> On 2019/02/22 20:45, Charles Amstutz wrote:
> > > Not sure if it will give any additional clues but can you show dmesg please?
> >
> > Sure, however, they are quite lengthy, are you wanting the whole thing? I apologize, not sure of protocol here.
>
> Yes please, the whole thing is fine (and p
On 2019/02/22 20:45, Charles Amstutz wrote:
> > Not sure if it will give any additional clues but can you show dmesg please?
>
> Sure, however, they are quite lengthy, are you wanting the whole thing? I
> apologize, not sure of protocol here.
Yes please, the whole thing is fine (and preferable t
> Not sure if it will give any additional clues but can you show dmesg please?
Sure, however, they are quite lengthy, are you wanting the whole thing? I
apologize, not sure of protocol here.
Not sure if it will give any additional clues but can you show
dmesg please?
On 2019-02-21, Charles Amstutz wrote:
>> congestion 1777154 11.1/s
>>
> The actual problem that we are seeing is that OpenBSD is faili
> Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> > Hello
> >
> > We are running into an issue with a lot of dropped packets where states
> > are failing to be created. We have noticed that it coincides with a fair
> > amount of congestion, around 10-15/s according to 'pfctl -si
Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
>
> We are running into an issue with a lot of dropped packets where states are
> failing to be created. We have noticed that it coincides with a fair amount
> of congestion, around 10-15/s according to 'pfctl -si'.
>
Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
>
> We are running into an issue with a lot of dropped packets where states are
> failing to be created. We have noticed that it coincides with a fair amount
> of congestion, around 10-15/s according to 'pfctl -si'.
>
>
Hello
We are running into an issue with a lot of dropped packets where states are
failing to be created. We have noticed that it coincides with a fair amount of
congestion, around 10-15/s according to 'pfctl -si'.
We finally tried disabling our Carp Interfaces (we are using carp for failover)
On Sat, Sep 11, 2010 at 09:27:51AM -0600, Andy Bradford wrote:
> Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200:
>
> > Wrong, UDP is normally not a fully defined 4 tuple. Especially the
> > listening sockets (on port 53) can be slammed with packets. On the
> > other hand, if th
* Martin Pelikan [2010-09-09 12:24]:
> It depends on what you need. The defaults suffice for most cases,
> but on our most loaded router we use tcp both 256k and udp send space
which is bullshit on a router, since rcv/send space is for sockets and
irrelevant for forwarded traffic - no sockets
Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200:
> Wrong, UDP is normally not a fully defined 4 tuple. Especially the
> listening sockets (on port 53) can be slammed with packets. On the
> other hand, if the recvbuffer overflows then packets just get dropped.
Thank you for the
On Fri, Sep 10, 2010 at 08:20:30PM -0600, Andy Bradford wrote:
> Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200:
>
> > Because on busy servers you need to queue quite a few packets to
> > handle bursts.
>
> I was under the impression that UDP is connectionless and therefore
Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200:
> Because on busy servers you need to queue quite a few packets to
> handle bursts.
I was under the impression that UDP is connectionless and therefore
does not behave the same as a TCP connection. I would guess that
s
Martin Pelikán [martin.peli...@gmail.com] wrote:
> 2010/9/10, Chris Cappuccio :
> > Stop using ALTQ on your DNS server, perhaps? That may be what is causing
> > the back-pressure that you're seeing.
>
> Why do you think it would help? Those lots of packets would arrive
> anyway, only the decent
2010/9/10, Chris Cappuccio :
> Stop using ALTQ on your DNS server, perhaps? That may be what is causing
> the back-pressure that you're seeing.
Why do you think it would help? Those lots of packets would arrive
anyway, only the decent user will wait longer for his website to load.
Fortunately alt
Martin Pelikán [martin.peli...@gmail.com] wrote:
> 2010/9/10, Andy Bradford :
> > Why would you need 65k UDP for DNS? Almost all UDP based DNS responses
> > are under 512 bytes, those that are larger are required to set the
> > truncated bit and the client restart the query using TCP.
>
On Fri, Sep 10, 2010 at 08:35:04AM -0600, Andy Bradford wrote:
> Thus said Martin Pelikán on Thu, 09 Sep 2010 12:21:17 +0200:
>
> > It depends on what you need. The defaults suffice for most cases,
> > but on our most loaded router we use tcp both 256k and udp send space
> >
2010/9/10, Andy Bradford :
> Why would you need 65k UDP for DNS? Almost all UDP based DNS responses
> are under 512 bytes, those that are larger are required to set the
> truncated bit and the client restart the query using TCP.
