Hello Theo,
It's disheartening to see the disparity in treatment between entities like
OpenBSD and larger corporations within these governance structures.
However, your resolve in the face of such challenges is commendable. The
creation of CARP, under the circumstances you described, not only serv
Greetings,
I have now attained a deeper understanding of the topic at hand; thank you
for your insights. It appears that my requirements necessitate
communication between a Cisco router and VRRP, rather than CARP. Upon
reviewing the open-source projects you've recommended, here are my findings:
T
Stuart Henderson wrote:
> On 2024-02-13, Samuel Jayden wrote:
> > From the information provided in the link, it appears that CARP and VRRP
> > protocols aren't inherently interoperable.
>
> They are different protocols - they *had* to be different because VRRP
> was subject to patents. And if c
On 2024-02-13, Samuel Jayden wrote:
> From the information provided in the link, it appears that CARP and VRRP
> protocols aren't inherently interoperable.
They are different protocols - they *had* to be different because VRRP
was subject to patents. And if carp was changed now, it wouldn't be
in
On 13.02.2024 19:07, Samuel Jayden wrote:
Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?
One step back... you're looking at using one cisco router and one
OpenBSD box as a redundant pair? I've no idea and in over 20y I did
Hello Marcus,
Thank you for your response.
From the information provided in the link, it appears that CARP and VRRP
protocols aren't inherently interoperable.
While Cisco may have attempted to address this by introducing a command
like "disable-loop-detection carp" in its Nexus 1000V virtual rou
Hello Samuel,
samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> I am reaching out to seek guidance on creating redundancy between a Cisco
> Router and OpenBSD. After conducting extensive research on the subject, I
> find myself in need of clarification on a specific poin
Followup...
On 5/12/23 08:17, Stuart Henderson wrote:
On 2023-05-12, Nick Holland wrote:
...
I had several other people suggest network problems. I'm not going to
say "impossible" or even "unlikely", but my understanding is that the
two machines are both plugged into the same switch, in the
On 16/05/2023 00:11, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
Nick, spare yourself the pain and just designate one machine as the
master. This is how we run all our proxy server pairs (nginx,
squid, other stuff). For a pair fooa/foob, 'a' is the master, and
gets advskew 100. The 'b' host gets 15
Nick, spare yourself the pain and just designate one machine as the
master. This is how we run all our proxy server pairs (nginx,
squid, other stuff). For a pair fooa/foob, 'a' is the master, and
gets advskew 100. The 'b' host gets 150. Make sure preemption is
enabled.
When it's upgrade time, up
On 12/05/2023 14:43, Nick Holland wrote:
> I had several other people suggest network problems. I'm not going to
> say "impossible" or even "unlikely", but my understanding is that the
> two machines are both plugged into the same switch, in the same rack.
>
> Several people pointed out I was usin
On 2023-05-12, Nick Holland wrote:
> On 5/12/23 03:28, Stuart Henderson wrote:
>> On 2023-05-12, Nick Holland wrote:
>>> Here's the problem I've seen: I have my two machines flipping state
>>> randomly(?). This bothers me because that means it is breaking people's
>>> downloads. Longest perio
On 5/12/23 03:28, Stuart Henderson wrote:
On 2023-05-12, Nick Holland wrote:
Here's the problem I've seen: I have my two machines flipping state
randomly(?). This bothers me because that means it is breaking people's
downloads. Longest period between flips was less than two weeks.
So ... I
On 2023-05-12, Nick Holland wrote:
> Here's the problem I've seen: I have my two machines flipping state
> randomly(?). This bothers me because that means it is breaking people's
> downloads. Longest period between flips was less than two weeks.
>
> So ... I cranked up the carp logging to 5 an
--- Original Message ---
On Friday, April 14th, 2023 at 7:14 AM, Janne Johansson
wrote:
> Not impossible to have switches(*) that dislike/filter/bug on
> multicast too I guess, so I would suggest rigging the carps up (at
> least temporary) with carppeer against the "real" ip of the remot
--- Original Message ---
On Friday, April 14th, 2023 at 10:50 AM, Markus Wernig
wrote:
Thank you Markus for your answer; as mentioned to Janne, the switch was the
problem. For the sake of documenting, I answered your questions below.
