I've currently been running a redundant firewall solution in our
Production environment using OpenBSD (version 4.5-stable) with CARP (4),
PF (4), PFsync (4) and SAsyncd (8) which syncs the pf rules and IPSEC
security associations via the cross-over cable method. We're also
running an IPSEC (4)
On Thu, Jun 4, 2009 at 5:49 AM, Georg Kahest wrote:
> I think I have figured it out, the pfctl -vsi checksums are identical,
> everything works if I load filter rules via include (include
> "/etc/pf.filter"), but when filter rules are loaded into an anchor (load
> anchor shape from "/etc/pf.filter
I think I have figured it out, the pfctl -vsi checksums are identical,
everything works if I load filter rules via include (include
"/etc/pf.filter"), but when filter rules are loaded into an anchor (load
anchor shape from "/etc/pf.filter"), then after sync the ongoing
traffic won't hit the right queue
* Georg Kahest [2009-06-02 10:01]:
> The rules look identical to me at the moment, but I will double-check
> them, one thing though, I don't have the same interface names at both boxes,
that is your problem.
The checksum in pfctl -vsi must be identical.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
Hello again
I made identical configurations to both boxes pf-wise; the only difference
was the physical interface under the vlan interfaces on top of which carp
was built, and I could not get carp/pfsync to work correctly: ongoing
traffic at failover did not hit the right queue, only new traffic did.
Note:
A little update: the filter rules are these; except for the interface name
they are identical, and the queue names are identical as well; the only
difference is on what interface the queues are present.
Node1
pass in log on vlan0 inet from zzz.xxx.yyy./30 to any flags S/SA
keep state queue(zzz.xxx.yyy.
Hello
The rules look identical to me at the moment, but I will double-check
them; one thing though, I don't have the same interface names at both boxes,
though the rules/queues are identical (they are built out of a script for
both boxes); the only exception is that interface names are macros rather
than static val
* Georg Kahest [2009-06-01 15:21]:
> Yes, the rulesets are identical; the strange thing is that from pftop it seems
> that it hits the default queue (25mbit queue) but somehow the client gets
> 10~MB/s, which seems more like the interface root queue value rather than that
> default queue. Though the real queue it should
Yes, the rulesets are identical; the strange thing is that from pftop it seems
that it hits the default queue (25mbit queue) but somehow the client gets
10~MB/s, which seems more like the interface root queue value rather than that
default queue. Though the real queue it should use is at 8mbit.
On E, 2009-06-01 at 15:09
On 2009/06/01 15:57, Georg Kahest wrote:
> Okay, now that the failover seems to be working I have hit another problem:
> the thing is, when failover occurs and the other node takes over, the client
> connection won't hit the right ALTQ queue anymore, rather it goes
> unqueued (full speed), and only the new conne
Okay, now that the failover seems to be working I have hit another problem:
the thing is, when failover occurs and the other node takes over, the client
connection won't hit the right ALTQ queue anymore, rather it goes
unqueued (full speed), and only the new connections initiated after
failover will hit the right
Okay, I think I figured it out: the problem was with my switch spanning
tree; when I disabled it for the appropriate vlans everything started to work
correctly.
On E, 2009-06-01 at 13:14 +0200, Stuart Henderson wrote:
> On 2009/06/01 12:55, Georg Kahest wrote:
> > # $OpenBSD: netstart,v 1.122 200
I had modified rc.conf a little and the last log paste was because of that
modification; this is the current log, but still the client behind the lan
carp loses its packets, first to its gateway with host unreachable, and
after a few packets it times out, and then everything starts working okay.
Jun 1 15:2
This log is from the preferred (master) node; it seems that the problem is that carp0
takes master even before carp1 has gone to backup. How do I resolve it, so
that they would go master at the same time?
Jun 1 14:45:54 node1 /bsd: carp0: state transition: INIT -> BACKUP
Jun 1 14:45:54 node1 /bsd: carp: carp0
On 2009/06/01 12:55, Georg Kahest wrote:
> # $OpenBSD: netstart,v 1.122 2008/07/23 16:05:47 sthen Exp $
>
> # $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
>
> # uname -a
> OpenBSD node1 4.4 GENERIC.MP#1 amd64
It's not what I was thinking it might be then (there was a change to
# $OpenBSD: netstart,v 1.122 2008/07/23 16:05:47 sthen Exp $
# $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
# uname -a
OpenBSD node1 4.4 GENERIC.MP#1 amd64
On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote:
> On 2009-05-28, Georg Kahest wrote:
> > Hello, i have strange p
On 2009-05-28, Georg Kahest wrote:
> Hello, I have a strange problem with my Carp/Pfsync: when I manually
> fail over via carpdemote or ifconfig carpX down, then the failover works
> okay; it even works okay when one box goes down, but when the preferred
> master comes up again and starts to act as car
Hi Georg
I think I remember something like this ... could it be that carp takes
over the interface before pfsync has finished updating the booted
machine's connection table?
TCP (and many other protocols) takes care of such situations by simply
retransmitting, so any TCP connections should rec
Hello, I have a strange problem with my Carp/Pfsync: when I manually
fail over via carpdemote or ifconfig carpX down, then the failover works
okay; it even works okay when one box goes down, but when the preferred
master comes up again and starts to act as carp master, then the client who
has carp as its ga
On Monday 04 June 2007 17:19:10 David Newman wrote:
> OK, but how then to get redundancy across the firewalls?
STP - see brconfig(8).
--
Antoine
On 2007/06/04 08:19, David Newman wrote:
> Stuart Henderson wrote:
> > On 2007/06/04 07:11, David Newman wrote:
> >> I could divide the /26 into smaller netblocks and configure pf to route
> >> between them but I'm reluctant to do that given that I'd burn a network
> >> and broadcast address for ea
* David Newman <[EMAIL PROTECTED]> [2007-06-04 16:27]:
> Henning Brauer wrote:
> > * David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]:
> >> but it says carp doesn't work with bridging
> >
> > carp allows two hosts to share an IP.
> > now expla
Stuart Henderson wrote:
> On 2007/06/04 07:11, David Newman wrote:
>> I could divide the /26 into smaller netblocks and configure pf to route
>> between them but I'm reluctant to do that given that I'd burn a network
>> and broadcast address for each n
On 2007/06/04 07:11, David Newman wrote:
> I could divide the /26 into smaller netblocks and configure pf to route
> between them but I'm reluctant to do that given that I'd burn a network
> and broadcast address for each netblock, and a /26 is small enough as it is.
>
> Is there a better way? Tha
Henning Brauer wrote:
> * David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]:
>> but it says carp doesn't work with bridging
>
> carp allows two hosts to share an IP.
> now explain me how that is supposed to work with bridges, where the
> forwarding
* David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]:
> but it says carp doesn't work with bridging
carp allows two hosts to share an IP.
Now explain to me how that is supposed to work with bridges, where the
forwarding does not happen at the IP layer.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL
Thanks in advance for guidelines on using pf with carp and pfsync boxes
that bridge rather than route.
I found this guide:
http://www.seattlecentral.edu/~dmartin/docs/bridge.html
but it says carp doesn't work with bridging and to use spanning tree
i
--- Quoting Gilles Chehade on 2007/04/18 at 22:23 +0200:
> Hi misc@,
>
> I am trying to setup a set of "carp"-ed firewalls as follow:
>
>
>
> ISP 1 ISP 2
> | |
>\ /
> _ SWITCH # 1 _
>
Hi misc@,
I am trying to setup a set of "carp"-ed firewalls as follow:
ISP 1 ISP 2
| |
\ /
_ SWITCH # 1 _
/ || \
/ || \
bge