Packet Loss on FW1 but not FW2 (CARP + PF on FBSD8)
onnections
nat on $ext_if inet from $int_if:network to any -> $office_ext
### port forwards
rdr on $ext_if proto tcp from any to $office_ext port X -> $pab port 22
rdr on $ext_if proto tcp from any to $office_ext port X -> $pab port 3389
### ruleset
block in log all# default deny
block in log quick from urpf-failed # spoofed address protection
block in log quick from { , }
pass log from { lo0, $int_if:network, $ext_if, $carp_extif,
$carp_intif } to any keep state
pass in quick from keep state
pass log inet proto icmp all icmp-type $icmp_types
pass quick on $pfs_if proto pfsync keep state (no-sync) #
enable pfsync
pass on { $int_if, $ext_if } proto carp keep state (no-sync)# enable CARP
FW1 ifconfig (carp0 and carp1 are down, packet loss happens regardless):
soekris1# ifconfig
vr0: flags=8943 metric
0 mtu 1500
options=280b
ether 00:00:24:cc:cb:94
inet 98.xxx.xxx.59 netmask 0xfff8 broadcast 98.xxx.xxx.63
media: Ethernet autoselect (100baseTX )
status: active
vr1: flags=8943 metric
0 mtu 1500
options=280b
ether 00:00:24:cc:cb:95
inet 192.168.1.10 netmask 0xff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX )
status: active
vr2: flags=8843 metric 0 mtu 1500
options=280b
ether 00:00:24:cc:cb:96
inet 10.0.10.12 netmask 0xff00 broadcast 10.0.10.255
media: Ethernet autoselect (100baseTX )
status: active
pfsync0: flags=41 metric 0 mtu 1460
pfsync: syncdev: vr2 syncpeer: 10.0.10.13 maxupd: 128
carp0: flags=8 metric 0 mtu 1500
inet 98.xxx.xxx.61 netmask 0xfff8
inet 98.xxx.xxx.62 netmask 0xfff8
inet 98.xxx.xxx.58 netmask 0xfff8
carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=8 metric 0 mtu 1500
inet 192.168.1.1 netmask 0xff00
carp: INIT vhid 2 advbase 1 advskew 0
FW2 ifconfig (carp0 and carp1 are up and in failover mode):
---
soekris2# ifconfig
vr0: flags=8943 metric
0 mtu 1500
options=280b
ether 00:00:24:ca:40:60
inet 98.xxx.xxx.60 netmask 0xfff8 broadcast 98.xxx.xxx.63
media: Ethernet autoselect (100baseTX )
status: active
vr1: flags=8943 metric
0 mtu 1500
options=280b
ether 00:00:24:ca:40:61
inet 192.168.1.11 netmask 0xff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX )
status: active
vr2: flags=8843 metric 0 mtu 1500
options=280b
ether 00:00:24:ca:40:62
inet 10.0.10.13 netmask 0xff00 broadcast 10.0.10.255
media: Ethernet autoselect (100baseTX )
status: active
pfsync0: flags=41 metric 0 mtu 1460
pfsync: syncdev: vr2 syncpeer: 10.0.10.12 maxupd: 128
carp0: flags=49 metric 0 mtu 1500
inet 98.xxx.xxx.61 netmask 0xfff8
inet 98.xxx.xxx.62 netmask 0xfff8
inet 98.xxx.xxx.58 netmask 0xfff8
carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49 metric 0 mtu 1500
inet 192.168.1.1 netmask 0xff00
carp: MASTER vhid 2 advbase 1 advskew 100
Regardless if I flip IPs, flip ports on the switch, anything plugged
into vr0 on FW1 at the office causes 70% packet loss, yet it's fine on
FW2. FW1 vr0 works fine at my house using one of my localnet IPs.
Any suggestions on how to track down where this packet loss is coming
from? I appreciate any input!
Thanks!