> - Do the two fw actually have a link on their car
For my external carp interface both firewalls show master as status.
The config is below for reference:
/etc/hostname.carp0 on fw1
inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password
advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0
/etc/hostname
On Sun, Jan 8, 2023 at 5:23 PM Nick Holland
wrote:
>
> Does this actually maintain state? I'm thinking pfsync might
> not work properly when the external interface "changes" like that.
> It wouldn't actually matter much in *my case*, but I'm wondering
> about the more general case.
>
>
>
I no ex
On 1/6/23 02:31, Christer Solskogen wrote:
On Mon, Jan 2, 2023 at 5:14 PM Nick Holland
wrote:
hiya.
Goal: home (i.e., DHCP external network config) redundant
firewalls with CARP and PFSYNC.
Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like i
On Mon, Jan 2, 2023 at 5:14 PM Nick Holland
wrote:
> hiya.
>
> Goal: home (i.e., DHCP external network config) redundant
> firewalls with CARP and PFSYNC.
>
>
Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like it when the two firewalls have differen
On Tue, Jun 28, 2022 at 2:58 PM Stuart Henderson
wrote:
>
> So for this you would need to monitor the interface status and change
> the default route, you couldn't rely on /etc/mygate.
>
>
I don't. I use ifstated :-)
On 2022-06-28, Christer Solskogen wrote:
> On Tue, Jun 28, 2022 at 12:18 PM Łukasz Moskała wrote:
>
>> You wanted to set the CARP IP as default gateway on both master and
>> backup, right?
>>
>>
> No, the master is the gateway. So that would not make sense at all.
> I would like to have the CARP
On Tue, Jun 28, 2022 at 12:18 PM Łukasz Moskała wrote:
> You wanted to set the CARP IP as default gateway on both master and
> backup, right?
>
>
No, the master is the gateway. So that would not make sense at all.
I would like to have the CARP IP as default gateway on the backup. (And
vice-versa,
On Tue, Jun 28, 2022 at 11:36:55AM +0200, Christer Solskogen wrote:
> On Tue, Jun 28, 2022 at 10:44 AM Stuart Henderson
> wrote:
>
> >
> > It makes no sense to set your own address as the default gateway?
> >
> >
> It would *if* backup didn't respond to the carp IP. But it does, so no it
On Tue, Jun 28, 2022 at 10:44 AM Stuart Henderson
wrote:
>
> It makes no sense to set your own address as the default gateway?
>
>
It would *if* backup didn't respond to the carp IP. But it does, so no it
does not make sense.
The reason I was hoping it would work was the wording in the FAQ.
On 2022-06-28, Christer Solskogen wrote:
> On Tue, Jun 28, 2022 at 10:21 AM Łukasz Moskała wrote:
>
>>
>> What problem are you trying to solve?
>>
>>
> Having identical config files on both the master and backup when it comes
> to setting up the default gateway. I was hoping I could just use the
On Tue, Jun 28, 2022 at 10:21 AM Łukasz Moskała wrote:
>
> What problem are you trying to solve?
>
>
Having identical config files on both the master and backup when it comes
to setting up the default gateway. I was hoping I could just use the carp
address as default gateway.
--
chs
On Tue, Jun 28, 2022 at 10:03:25AM +0200, Christer Solskogen wrote:
> On Tue, Jun 28, 2022 at 9:52 AM Łukasz Moskała wrote:
>
> > Run tcpdump on master, ping on backup. If you see pings in tcpdump, then
> > master is responding.
> > If not, backup is responding to itself.
> >
> >
> Good ca
On Tue, Jun 28, 2022 at 9:52 AM Łukasz Moskała wrote:
> Run tcpdump on master, ping on backup. If you see pings in tcpdump, then
> master is responding.
> If not, backup is responding to itself.
>
>
Good catch.
The backup is responding to itself. But should it? In the FAQ I find this:
"The maste
On Tue, Jun 28, 2022 at 09:47:40AM +0200, Christer Solskogen wrote:
> if you ping the carp ip from the backup, does the master respond or the
> backup itself?
>
> --
> chs
Hi,
Run tcpdump on master, ping on backup. If you see pings in tcpdump, then master
is responding.