We have probably too many wild users because the logs were fl
Thus said Martin Pelikán on Thu, 09 Sep 2010 12:21:17 +0200:
> It depends on what you need. The defaults suffice for most cases,
> but on our most loaded router we use tcp both 256k and udp send space
> 65k (lots of dns). Just test it somewhere.
Why would you need 65k UDP
2010/9/10, Stuart Henderson :
> these affect traffic sourced from the box itself, *not* routed through it.
We had to do quite extensive link testing because of strange packet
loss on the SDH circuit. The buffer sizes really mattered :-) But
thanks to the information as the link appears to be okay
On 2010-09-09, Martin Pelikán wrote:
> 2010/9/9, Joe Warren-Meeks :
>> recv/send:
>> net.inet.tcp.recvspace=16384
>> net.inet.udp.recvspace=41600
>> j...@f1:/home/joe> sysctl -a |grep send
>> net.inet.tcp.sendspace=16384
>> net.inet.udp.sendspace=9216
>>
>>
>> Too low? What is a good value for th
Joe Warren-Meeks wrote:
Hey guys,
I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as
an active/passive firewall pair.
Both are running: (full dmesg at bottom, along with edited pf.conf, in
case it's relevant)
j...@f2:/home/joe> uname -a
OpenBSD f2 4.6 GENERI
2010/9/9, Joe Warren-Meeks :
> Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of
> traffic at peak. It does need to maintain a largeish state table, as
> it is predominantly web traffic, but I've run much much larger and
> busier sites behind much smaller hardware with the same config
2010/9/9 Martin Pelikan :
Hello Martin,
> I thought the same when I played with TCP buffers set to 1M and after
> some heavy load tests I went out of RAM quite soon :-) The machine had
> 2G.
Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of
traffic at peak. It does need to maintai
2010/9/8, Joe Warren-Meeks :
> I've had a weird problem happen twice now. It seems after about 4 - 6
> weeks of running very happily, both servers lock up completely at the
> same time. Both consoles show no error messages, but the cursor is
> blinking away happily. Neither console will take any in
Hey guys,
I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as
an active/passive firewall pair.
Both are running: (full dmesg at bottom, along with edited pf.conf, in
case it's relevant)
j...@f2:/home/joe> uname -a
OpenBSD f2 4.6 GENERIC.MP#81 amd64
I've h
Oh I see, so carp_up would be when it's acting as master and carp_down for when
it's acting as a backup?
Stu
--- On Thu, 5/8/10, Claer wrote:
From: Claer
Subject: Re: CARP + PF
To: misc@openbsd.org
Date: Thursday, 5 August, 2010, 16:59
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
>
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
> The question I have is how do I get dhclient working with the cable modem,
> given that the IP address is dynamic? dhclient doesn't work when the carp
> interface is in INIT mode and I'm not sure how to get carp to "share" the IP
> address between
Hi all,
I have a cable modem and an ADSL line at home; the DSL line gives me a static
ip but the cable modem gives me a dynamic one. My plan was to use 2 openbsd
boxes as network routers with CARP for failover, the idea being that I would
plug the cable modem into a switch and plug both boxes into
Hi,
I have been trying a carp setup today and I am consistently getting
the following panic:
Stopped at Xrecurse_legacy5+0x30: pushl $0
ddb> trace
Xrecurse_legacy5() at Xrecurse_legacy5+0x30
--- interrupt ---
0:
It doesn't seem to happen at any noticeable (or that I have noticed)
key
it is highly recommended you cruise the DNS rfcs and/or read the dns
bible.. these are problems solved 20 years ago
On 8/28/07, reje <[EMAIL PROTECTED]> wrote:
> In the sense of expanding DNS infrastructure, your
> comments seem sane enough (you definitely read that
> DNS & BIND book :-)
>
> On th
On Tue, 28 Aug 2007, reje wrote:
>On the other side, I really need to introduce
>_additional_ availability of DNS servers/resolvers.
>This is especially true for resolvers as they are the
>first layer users are facing. Assume the situation
>when ordinary Windows user tries to access a web page
>no
On 8/27/07, reje <[EMAIL PROTECTED]> wrote:
> I'm wondering is there a way to scale DNS service
> using OpenBSD's CARP and loadbalancing/pool features
> of pf ? How about hoststated(8) ? (as I know
> hoststated(8) doesn't support UDP right now)
You can do it with a pf table and with a small progra
In the sense of expanding DNS infrastructure, your
comments seem sane enough (you definitely read that
DNS & BIND book :-)
On the other side, I really need to introduce
_additional_ availability of DNS servers/resolvers.