Patrick
This message was sent using IMP, the Internet Messaging Program.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: Packet Loss on FW1 but not FW2 (CARP + PF on FBSD8)
Quoting Pyun YongHyeon : On Fri, May 14, 2010 at 02:56:12PM -0400, l...@cykotix.com wrote: Hello, I recently just purchased 2 Soekris5501 with identical 120gb 2.5" WD Scorpio HDDs. I'm using them for network failover, using CARP, PF and pfSync on FreeBSD 8-STABLE. The short version of my problem: I setup FW2 first, imaged its hard drive to FW1. I changed the necessary configs to update the IPs and ensure FW1 was carp MASTER. Using a known working port on the switch, I continue to get 70% packet loss on FW1 on vr0 (vr0 - extif, vr1 - intif, vr2 - pfsync). If I flip FW1 and FW2, the packet loss follows FW1. I took FW1 home, plugged it into my home network on vr0 and it works fine with 0% packet loss so the interface seems fine. I also took the IP bound to vr0 on FW1 and bound it to vr0 on FW2 and the ISP isn't the problem. Show me the output of "sysctl dev.vr.0.stats=1" and "netstat -ndI vr0". soekris1# sysctl dev.vr.0.stats=1 dev.vr.0.stats: -1 -> -1 soekris1# netstat -ndI vr0 NameMtu Network Address Ipkts IerrsOpkts Oerrs Coll Drop vr01500 00:00:24:cc:cb:9417491 014993 0 00 vr01500 98.xxx.xxx.56 98.xxx.xxx.59 992 - 9374 - -- soekris2# sysctl dev.vr.0.stats=1 dev.vr.0.stats: -1 -> -1 soekris2# netstat -ndI vr0 NameMtu Network Address Ipkts IerrsOpkts Oerrs Coll Drop vr01500 00:00:24:ca:40:60 575909 0 588703 0 00 vr01500 98.xxx.xxx.56 98.xxx.xxx.6010029 -53106 - -- Let me know if you need any other information! Thanks! Patrick This message was sent using IMP, the Internet Messaging Program. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: Packet Loss on FW1 but not FW2 (CARP + PF on FBSD8)
Quoting Pyun YongHyeon : >Show me the output of "sysctl dev.vr.0.stats=1" and "netstat -ndI vr0". soekris1# sysctl dev.vr.0.stats=1 dev.vr.0.stats: -1 -> -1 Please check the output of console. It would have printed some MAC counters maintained in driver. soekris1# netstat -ndI vr0 NameMtu Network Address Ipkts IerrsOpkts Oerrs Coll Drop vr01500 00:00:24:cc:cb:9417491 014993 0 00 vr01500 98.xxx.xxx.56 98.xxx.xxx.59 992 - 9374 - -- FW1: vr0 statistics: Outbound good frames : 14992 Inbound good frames : 17486 Outbound errors : 0 Inbound errors : 0 Inbound no buffers : 0 Inbound no mbuf clusters: 0 Inbound FIFO overflows : 0 Inbound CRC errors : 0 Inbound frame alignment errors : 0 Inbound giant frames : 0 Inbound runt frames : 0 Outbound aborted with excessive collisions : 0 Outbound collisions : 0 Outbound late collisions : 0 Outbound underrun : 0 PCI bus errors : 0 driver restarted due to Rx/Tx shutdown failure : 0 No Ierrs, so MAC counters would be more helpful here. soekris2# sysctl dev.vr.0.stats=1 dev.vr.0.stats: -1 -> -1 soekris2# netstat -ndI vr0 NameMtu Network Address Ipkts IerrsOpkts Oerrs Coll Drop vr01500 00:00:24:ca:40:60 575909 0 588703 0 00 vr01500 98.xxx.xxx.56 98.xxx.xxx.6010029 -53106 - -- FW2: vr0 statistics: Outbound good frames : 588054 Inbound good frames : 575353 Outbound errors : 0 Inbound errors : 0 Inbound no buffers : 0 Inbound no mbuf clusters: 0 Inbound FIFO overflows : 0 Inbound CRC errors : 0 Inbound frame alignment errors : 0 Inbound giant frames : 0 Inbound runt frames : 0 Outbound aborted with excessive collisions : 0 Outbound collisions : 0 Outbound late collisions : 0 Outbound underrun : 0 PCI bus errors : 0 driver restarted due to Rx/Tx shutdown failure : 0 Patrick This message was sent using IMP, the Internet Messaging Program. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
EMAIL LIST KENYA
Do you need to market your products or services in the most cost effective and efficient way? We have over 450,000 Valid Kenyan Email addresses and a Mass E-mailing software that can send up to 1000 emails per minute. With a one off cost of Ksh 35,000 you can acquire all this and increase your client base. For more information on how to get this please call 0724008640 ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Thank you for your feedback
Hello, This is an automated reply from Sun Microsystems. It was generated when a message was sent to one of our email aliases with this address as the 'Reply to:'. Thank you for your interest in Sun products and technologies and for taking the time to write. If you are seeking technical support or coding help, please see the resources listed here: http://developers.sun.com/ This email alias is no longer being monitored. We are now using a central feedback form to gather your comments and questions about the Web site. http://developers.sun.com/contact/index.jsp Your comments are important to us and help us improve our Web site and other services. However, due to the amount of mail that we receive, we will not be able to send individual responses to each email. Sincerely, The Source Web site team Sun Developer Network: The Source for Developers http://sun.com/developers/ ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Message ("The distribution of your message dated Sun, 08...")
The distribution of your message dated Sun, 08 May 2005 06:34:56 GMT with no subject has been postponed because the JNI list is held. No action is required from you; your message will be reprocessed automatically once the list owner releases the list. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Message ("The distribution of your message dated Sun, 08...")
The distribution of your message dated Sun, 08 May 2005 06:34:56 GMT with no subject has been postponed because the JAVA-AWT list is held. No action is required from you; your message will be reprocessed automatically once the list owner releases the list. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Output of your job "freebsd-net"
> ok ok ok, here is it Too many arguments specified - maximum is 2. Summary of resource utilization --- CPU time:0.000 sec Overhead CPU:0.000 sec CPU model: 4-CPU Ultra-80 Job origin: freebsd-net@FREEBSD.ORG ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Thank you for your feedback
Hello, This is an automated reply from Sun Microsystems. It was generated when a message was sent to one of our email aliases with this address as the 'Reply to:'. Thank you for your interest in Sun products and technologies and for taking the time to write. If you are seeking technical support or coding help, please see the resources listed here: http://developers.sun.com/ This email alias is no longer being monitored. We are now using a central feedback form to gather your comments and questions about the Web site. http://developers.sun.com/contact/index.jsp Your comments are important to us and help us improve our Web site and other services. However, due to the amount of mail that we receive, we will not be able to send individual responses to each email. Sincerely, The Source Web site team Sun Developer Network: The Source for Developers http://sun.com/developers/ ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