If not, backup
On 9/24/21 6:13 PM, Don Tek wrote:
Would there be any ‘problem’ with configuring a 2-machine CARP
setup and then just keeping one machine powered-off until needed?
I realize this defeats live failover, but this is not a requirement
for my customer.
I just want them to be able to, in the eve
On 2021-09-25, leonard wrote:
> What is the power draw? I use a 1500 VA apc backups with 6 outlets on ups and
> 5 on surge protection. As long as your total draw is less than 1200 VA, for <
> $200 canadian you have a cheap simple solution. Just put one on the ups side
> and the other on the surg
@on the road
Original message
From: Don Tek
Date: 2021-09-25 11:40 (GMT-05:00)
To: jslee
Cc: misc@openbsd.org
Subject: Re: CARP Cold Spare
I'm not sure why the hardware matters, but the two machines are a couple HP 1U Gen 8 Xeon servers. Suffice
to say, they are ident
an 1200 VA, for <
> $200 canadian you have a cheap simple solution. Just put one on the ups side
> and the other on the surge suppressor side. Or buy 2.
>
>
>
> leonard@on the road
>
>
> Original message ----
> From: Don Tek
> Date: 2021-
I'm not sure why the hardware matters, but the two machines are a couple HP 1U
Gen 8 Xeon servers. Suffice to say, they are identical and have supported
hardware configurations for OpenBSD.
Of course I _could_ run one off direct power, but it would be a terrible idea.
The location is notoriou
Hi,
You haven’t said anything about your hardware platform, but could you run one
of them on non-UPS power? Then you’d still have one online when (*not* if) the
UPS fails, and also they’ll both normally be online for maintenance, syspatch,
config changes etc
I do recall installing a pair of id
> On Sep 24, 2021, at 6:16 PM, Don Tek wrote:
>
> Would there be any ‘problem’ with configuring a 2-machine CARP setup and
> then just keeping one machine powered-off until needed?
>
> I realize this defeats live failover, but this is not a requirement for my
> customer.
>
> I just want t
MJ J(mikedotjack...@gmail.com) on 2021.05.23 17:58:47 +0300:
> Hi,
>
> I have a carp master and backup on a pair of one-armed Raspberry Pi 4B
> devices (router1 and router2) and when I ssh to the backup using the
> carp IP as my gateway, it repeatedly throws me out after a few seconds
> with the m
Many thanks for your help Giannis ... I am not using oVirt to manage this KVM
host, only default installed tools: libvirtd, virsh ... In any case there is
not any filter applied in libvirtd
On 12/1/21, 20:13, "owner-m...@openbsd.org on behalf of Kapetanakis Giannis"
wrote:
On 12/01/
On 12/01/2021 18:58, Carlos Lopez wrote:
Thanks Gianni, but about what interface? KVM bridges? In theory, MAC spoofing
is avoided using this option:
bridge.ageing-time: 300
On 12/1/21, 17:47, "owner-m...@openbsd.org on behalf of Kapetanakis Giannis"
wrote:
Check t
Thanks Gianni, but about what interface? KVM bridges? In theory, MAC spoofing
is avoided using this option:
bridge.ageing-time: 300
On 12/1/21, 17:47, "owner-m...@openbsd.org on behalf of Kapetanakis Giannis"
wrote:
Check that you have mac spoofing filter disabled on
Check that you have mac spoofing filter disabled on that interface.
G
On 12/01/2021 15:30, Carlos Lopez wrote:
Hi David and misc@,
Sorry to disturb with this. I have realized several tests this morning with two
OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result is the
same
Hi David and misc@,
Sorry to disturb with this. I have realized several tests this morning with two
OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result is the
same: carp load balancing doesn't work. My host is a RedHat Enterprise Linux
8.3 with kernel .18.0-240.10.1.el8_3.x86_
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
>
> Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was using
> carp in IP balance mode without problems for several months. These firewalls
> are installed in a RHEL 8.2 (fully patched) KVM host.
>
> After upgrading to OpenBSD 6
Ok, done. I have already sent the bug report.
On 21/10/2020, 11:11, "Uwe Werler" wrote:
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
>
> Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was
> using carp in IP balance mode without problems for several months.
