True indeed. Complexity does bring in failure, as it has for me.
I've reverted to one master and one backup and it works like a
charm. I guess the electricity we have to pay for on the backup is the
price we pay for high availability. Perhaps I could make the backup
useful for DNS caching/m
"Vivek Ayer" <[EMAIL PROTECTED]> writes:
> I got that snippet from the pf book. What should I change it to?
Actually "The Book of PF" leaves the definition of the carpdevs macro
as an exercise to the reader. The main reason to mention it at all is
to alert the reader that carp traffic needs to p
I may actually end up just turning off load balancing on the router
for now and just leave it on the web servers. Then again, it would be
nice if the router did some work since it'll be on all the time using
all that electricity. Is there a clever cron script I could write to
manually change the ma
I got that snippet from the pf book. What should I change it to?
On Tue, Nov 18, 2008 at 4:32 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
> On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote:
>> Yay! I got ssh and http to work on the CARP interface. Thanks.
>>
>> However, the httpd
On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote:
> Yay! I got ssh and http to work on the CARP interface. Thanks.
>
> However, the httpd redirect is not working just yet on the CARP
> interface for one of the computers. Does IP balancing mess up
> redirect?
Well, that depends.
IP balan
I suspect I'm getting this connection reset error because:
IN--->ROUTER>S--->WEB SERVER1
T--->ROUTER>W--->WEB SERVER2
SW is switch here.
If one router is on, it has carp0 and carp1 on either side and it can
send the request to the servers which may be load-balanced which is
fine. But whe
So any resolution on the apache redirection? When I go to the website,
I get the "Connection Interrupted" error. This only occurs when both
routers are on. Oddly enough, when I ssh into the virtual IP, ssh
traffic doesn't get jumbled up because of the ip balancing. I suspect
I may have to up the ad
Confirmed. If I have both routers on, the http redirection on the CARP
interface doesn't work. But when I only have one on, then the
redirection works just fine. Is CARP getting confused with the
packets?
On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Yay! I got ssh and h
Yay! I got ssh and http to work on the CARP interface. Thanks.
However, the httpd redirect is not working just yet on the CARP
interface for one of the computers. Does IP balancing mess up
redirect?
When I only have one router up doing the redirect, the CARP interface
works, but when I have both
Oh ok. That kind of makes sense.
Thanks
On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>> I don't think I understand. Clarify: you mean carpdev is like your
>> physical interface, eth0, re0, etc.?
>
> s
On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
> I don't think I understand. Clarify: you mean carpdev is like your
> physical interface, eth0, re0, etc.?
say you have a carp configured like:
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:04
carp: MASTER carpdev em0
On 2008/11/12 14:35, Vivek Ayer wrote:
> then, what about this: pass on $carpdev proto carp keep state
The "proto carp" packets are all strictly on the parent interfaces;
that is the only place you need to pass them.
> Looks like it's filtering on the $carpdev, which is carp0 and carp1 in
> this
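The point made in the reply above (CARP advertisements travel only on the parent interface, so a carpdevs macro of carp0/carp1 never matches them, and the shared address must be passed to explicitly) is shown in the ruleset below. This is an added example, not a pf.conf posted in the thread. It assumes em0 is the outside parent of carp0 and em1 the inside parent of carp1, a web server at 192.168.1.10, and OpenBSD 4.4-era pf syntax (rdr as a separate rule, explicit keep state); the interface names and addresses are placeholders.

```pf
# Added example for the thread above; interface names, addresses and
# service list are assumptions, not the poster's real configuration.
ext_if  = "em0"        # outside parent interface
int_if  = "em1"        # inside parent interface
ext_carp = "carp0"     # carpdev em0
int_carp = "carp1"     # carpdev em1

# CARP advertisements are sent and received on the parent (physical)
# interfaces, never on carp0/carp1, so the macro lists the parents.
carpdevs = "{ em0, em1 }"

webserver    = "192.168.1.10"
tcp_services = "{ ssh, www }"

set skip on lo

# Redirect inbound www on the shared CARP address to the inside web server.
rdr on $ext_if inet proto tcp from any to ($ext_carp) port www \
    -> $webserver port www

# Log what is dropped so it can be watched on pflog0.
block log in

pass out keep state

# CARP itself: both directions, on the parents only.
pass on $carpdevs proto carp keep state

pass in quick on $int_if

# Services bound to the physical address and to the shared CARP address.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_carp) \
    port $tcp_services flags S/SA keep state

# After rdr the packet is addressed to the web server, so pass that too.
pass in on $ext_if inet proto tcp from any to $webserver \
    port www flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, confirm the advertisements really arrive on the parent with `tcpdump -n -i em0 proto carp`, and watch `tcpdump -n -e -ttt -i pflog0` for anything the `block log in` rule still drops.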
then, what about this: pass on $carpdev proto carp keep state
Looks like it's filtering on the $carpdev, which is carp0 and carp1 in
this case. It's just what I read in the pf book. I'd like to resolve
this soon so I can go ahead and launch my website. I feel like there's
a lot of carp in the pf fi
On 2008-11-12, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> I don't think I understand. Clarify: you mean carpdev is like your
> physical interface, eth0, re0, etc.?
Yes.
> On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher <[EMAIL PROTECTED]>
> wrote:
>> On Tue, Nov 11, 2008 at 03:53:54PM -0800,
I don't think I understand. Clarify: you mean carpdev is like your
physical interface, eth0, re0, etc.?
On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
> [...]
>> # macros
> [...]
>> carpdevs = "{ carp0
On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
[...]
> # macros
[...]
> carpdevs = "{ carp0 , carp1 }"
[...]
> # pass rules
[...]
> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
just from a qu
I can access the web servers from the Internet on the two
internet-facing ext_if, but not the CARP interface yet. I assume I
just have to add an rdr rule which includes carp as well?
On Tue, Nov 11, 2008 at 4:58 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> I can ssh from the outside into the non-CA
I can ssh from the outside into the non-CARP interface. Actually, this
is weird, but I can now ssh from the outside into the CARP address.
But as far as rdr goes in my pf.conf, I still can't reach the webserver
from the outside. I can reach the web server inside my network, but
the rdr in the router p
On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Here's my current configuration for my entire network. Two routers
> working as one using IP balancing and two web servers on the inside
> working as one using IP balancing. I'm still getting issues as to
> reaching the web s
Here's my current configuration for my entire network. Two routers
working as one using IP balancing and two web servers on the inside
working as one using IP balancing. I'm still getting issues as to
reaching the web servers from the outside. I just feel like it's
gotten too complicated CARPing th
On 2008/10/20 14:19, Vivek Ayer wrote:
> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
> listen on the carp interface.
Unlikely, unless you restricted it in the "listen on..." line.
$ grep ^listen /etc/ntpd.conf
listen on *
$ ifconfig carp83|grep
On Mon, 2008-10-20 at 14:19 -0700, Vivek Ayer wrote:
> So far, I can't ssh into the carp from the outside, can't ntp from the
Try:
% sudo tcpdump -ttt -e -vvv -n -i pflog0 -s 1024
--
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.
I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
listen on the carp interface. I set up ntpd on the carp firewalls, but
internally, I had to provide the two physical addresses to sync time
instead of the one carp interface. Could this also be due to my current
pf.conf?
So far, I c
On 2008-10-19, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> block in
make this "block log in", then look at the tcpdump command line
for "Display the logs in real time" shown in pflogd(8).
So you're saying I need to explicitly pass traffic to $carpdevs too?
Would that let me ssh into the carp interface then?
On Sun, Oct 19, 2008 at 2:52 PM, Bryan Irvine <[EMAIL PROTECTED]> wrote:
>
>
>> # pass rules
>> block in
>> pass out keep state
>> pass in inet proto icmp all icmp-type $icmp_t
> # pass rules
> block in
> pass out keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to $webse
Here's my pf.conf:
# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# m
On Sun, Oct 19, 2008 at 01:04:35PM +0530, Girish Venkatachalam wrote:
> On 22:45:49 Oct 18, Vivek Ayer wrote:
> > Actually, I feel kind of stupid for asking the question. Of course you
> > can never ssh into the virtual carp interface, which is what I was
> > trying to do. SSHing into the physical
On 2008-10-19, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> The only thing you can do to the CARP interface (which is the public
> IP in this case) is ping it, right?
No, you can run services on it too.
On 22:45:49 Oct 18, Vivek Ayer wrote:
> Actually, I feel kind of stupid for asking the question. Of course you
> can never ssh into the virtual carp interface, which is what I was
> trying to do. SSHing into the physical interface still works no
> problem. Then again, it would be Yay..CARP is worki
On 21:26:51 Oct 18, Vivek Ayer wrote:
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of pf.conf]
>
> [demime 1.01d removed an attachment of type application/x-trash which had a
> name of pf.conf.BAK]
>
This list does not allow attachments.
You can
Actually, I feel kind of stupid for asking the question. Of course you
can never ssh into the virtual carp interface, which is what I was
trying to do. SSHing into the physical interface still works no
problem. Then again, it would be Yay..CARP is working 100%.
The only thing you can do to the CAR
Hey guys,
So after I setup CARP on my routers/firewalls, I've been having some
problems. CARP for the most part works. There was a minor glitch that
both CARP systems saw themselves as Master, but that was solved.
The main problem now is I can't ssh from the Internet into them.
Before CARP, I was