itself, to one of the hosts, that packets are
> lost to (when pinging from other networks) does not give any packet loss.
>
> The old 6.2, had polling enabled - and I've tried to disable polling on
> the new, but to no effect.
>
> Any ideas what else to try?

--
Regards,
Klavs Klavsen, GSEC - [EMAIL PROTECTED] - http://www.vsen.dk
Anyone using CARP on vlans?
Hi guys,

I can see that there's been problems in the past with CARP and vlan support.

I would be happy, if you could tell me if you have any experience with running carp on vlan interfaces?

I intend to run it on a FreeBSD 6.2 with em interfaces. This works fine for another firewall, but it has no vlans.

--
Regards,
Klavs Klavsen, GSEC - [EMAIL PROTECTED] - http://www.vsen.dk