On 24/10/2019 10:41, Axel Rau wrote:
> Hi all,
>
> is a CARP setup with 2 firewall boxes with an upstream /30 transfer net
> feasible?
> E.g.
>
> 5.6.7.232/30
>
> 5.6.7.232 if box1
> 5.6.7.233 upstream router
> 5.6.7.234 if box2
> 5.6.7.235 if CARP
>
> Quick answer would be very helpful.
>
Were you able to resolve?
I have a SCVMM environment and I ran into a similar issue, there is a bug
in VMM 2016 with the NDIS extension but I believe it's resolved in 1807.
I have not been able to test, but would like to know if you had any
success, as I was not able to use CARP at all in Hyper-V a
Hi Ricardo,
You must set the VM's network adapter to 'Enable MAC address spoofing'
under 'Advanced Features'.
Nope, this isn't solving the problem. I can only ping the virtual ip from
the local machine still. It might need the NDIS Extension enabled on the
vSwitch too but I didn't change that
Hi Markus,
You must set the VM's network adapter to 'Enable MAC address spoofing'
under 'Advanced Features'.
/mestre
On 10:03 Tue 16 Oct , Markus Rosjat wrote:
> Hi there,
>
> I just have a question about CARP on Hyper-V VMs. It seems there was a
> problem with the virtual IP not being reachable f
On 17/04/18 02:06, jungle Boogie wrote:
> Hi All,
>
> I have a very simple carp setup - basically I want ssh access if the
> master goes offline.
> In theory, this is functioning correctly. In practice, it seems the
> backup is taking over way too often - the backup takes over way too
> often, ev
Hi Frank,
On Wed, 21 Dec 2016 12:41:43 +0100 Frank White wrote:
> Does a 2-node clustered openbsd firewall work with squid?
> Is there any specific configuration?
>
carp may not be needed as:
*) PAC files can list multiple proxies
*) A DNS entry can have multiple IP addresses
See the Squid FAQ:
On Wed, Dec 21, 2016 at 12:41:43PM +0100, Frank White wrote:
> Hi, does a 2-node clustered openbsd firewall work with squid?
> Is there any specific configuration?
If squid on each node would have its own cache dir, i.e. not sharing
data, then pointing your clients to squid hostname linked to CARP
Hi Bryan,
Thank you for the great message. I will re-read it in more detail
over the next few days and have a go at getting all the pieces of the
jigsaw put together !
Thanks again.
On 11 December 2016 at 18:12, Bryan Vyhmeister wrote:
> On Sun, Dec 11, 2016 at 09:45:08AM +, Bob Jones wrot
On Sun, Dec 11, 2016 at 09:45:08AM +, Bob Jones wrote:
> I have a planned network topology that will run on OpenBSD that (at
> the moment) will constitute of three boxes :
>
> 1 x Router (Openbsd running bgpd for connection to the outside world)
> 2 x Firewalls (running Openbsd)
>
> I can't q
On 2016 Oct 04 (Tue) at 09:27:50 +0200 (+0200), Jasper Siepkes wrote:
:Hi list!
:
:I'm experimenting with CARP and I'm a bit puzzled by the following
:behavior; I have 2 hosts setup in an active/passive way with CARP.
:Host A has an advskew of 0 and becomes master, Host B has an
:advskew of 100 an
Silly me... I forgot the 'net.inet.carp.preempt' sysctl variable.
I thought it was only for forcing demotion of other CARP interfaces if a
single one failed. But it's also for "claiming" the master spot.
Sorry for the noise :-(
> On 4 October 2016 at 9:27, Jasper Siepkes wrote:
>
> Hi list!
Thank you,
This (having unique VHID) was the solution.
I had considered originally that since each carp device is on its own VLAN,
that would represent a unique broadcast domain and it wouldn't be violating
anything - but without your suggestion I'm not sure I would have gone back
to review that
All your carp devices have the same VHID. As two share the same network,
that could cause problems.