This is especially true for resolvers as they are the
first layer users are f
reje wrote:
Yes, we have that much DNS requests hitting our servers
(we are not experiencing any DoS but from legitimate
user requests :-)
Furthermore, the DNS infrastructure timeouts are
unacceptable in our scenario. Registering additional NS
records is also unacceptable.
FYI: our primary DNS ex
Please take a look at this Cisco document regarding
Scaling DNS services and CSM:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95d.pdf
p.s.- long ago read DNS & BIND but this book assumes
tolerance to DNS timeouts and availability of more
than two DNS IP
Yes, we have that much DNS requests hitting our servers
(we are not experiencing any DoS but from legitimate
user requests :-)
Furthermore, the DNS infrastructure timeouts are
unacceptable in our scenario. Registering additional NS
records is also unacceptable.
FYI: our primary DNS experiences cca.
reje wrote:
Please take a look at this Cisco document regarding
Scaling DNS services and CSM:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95d.pdf
It's a while since I had such a good laugh.
The cisco doc above requires more than one device, but as IO
reje wrote:
Hi there,
I'm wondering is there a way to scale DNS service
using OpenBSD's CARP and loadbalancing/pool features
Don't ever load balance DNS in anyway.
Read the DNS & BIND book.
--
Craig Skinner [EMAIL PROT
On Mon, 27 Aug 2007 05:03:40 -0700 (PDT), reje <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'm wondering is there a way to scale DNS service
> using OpenBSD's CARP and loadbalancing/pool features
> of pf ? How about hoststated(8) ? (as I know
> hoststated(8) doesn't support UDP right now)
Is it re
Hi there,
I'm wondering is there a way to scale DNS service
using OpenBSD's CARP and loadbalancing/pool features
of pf ? How about hoststated(8) ? (as I know
hoststated(8) doesn't support UDP right now)
Here is the lab setup I tried but ran into problems:
1) setup two OpenBSD 4.1 servers with tw
On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.
On the master CARP firewall, with tcpdump on the external interface:
It might be useful if you post
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> I didn't see any "Can't access Tickmaster.ca" entries; but I
> think I have the rest covered.
>
> No other sites have this problem. The firewall sits in front
> of an office of 15 or so, so I believe I would have heard
> something. Logging is
Chris Cameron wrote:
On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.
But make
Again, does anyone have any ideas? Can other people access ticketmaster
through their CARP'd NAT firewall?
Yeah it works fine over here. How about cranking PF's debugging and
watching syslog? pfctl -x loud
Tim
On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
> On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
> > Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
> > unable to get to ticketmaster.ca or .com. They both have different IPs.
> But make sure you have read and understand
On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.
On the master CARP firewall, with tcpdump on the external interface:
If you want help you are going
Sorry, hit Ctrl+Enter.
192.168.0.1 - CARP IP
192.168.0.2 - Master firewall IP
On the master CARP firewall, with tcpdump on the external interface:
Connecting behind firewall:
08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S
4111080674:4111080674(0) win 16384 (DF) [tos 0x10]
08:18:30.
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.
On the master CARP firewall, with tcpdump on the external interface:
Jason Stubbs wrote:
From what I understand of the theory, it should work but I was hoping
to get a "yes, I'm doing it" from somebody. Unless there's a reason it
won't work, I'll be having a go and getting it set up in the first week
of March and will write back with the results.
Ok, I had tr
Joseph C. Bender wrote:
Jason Stubbs wrote:
Hi,
I'm looking to set up redundant firewalls in pretty much the same way
as is detailed in the PF FAQ. For discussion purposes, I've reproduced
the basic network layout below.
From your description and questions below, it looks like you're no
Jason Stubbs wrote:
Hi,
I'm looking to set up redundant firewalls in pretty much the same way as
is detailed in the PF FAQ. For discussion purposes, I've reproduced the
basic network layout below.
From your description and questions below, it looks like you're not
trying to do it the same w
Hi,
I'm looking to set up redundant firewalls in pretty much the same way as
is detailed in the PF FAQ. For discussion purposes, I've reproduced the
basic network layout below.
+| WAN/Internet |+
||
em2||em2