On 08/23/2016 01:40 PM, Andrew Seguin wrote:
> Hi,
>
> I'm building up an OpenBSD router/firewall (migrating away from FreeBSD)
> but have been blocked by a behavior of carp in combination with V
Kim Zeitler(kim.zeit...@konzept-is.de) on 2016.04.15 11:41:07 +0200:
> Hello
>
> maybe a stupid question, but is it possible to run a carp(4) interface
> on vlan(4) interfaces?
yes
> In the following setup we have the problem that both boxes can be pinged
> on their address associated with th
Josh Grosse wrote:
On 2016-02-01 11:32, sven falempin wrote:
Dear Readers,
Without IP carp is marked as inactive,
See https://sites.google.com/site/bsdstuff/dhcarp and adapt
to your requirements.
The Book of PF, 3rd Edition
A No-Nonsense Guide to the OpenBSD Firewall
by Peter N. M. Hanst
On 2016-02-01 11:32, sven falempin wrote:
Dear Readers,
Without IP carp is marked as inactive,
i tried to set up a stupid IP on it and then call dhclient.
It sends packet but does configure interface.
:'(
Any particular reason for this ?
Thank you.
Carp requires static addresses. You can establ
On Tue, Jan 26, 2016 at 6:29 PM, sven falempin
wrote:
> Dear readers,
>
> How do bridge and carp interfaces work together?
>
> Can I bridge an interface that is a carpdev?
> Or should I bridge the carpdev?
> will the different physical be advertise and
> would be able to contact the carp interf
...I don't believe it...
I ssh'd all the time to the gateways and never had a look at the
boot messages.
2x "ifconfig invalid argument" was the hint at boot.
The fault (syntax typo?) was included in hostname.carp[0,1] -
"\" for a 2-liner didn't work... despite the usage of blanks only.
Rolf Sommerhalder(rolf.sommerhal...@alumni.ethz.ch) on 2015.08.01 17:17:42
+0200:
> After upgrading a firewall cluster from 5.6 to 5.7, I observed that
> carpX interfaces failed to come up with their settings.
>
> A manual start 'sh /etc/netstart carpX' ran without errors, although
> carpX still
On 2015-03-14, pixelfairy wrote:
> OpenBSD r0 5.6 GENERIC#0 i386
> soekris net6501, dmesg below
>
> r0:/etc# cat hostname.trunk1
> trunkproto failover trunkport em4 trunkport em5
> up
> r0:/etc# cat hostname.vlan111
> inet 10.1.11.2 255.255.255.0 10.1.11.255 vlandev trunk1
> up
> r0:/etc# cat host
Did you check layer 2 connectivity? It seems the secondary firewall does not
receive any carp packet
Mike
Original message
Subject: CARP problem
From: Jeff
To: misc@openbsd.org
Cc:
I've been using CARP for years and it's always done exactly what I
wanted and expected. We re
> > Will try it during the weekend...
>
After reconnecting the firewalls differently, I got it fixed.
Logically, the connections are the same, but apparently the 5300xl had a hard
time with its arp table...
Instead of connecting both firewalls directly on the routing switch, I made a
trunk back
if you can do a quick test on a different switch, that would at least
rule that out as your issue. if not, try disabling STP and retest
That was my guess, using a trunk to link the vlan to an edge switch not
affected by stp, and connecting the firewalls there.
This way, the 5300xl won't have to
On Fri, 30 Jan 2015 17:18:07 -0500
"Leclerc, Sebastien" wrote:
>> Rebooted fw2 at 3h02, fw1 kept master state, but had downtime until
>> 3h12 Rebooted fw1 at 3h15, got downtime until 4h10, fw1 got master
>> state at 3h16, fw2 got backup state at the same time
>>
>
>Inspecting further my logs, I
> Rebooted fw2 at 3h02, fw1 kept master state, but had downtime until 3h12
> Rebooted fw1 at 3h15, got downtime until 4h10, fw1 got master state at 3h16,
> fw2 got backup state at the same time
>
Inspecting my logs further, I see that smtp services were functioning between
wan and dmz during th
Jan 30, 2015; 8:10am Stuart Henderson wrote:
>>/etc/hostname.carp0
>>advskew 0 carpdev em0 carppeer 192.168.3.10 pass secret1 state master
>>vhid 1 inet 192.0.2.2/28
>Maybe unrelated, but it's not usual to set "state master" like this.
I know, it was not in the config at first, I added it to te
On 2015-01-27, Christopher Barry wrote:
> On Tue, 27 Jan 2015 12:01:37 -0500
> "Leclerc, Sebastien" wrote:
>>/etc/hostname.carp0
>>advskew 0 carpdev em0 carppeer 192.168.3.10 pass secret1 state master
>>vhid 1 inet 192.0.2.2/28
Maybe unrelated, but it's not usual to set "state master" like this
On Tue, 27 Jan 2015 12:01:37 -0500
"Leclerc, Sebastien" wrote:
>Hi,
>
>I have two firewalls in a carp failover setup, but the failover does
>not work as expected... The problem happens when I reboot the backup
>firewall (while in backup state). Just after the reboot, I have these
>entries in dmes
On 2015-01-05 18:38, etie...@magickarpet.org wrote:
On 2015-01-05 19:51, Ted Unangst wrote:
I would like to know if there is any trigger in CARP, any way to run a
script on a CARP interface status change? I could monitor
/var/log/messages for that, but is there any cleaner, more efficient
way?
On 2015-01-05 19:51, Ted Unangst wrote:
I would like to know if there is any trigger in CARP, any way to run a
script on a CARP interface status change? I could monitor
/var/log/messages for that, but is there any cleaner, more efficient
way?
ifstated?
Thanks! Sorry, I promise, none of my se
On Mon, Jan 05, 2015 at 19:43, etie...@magickarpet.org wrote:
> Hello list,
>
> I would like to know if there is any trigger in CARP, any way to run a
> script on a CARP interface status change? I could monitor
> /var/log/messages for that, but is there any cleaner, more efficient
> way?
ifstated
Please excuse typos, sent from my phone
> On 15 Oct 2014, at 19:13, Marko Cupać wrote:
>
> On Thu, 02 Oct 2014 18:02:23 +0100
> Andy wrote:
>
>> Hi
>>
>> Try setting the advskew to a number greater than 200 and less than
>> 254. This seems to be the most stable.
>>
>> For best practice our p
On Wed, Oct 15, 2014 at 2:13 PM, Marko Cupać wrote:
>> Oct 14 15:21:19 bgp1 /bsd: carp2: state transition: MASTER -> BACKUP
>> Oct 14 15:21:19 bgp1 /bsd: carp1: state transition: MASTER -> BACKUP
>> Oct 14 15:21:22 bgp1 /bsd: carp1: state transition: BACKUP -> MASTER
>> Oct 14 15:21:22 bgp1 /bsd:
On Thu, 02 Oct 2014 18:02:23 +0100
Andy wrote:
> Hi
>
> Try setting the advskew to a number greater than 200 and less than
> 254. This seems to be the most stable.
>
> For best practice our primary runs with carp and pfsync values of
> '1'. And the backup runs with carp and pfsync values of '2'
PS: I would recommend setting the carpdemote to be a maximum (lowest) of
1, because then if something happens to the primary box, and you can't
get into it for some reason, at least you could set the carp demotion
counters on the backup to 0' and "remotely" preempt your primary.
On 02/10/14
Hi
Try setting the advskew to a number greater than 200 and less than 254.
This seems to be the most stable.
For best practice our primary runs with carp and pfsync values of '1'.
And the backup runs with carp and pfsync values of '2'.
We do this for two reasons.
1) it is extremely stable!
On Thu, Oct 2, 2014 at 11:03 AM, Marko Cupać wrote:
> I have posted advskew values in initial mail (0 on masters, 100 on
> backups).
That shows me what they are supposed to be.
That does not show me what they actually are.
ifconfig output will show what they actually are.
--
“Don't eat anyth
On Thu, 2 Oct 2014 09:59:10 -0400
Alan McKay wrote:
> You have not yet shown the output of "ifconfig"
>
> Check the "advskew" values on the interfaces.
>
> When carpdemote values are equal then advskew determines who is MASTER
>
Hi Alan,
I have posted advskew values in initial mail (0 on mas
You have not yet shown the output of "ifconfig"
Check the "advskew" values on the interfaces.
When carpdemote values are equal then advskew determines who is MASTER
On Thu, 02 Oct 2014 10:37:19 +0100
Andy wrote:
> nat1 will only preempt the nat2 after a fail-over to nat2 if the
> "carp" group and the "pfsync" group have the same demotion counter.
> ifconfig -g carp
> ifconfig -g pfsync
>
> So if the failover which is happening for some "unknown reason" is
nat1 will only preempt the nat2 after a fail-over to nat2 if the "carp"
group and the "pfsync" group have the same demotion counter.
ifconfig -g carp
ifconfig -g pfsync
So if the failover which is happening for some "unknown reason" is
affecting the demotion counters in any way, preemption back
Hi all,
thanks for all your input to my small question about how to keep the pf.conf
in sync!
I have to care for exactly one firewall cluster, so I would like to avoid
complex tools for this task. I will probably use rdist.
Have fun!
Regards
Christoph
Private Universität Witten/Herdecke gGmbH
Al
On Sat, Aug 02 2014 at 09:01, Nick Holland wrote:
> On 08/01/14 08:12, Claer wrote:
> > On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
> ...
> >> I'll leave you to develop the script.
>
> >> My design philosophy:
> >> 1) No additional hw, other than the two firewalls.
> >> 2) EITHER machine sh
* Kim Zeitler [2014-07-25 11:19]:
> we have a similar setup here, with only a /29 range of external addresses.
> Until now, we have had no problems so far running this using only one
> external carp IF (using a private IP) and adding all external addresses
> as aliases. But we do not use bi-nat fo
On 08/01/14 08:12, Claer wrote:
> On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
...
>> I'll leave you to develop the script.
>> My design philosophy:
>> 1) No additional hw, other than the two firewalls.
>> 2) EITHER machine should be able to act as master.
>> 3) EITHER machine should be able
Hi Giancarlo,
I would like to thank your background (:
Yes, the important files are included in @changelist and its sha256, but as
firewall rules are modified all the time, the other nodes need to be
updated. So, because of this I run the script every 5 min and I sync
it using SCP.
* My script
> > Configuration management tools, like Puppet, can quickly abstract
> > knowledge of a particular technology away from the user and isolate
> > understanding for said technology to a smaller group of people with
> > those skills. This is the nature of technology, though, is it not?
> > Abstracti
On 01-08-2014 09:32, sven falempin wrote:
> actually if you don't put a + it is plain diff and a backup in /var,
> the security could be run more often (it is called in the cron), and
> because the script is present there is no need to write it again.
security(8) is called by daily(8). You could cal
On Fri, Aug 1, 2014 at 8:22 AM, Giancarlo Razzolini
wrote:
> On 01-08-2014 09:07, sven falempin wrote:
>> doh!
>> this is done in daily/security
>> look at /etc/changelist
> It's not md5, it's sha256. md5 should not be used anymore. But what
> Romeo does is to run a script from cron every 5 minut
On 01-08-2014 09:07, sven falempin wrote:
> doh!
> this is done in daily/security
> look at /etc/changelist
It's not md5, it's sha256. md5 should not be used anymore. But what
Romeo does is to run a script from cron every 5 minutes. Daily runs,
obviously, daily. It's not suited for the task at han
Hello,
On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
> On 07/28/14 07:50, Peus, Christoph wrote:
> > Hi all,
> >
> >
> >
> > is there a standard or recommended way to keep the pf.conf on the CARP
> > cluster
> > members in sync?
> >
> > Thanks!
>
> No one standard or recommended way, but
On Fri, Aug 1, 2014 at 4:56 AM, R0me0 *** wrote:
> I wrote a little script some time ago and it runs from crontab every 5 min
> and does:
>
> check and generate md5 of important files like hostname.if , pf include
> files, etc ...
doh!
this is done in daily/security
look at /etc/changelist
>
> All
I wrote a little script some time ago and it runs from crontab every 5 min
and does:
check and generate md5 of important files like hostname.if , pf include
files, etc ...
All necessary modifications are monitored natively by OpenBSD, but there is
an ossec in deployment as well.
ifstated is used to
On 31-07-2014 19:47, Zach Leslie wrote:
> Yes, and Puppet can exec those commands for you. Tools like fail2ban
> can manage the local system's table, but can't (to my knowledge)
> distribute the contents of that table to other systems in the
> environment dynamically. PuppetDB gives you this and