* Sebastian John ba...@fukz.de [2013-11-19 19:00]:
try to use the correct network mask in alias configuration:
inet alias 200.200.200.163 255.255.255.240
try to not give wrong advice. all-ones netmask is EXACTLY the right
thing here.
probably even for the first (main) address, unless carpdev is
Hello,
I'm having trouble returning a server to be master with trade in advskew via
ifstated.
The following scenario:
##
server1
##
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER
alias 200.200.200.166 255.255.255.255
inet alias 200.200.200.167 255.255.255.255
After restarting the fw, I cannot access the router (gateway). I think it has
problems with the default route in between.
Searching the internet, I found the post
http://openbsd.7691.n7.nabble.com/Carp-with-aliases-route-problem-td84179.html,
Todd T. Fries-2, saying that in /etc/netstart the carp interface rises after
the physical one, and I do not know if it is necessary to change this sequence.
Does anyone have an environment with carp and alias working?
On Wednesday, April 1, 2009 5:41:30 PM UTC+11, Sheldon Jones wrote:
Hi all,

I'm having trouble with carpnodes and nating outgoing traffic to the external
carp interface. I'm trying to get traffic leaving my LAN thru the firewall to
have the external carp1 address xxx.yyy.60.21
failing over a group of interfaces together in the event that one interface
goes down. If one physical CARP-enabled interface goes down, CARP will
increase the demotion counter
Karl O. Pinc wrote:
I didn't notice _any_ reference to pfsync in the original
post. Perhaps this is part of the problem?
I originally wrote:
I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration...
It sounds like using 'defer' may allow pf
it was in this state, the interface would look perfectly normal,
but it would not pass any traffic. I callously worked around this by
administratively cycling each network interface on the affected machine(s)
on a weekly basis.
If we ran into this failure mode with our CARP firewalls, I'm assuming
I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration, each straddling two routed networks.
The CARP interface on the internal network is the default gateway for
that subnet. The CARP interface on the external network is the default
destination
On Mon, Apr 23, 2012 at 11:49:14AM -0700, Kyle Lanclos wrote:
Where this presents a problem is if the current CARP master loses a single
network interface (cable unplugged, isolated hardware failure, sysadmin
failure, etc.), as opposed to the CARP master failing entirely. The slave
On 2012/04/23 11:49, Kyle Lanclos wrote:
In order for our firewall to operate effectively, we use 'keep state'
pf rules. We empirically determined that we must have CARP preemption
enabled, otherwise pf cannot properly establish state for new TCP
connections. If pfsync could be told
Daniel Hartmeier wrote:
Yes, it will:
net.inet.carp.preempt Allow virtual hosts to preempt each other.
It is also used to failover carp interfaces
as a group. When the option is enabled
I'm having a hell of a time using Extreme Networks Summit 400-24t
switches with IP balancing of any type.
I've tried OpenBSD 5.0 and a -current snapshot from Feb 02. I've
tried all the modes, but none of them work. There's not a good way
I'm aware of to do port mirroring for ip-unicast, but I
Hello everybody,
I need help regarding the following situation. I have four OpenBSD
firewalls configured to do load-balancing ( in and out) using
ip-stealth. I have two CARP interfaces (internal and external) on each
firewall. See the configuration below.
Load-balancing works perfectly for non
Hi list!
We're playing around with two 4.6 boxes, running carp and relayd. We
successfully got a basic DSR setup running, and it seems to be working
fine! However, when failing over to the secondary box, it fails.
All inbound packets go nicely through the box, and return packets
from
Hi all,
I'm having trouble with carpnodes and nating outgoing traffic to the
external
carp interface. I'm trying to get traffic leaving my LAN thru the
firewall to
have the external carp1 address xxx.yyy.60.21 instead of the $ext_if
60.18 or
60.19 depending on which firewall carp picked
On Thu, Aug 07, 2008 at 12:40:37PM -0700, Wadner Cadet wrote:
Hi,
I am experiencing an issue with my two OpenBSD firewalls. I have two carp
interfaces (carp1 and carp2). On carp2, there are 6 ip aliases (external ip
addresses). The two carp interfaces belong to the same carp group. When one
Hi,
Thanks for your replies.
carp.preempt is enabled on both firewalls. See this
# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0
Here is also the configuration of the carp interfaces
FW1
/etc/hostname.carp1
inet 10.10.1.1
Hello Wadner:
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Wadner Cadet
Sent: Thursday, August 07, 2008 12:41 PM
To: pf@benzedrine.cx
Subject: Problem with carp group failover
Hi,
I am experiencing an issue with my two OpenBSD firewalls. I
Hi,
OpenBSD 4.2 stable patched to Feb 27, 2008
I've two firewalls with carp failover between them.
One is configured with the carp interfaces having an
advskew of 100, so that machine is normally the backup.
Something happened and the backup has become the master,
and the master has a demotion
On 2008/07/14 10:14, Ryan McBride wrote:
I see this in the 4.2-4.3 changelogs:
Changed rc(8) and netstart(8) so pfsync(4) is not brought up before the
working ruleset has been loaded
I don't believe this is critical, but it means that if your rulesets are
identical across firewalls the
would help prevent shutting down the master when the standby
is not yet synchronized.
Don't shut your master down until all its carp interfaces are in the
MASTER state.
The case I'm now concerned about is shutting down the active
firewall before the standby firewall has synchronized its
state
that it starts after
the (secondary, local, caching) nameserver so that I can
use the dns names of my domain in pf.conf.
This is clearly going to cause a problem because
I also don't allow forwarding until after pf is up,
so as soon as the carp interfaces become master
the clients will start receiving icmp unreachable messages
in response to traffic.
Which brings me back to the question of how the demotion
counter works, so I can do something to use it to keep
the carp interfaces out
from the other firewall(s). Until this update is complete, it
increases the carp demotion counter, preventing carp from taking over
the virtual IP address. When the bulk update completes or times out, the
demotion counter is decreased again. (The demotion counter is also
twiddled in /etc/rc
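The demotion counter and the "all carp interfaces MASTER before you touch the master" advice above translate into a simple pre-handover check. The script below is an added example, not code from any message on this page: it parses ifconfig(8) text for the carp interface group (the group line carries the counter that pfsync raises during its bulk update and that rc(8) bumps during boot) and for each carp interface, and refuses while the counter is non-zero or any interface is not MASTER, which also catches the one-interface-BACKUP split that several posts here describe. Newer releases print the state as `carp: MASTER carpdev em0 vhid 1 ...`, older ones as a bare `carp: MASTER` (as in the output near the top of this page); the second field is the state either way. The two sample outputs are constructed so the check runs offline; the `carpdemote` group options in the trailing comment are the OpenBSD ifconfig(8) ones, and the value 50 is just an illustration.

```shell
#!/bin/sh
# Added example; not code from any post on this page. Refuses a planned
# shutdown/handover while the carp group is demoted or while any carp
# interface is not MASTER. Only parses ifconfig(8) output, so the two
# samples below are constructed to match OpenBSD's format.

# Constructed sample of `ifconfig -g carp` (the group line carries the counter).
SAMPLE_GROUP_OK='carp: carpdemote count 0'
SAMPLE_GROUP_BUSY='carp: carpdemote count 1'

# Constructed sample of `ifconfig carp0 carp1`: both MASTER.
SAMPLE_IFACES_OK='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Same box, but carp1 has flipped: the "one BACKUP, rest MASTER" split.
SAMPLE_IFACES_SPLIT=$(printf '%s\n' "$SAMPLE_IFACES_OK" |
    sed 's/carp: MASTER carpdev em1/carp: BACKUP carpdev em1/')

# carp_ok GROUP_TEXT IFACE_TEXT
# Returns 0 only when the demotion counter is 0 and every carp interface
# is MASTER; otherwise prints the reason(s) and returns 1.
carp_ok() {
    group_out=$1
    iface_out=$2
    rc=0

    demote=$(printf '%s\n' "$group_out" | awk '/carpdemote count/ { print $NF }')
    if [ -z "$demote" ]; then
        echo "no carpdemote line in group output"
        rc=1
    elif [ "$demote" -ne 0 ]; then
        echo "carp group demoted by $demote (bulk update or rc still in progress)"
        rc=1
    fi

    # Interface header lines look like "carp0: flags=..."; the state line
    # that follows looks like "carp: MASTER carpdev em0 vhid 1 ..." or,
    # on older releases, just "carp: MASTER". $2 is the state either way.
    if ! printf '%s\n' "$iface_out" | awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(":", "", ifn) }
        /^[ \t]*carp: / && $2 != "MASTER" { print ifn " is " $2; bad = 1 }
        END { exit bad }'; then
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "all carp interfaces MASTER, demotion 0: safe to hand over"
    fi
    return "$rc"
}

# For a deliberate maintenance handover the counter can be raised by hand,
# which moves every vhid to the peer without editing advskew, and lowered
# again afterwards (OpenBSD ifconfig(8) group options; 50 is illustrative):
#   ifconfig -g carp carpdemote 50
#   ifconfig -g carp -carpdemote 50
```

Run it against live output with `carp_ok "$(ifconfig -g carp)" "$(ifconfig carp)"` before a reboot of the master; a non-zero counter means pfsync has not finished pushing state to the standby, and a non-MASTER interface means the peer already owns part of the vhid set, so a hand-over now would be only half planned.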
Fred,
Each ip address you have is assigned to a carp virtual interface. If you
have 10 ips then you could have 10 carp interfaces. Lets say we have an
external ip 33.33.33.33 assigned to carp1 ...
cat /etc/hostname.carp1
inet 33.33.33.33 255.255.255.0 33.33.33.255 vhid 1 advskew 1 carpdev em0
# 1=Enable carp(4) preemption
net.inet.carp.log=1 # 1=Enable logging of carp(4) packets
I have just double checked and both machines are setup with the same
four entries.
The interfaces fail over properly. The problem is on the second
machine the traffic gets
Sorry I forgot to do reply to all!
-Original Message-
From: Fred Newtz [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 11:10 AM
To: 'Calomel'
Cc: 'pf@benzedrine.cx'
Subject: RE: CARP failover problem
Calomel,
Thanks for the response. Here is my sysctl.conf file
Fred,
If you use pftop on both machines do you see the states from the MASTER
firewall being transfered to the BACKUP?
Are you binding all of your ip addresses to your physical interfaces?
What do your carp hostname files contain?
cat /etc/hostname.carp0
cat /etc/hostname.carp1
cat /etc
Calomel,
Wow. Lots of stuff to look at!
1. state information is being transferred between machines.
2. A
Thanks! I was just going through step three when I noticed
something that I never thought to look at. For some
reason I had bound all of the ips to one of my carp
to pass specific carp interfaces to specific
internal addresses.
Thanks,
Fred
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Newtz
Sent: Thursday, April 03, 2008 5:08 PM
To: 'Calomel'
Cc: pf@benzedrine.cx
Subject: RE: CARP failover problem
Hello:
Every so often we see a run of these messages where the address
'x.x.x.x' below is a CARP interface address. There will be a
corresponding message for each of the 62 CARP interfaces on the machine.
This server is the backup in a failover pair (not load balanced). The
addresses
,d0de8b00,0,d08b1000,30) at ipv4_input+0x4f1
ipintr(d0200058,d08b0010,10,d08b0010,d08b1000) at ipintr+0x70
Bad frame pointer: 0xd0b2e24
I don't have serial console, so my trace is written down by hand, one
small typo could exist.
I get the trap when the carp backup machine comes up, e.g. 10-120
seconds
On Mon, Jan 29, 2007 at 04:33:45PM +0100, Thomas Althoff wrote:
I did the crash procedure on 3.9 and found that this is the line
causing the problem
if (!r->max_states || r->states < r->max_states)
I have upgraded my boxes to 4.0-current, no change.
If you can reproduce it with a recent
Daniel,
Question: What happens if you run pfsync/carp and your clock is totally
off ?
My backup carp machine has crashed with panic 20-30-40 times since
yesterday
when I started my upgrade from 3.8 to 4.0 (and later 4.0-current).
After sending my email, I made two changes
1
hi all,
I am using 2 firewalls via carp.
In my design all the external addresses are physically defined on the
firewall and are destination natted by the firewall.
So I have 2 carp interfaces
carp0 - ext
carp1 - int
and on a separate interface I do pfsync.
I looked at converting pf rules
On 2006/11/28 14:34, Jakob Praher wrote:
is there a way to force both carp interfaces to have the same state,
e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in carp(4).
Stuart Henderson schrieb:
On 2006/11/28 14:34, Jakob Praher wrote:
is there a way to force both carp interfaces to have the same state,
e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in carp(4
Hello,
I have problem with policy routing. My infrastructure looks like: 2
firewalls with carp failover, Internet obtained from ISP via 3 different
VLANs.
Simple schema looks like:
/-VLAN A - CARP A --\
(WAN)---BGE0---VLAN B - CARP B ---BGE1 (LAN)
\-VLAN C - CARP
Hi,
I have some problems with carp and vlans I think. I have four physical
interfaces in my two firewalls, one for pfsync, one to the Internet, DMZ
and LAN. At the LAN interface seven VLAN interfaces are configured. The
Internet and DMZ interfaces are on em(4) and the pfsync and LAN vlans
network as addresses used in carp. But this doesn't
represent any problem as everything works fine. I'll do some long
downloads to check whether pfsync works or not.
Another question: Can P2P traffic create such a great amount of
connections that we might run out of resources to keep the state of
them? Could that be the reason of our problem with pfsync?
No...
And you have of course global limits for states etc in pf.conf as well...
Thanks again.
as external interfaces and fxp as internal interfaces
for carp. Pfsync interfaces are rl, too.
We might get a different setup for pf with pfsync and carp from a
sysadmin. We will check the differences between his setup and ours, as
he swears everything works perfect with his setup.
Another question
After hours of thinking, reading manuals and googling I decided to
send a mail to this list.
We have two OpenBSD firewalls using CARP + PFSYNC to provide
redundance. The problem is that long downloads stall randomly. For
example, downloading a 700 MB ISO stalls at about 120 MB, although
We are using OpenBSD 3.7 with carp preemption and we have checked that
all interfaces are connected while booting. Carp preemptive failover
works perfectly: we tested it unplugging the ethernet cable from the
nics which are used for carp.
We also experienced that ARP thing during the migration
broadcast 192.168.21.255
Do you need IP addresses on your vlan devices? carp will bind fine to
any interface with the carpdev parameter.
carp0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
description: GW 21
carp: INIT carpdev vlan0 vhid 21 advbase 1 advskew 0
groups
description: VLAN 21
vlan: 21 parent interface: fxp0
groups: vlan
inet6 fe80::2d0:b7ff:fec8:cbeb%vlan0 prefixlen 64 scopeid 0x12
inet 192.168.21.2 netmask 0xffffff00 broadcast 192.168.21.255
Hi
Are there any known problems with VLAN and CARP?
(I use x86 3.8 with all cvs stable updates up to jan 30)
Look at the following output:
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.21.2 netmask 255.255.255.0 broadcast 192.168.21.255 up
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias
top post... ok
I *think* I have tracked it down...
I had dmz4-dmz6 100% configured but no cables connected to the switch. The
carp interfaces for them were in init state as they could not talk to each
other. Although it all seemed to work as it should for all other interfaces.
This means all
Right. When preempt is set any carp interface which has a real interface
down causes all carps to use 240 for the skew. At this point I think it is
simply a race to see which interface takes MASTER. That is why I used
preempt on only one FW. This ensures that, in a situation like the one
to
be smaller than FW2. If I set preempt on both firewalls and I lose power to
DMZ switch, then both FW1 and FW2 change the advskew to 240. So in this
case which is MASTER? The mentioned carp/INIT bug didn't help here:-) I
don't know the answer as to why. I only know my workaround was to set
preempt
em0, em1 and em2 run at gig speed. All other at 100.
I use carp on all interfaces [ except pfsync ;-) ].
I also have net.inet.carp.preempt=1
The primary fw is master for all carp interfaces and everything *mostly* works
perfect.
THE PROBLEM:
Sometimes when I reboot one of the firewalls not all
-4 (soekris pci quad)
On 1/26/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:~#more /etc/hostname.carp1
192.168.8.1 255.255.252.0 192.168.11.255 vhid 2 pass mypassword
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, a la:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
inet 10.0.0.8 255.255.252.0
up
OpenBSD 3.8
--
Jon Simola
Systems
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, a la:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev
On Jan 27, 2006, at 10:48 AM, Karl O. Pinc wrote:
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate
commands
works better, a la:
# cat /etc/hostname.em0
inet 10.0.3.4
Hi
I have been using two firewalls with a carp+pfsync (6 interfaces + a dedicated
pfsync) setup in a company environment based on OpenBSD 3.6 for a year. Now I
have upgraded to 3.8 and see *really* strange things...
The LAN is a supernet 192.168.8.0 with a /22 mask which seems to be a problem
Hi, i have such problem.
I am using carp balancing on the gate to the Internet.
preempt=1
arpbalance=1
Firstly, on 3.8 arpbalancing didn't work.
I saw this article
http://www.isi.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html
I recompiled the kernel with the IP-Based Balancing patch.
Now
On 12/31/05, ed [EMAIL PROTECTED] wrote:
On Thu, 29 Dec 2005 14:41:38 +0100
Marcin Miksowski [EMAIL PROTECTED] wrote:
Is there any solution to resolve my problems with carp? If it is
necessary to show you more information on my current configuration I
will do everything I
Hello All,
We have 3 systems connected to the net with ip addresses x.y.z/28 mask. We are
planning to go with pf with carp and pfsync redundancy.
We are planning to use two systems with 3 nic cards for this. We would like to
have aliases for both the m/c listening to x.y.z/28 all ip
On Jan 5, 2006, at 3:18 PM, Kilaru Sambaiah wrote:
unease. Carp interface can have aliases? Is it a good idea?
What is
the best way to go
about it?
Yes.
$ cat /etc/hostname.carp0
inet 10.0.0.2 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.3 255.255.255.0
carpdev em0
advskew 240 pass 31337
# cat /etc/hostname.carp3
inet 111.111.111.16 255.255.255.0 111.111.111.255 vhid 4 carpdev em0
advskew 240 pass 31337
I noticed in your original email that fw2 had advskews of 10's and
100's. This suggests that CARP may not be setup the way you think
On 1/5/06, Karl O. Pinc [EMAIL PROTECTED] wrote:
I have not been following your problem.
You have net.inet.carp.preempt=1 in /etc/sysctl.conf?
If not then that's likely your problem. (Then reboot
or man sysctl.)
Yes, I have preempt enabled:
fw1:
# sysctl net.inet.carp.preempt
hello,
I noticed in your original email that fw2 had advskews of 10's and
100's. This suggests that CARP may not be setup the way you think it
is (based on the advskew 240 in the hostname files).
The difference appear, when I have testing various configurations. Now
I have advskew equal
On Thu, 29 Dec 2005 14:41:38 +0100
Marcin Miksowski [EMAIL PROTECTED] wrote:
Is there any solution to resolve my problems with carp? If it is
necessary to show you more information on my current configuration I
will do everything I can.
From experience CARP can behave oddly
. Now they are running OpenBSD 3.8, but earlier I have
setup with 3.7. Systems installations are almost default, with default
kernels.
I have configured 35 carp addresses. They are filtered and redirected
to internal network on firewalls. Both machines have identical pf.conf
and almost identical
Hello,
Has anyone written scripts to ensure that preempt failover fails over
all the carp interfaces to backup upon one becoming backup? I have found
often that a single interface will become backup, leaving the remaining
interfaces as master, which obviously messes things up.
--
Regards, Ed
On Thu, Dec 08, 2005 at 11:32:39PM +, ed wrote:
Hello,
Has anyone written scripts to ensure that preempt failover fails over
all the carp interfaces to backup upon one becoming backup? I have found
often that a single interface will become backup, leaving the remaining
interfaces
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
ok, now this makes sense, how is the next hop meant to send packets
back? it sends them to the mac address the carp0 is broadcasting,
which the master happily accepts, only to see its not in its state
table, and drops it.
the
one small problem with carp and ip-less interfaces..
scenario: you have no ip address bound to each of the real interfaces,
and carp is sharing the one address for you (isp only gives you 1
address).
only the master can craft packets out (assuming this shared carp'ed
address is the external
Traffic shouldn't even be getting OUT on the backup in this situation.
i agree - there is no correct solution without using an ip addr for
each real interface.
would be nice to for example use an external ntp server to sync with,
but unless it uses another route (rather than ip-less carp'd
interfaces and ensure
that you can pass traffic between the two. Configure pf on both boxes
to NAT traffic out over its external carp'd IP address when it is coming
in on $pfsync_if from $pfsync_net.
This allows your carp backup to still have outbound net so things like
NTP, mail and external DNS
it believes to be a CARP
packet, but really isn't. The CARP packet format is described in src/
sys/netinet/ip_carp.h. The VRRP packet format is in the RFC (http://
www.faqs.org/rfcs/rfc2338.html).
It does work, I have this type of setup at work. However I also only
allow CARP packets in from
On 10/19/05, Zack Lawson [EMAIL PROTECTED] wrote:
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd: carp
Hello,
In my firewall-setup, I use two OpenBSD 3.7 machines, each with two carp
interfaces (outside/inside).
Preemption is enabled in sysctl.conf on both machines, my intention was
that if one interface goes down or to BACKUP, the other one should do so,
too. So on one machine, both interfaces
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd: carp: received len 8 36 on carp2
last message repeated 3005
so-called multicast MAC addresses from
the stone age on, and that is what carp uses.
Actually, the carp virtual mac address is not a multicast address. Only
the carp advertisements use multicast.
The switch knows where to send the packet because the master carp host
sends out gratuitous arp replies
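The correction above is worth pinning down with numbers, so here is an added example (not code from any message on this page). CARP's virtual MAC is 00:00:5e:00:01:&lt;vhid&gt;; the first octet is 00, so the I/G bit that marks a multicast destination is clear and the address is ordinary unicast, which is why a switch learns it on one port and moves it when the master's gratuitous ARP arrives from the other. Only the advertisements go to multicast 224.0.0.18. VRRP (RFC 3768) uses the same 00:00:5e:00:01:&lt;vrid&gt; prefix, which is the practical caveat behind the CARP-beside-VRRP reports earlier on this page: a vhid equal to a neighbouring router's VRID puts two speakers behind one MAC. The functions below compute the MAC for a vhid, test the multicast bit, map a MAC back to its vhid, and scan tcpdump-style `arp reply A is-at M` lines for two IPs claiming the same vhid MAC; the ARP lines are constructed, not captured.

```shell
#!/bin/sh
# Added example; not code from any message on this page. CARP virtual MAC
# arithmetic plus a small ARP scan. The ARP lines are constructed in
# tcpdump's "arp reply A is-at M" style, not captured from a real segment.

# carp_mac VHID -> the virtual MAC 00:00:5e:00:01:<vhid> for vhid 1..255
carp_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# mac_is_multicast MAC -> true when the I/G bit of the first octet is set
# (true for 01:00:5e:... IPv4 multicast, false for every CARP virtual MAC)
mac_is_multicast() {
    first=$(printf '%d' "0x${1%%:*}")
    [ $(( first & 1 )) -eq 1 ]
}

# vhid_of MAC -> vhid (decimal) if MAC is in the CARP/VRRP range, else nothing
vhid_of() {
    case $1 in
        00:00:5e:00:01:[0-9a-f][0-9a-f]) printf '%d\n' "0x${1##*:}" ;;
    esac
}

# Constructed ARP traffic on one segment: a CARP pair on vhid 1 (203.0.113.1,
# answered twice because the master re-announces), a plain host, a second
# vhid, and a router that also answers for 00:00:5e:00:01:01, i.e. a VRID 1
# collision with our vhid 1.
SAMPLE_ARP='arp reply 203.0.113.1 is-at 00:00:5e:00:01:01
arp reply 203.0.113.1 is-at 00:00:5e:00:01:01
arp who-has 203.0.113.9 tell 203.0.113.20
arp reply 203.0.113.20 is-at 00:0c:29:aa:bb:cc
arp reply 10.0.0.1 is-at 00:00:5e:00:01:02
arp reply 203.0.113.254 is-at 00:00:5e:00:01:01'

# arp_vhid_report ARP_TEXT -> one "IP vhid N" line per distinct claim in the
# 00:00:5e:00:01:xx range, then "CONFLICT vhid N: ip ip" for every vhid/vrid
# MAC that two different IPs claim.
arp_vhid_report() {
    printf '%s\n' "$1" | while read -r proto kind ip isat mac rest; do
        [ "$proto" = arp ] && [ "$kind" = reply ] && [ "$isat" = is-at ] || continue
        vhid=$(vhid_of "$mac")
        [ -n "$vhid" ] && printf '%s vhid %s\n' "$ip" "$vhid"
    done | sort -u | awk '
        { print; ips[$3] = ips[$3] " " $1; n[$3]++ }
        END { for (v in n) if (n[v] > 1) print "CONFLICT vhid " v ":" ips[v] }'
}
```

Feed it real data with `arp_vhid_report "$(tcpdump -n -c 200 -i em0 arp)"` (the `-c` bound keeps the pipeline finite); a CONFLICT line for a vhid you own means something else on the segment, typically a VRRP router with the same VRID, is announcing your virtual MAC, and renumbering the vhid is the fix rather than any pf rule.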
Hello Everyone,
Thanks in advance to anyone who can assist me with this issue. If there
is a CARP mailing list that I should be posting this to, please let me
know.
My issue is this. I have two firewalls that share multiple virtual IP's
via CARP. These firewalls are doing NAT for multiple
On Wed, Oct 05, 2005 at 02:23:29PM -0700, Zack Lawson wrote:
As soon as I add a carp
interface with more than one digit (ie carp10, carp11 or carp23), the
backup host (with the higher advskew value) starts switching between
MASTER and BACKUP on seemingly random carp interfaces. The fact that I
Hi,
This question never came to my mind, but here is what I can tell you
on CARP in fail-over mode. The switch is not seeing the same virtual
MAC address on two ports; it is only seeing the virtual MAC address
moving from one port to another when a failover occurs.
CARP is done through Virtual
* Charles Sprickman [EMAIL PROTECTED] [2005-09-29 22:51]:
The design seems to assume that one MAC address can
only exist on one port at a time, correct?
no, not at all. There have been so-called multicast MAC addresses from
the stone age on, and that is what carp uses.
besides, switches work
On Sep 29, 2005, at 4:26 PM, Charles Sprickman wrote:
Hi,
This is somewhat off-topic, but the question has really been
nagging me ever since someone brought it up at NYCBSDCon (http://
www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP
demo. The demo was really cool, BTW
Hi,
This is somewhat off-topic, but the question has really been nagging me
ever since someone brought it up at NYCBSDCon
(http://www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP
demo. The demo was really cool, BTW - failover with IPSEC.
The question that was posed
On Thu, 29 Sep 2005 16:26:21 -0400 (EDT)
Charles Sprickman [EMAIL PROTECTED] wrote:
The question that was posed was along the lines of how does a
standard ethernet switch handle carp?. The questioner wasn't too
clear and I'm not sure Jason really knew exactly what the guy was
asking. So
Neil wrote:
Hi everyone,
Just chatted with someone in #pf and found out that pf at the moment cannot
maintain state on TCP connections from internal machine to external
machine when network cable on master firewall's external interface is
removed.
Anyways, most connections are coming from
this in very detail.
Please stop top-posting.
Always start at the man pages; there is an example given (man 4
carp). There is a similar configuration in my NYC BSD Con slides
(http://www.dixongroup.net/NYCBSDCON/); see the Advanced Example.
--
Jason Dixon
DixonGroup Consulting
http
and the practical
solution(s) to it. I'd love to be able to explain why interfaces
recovering from INIT don't reclaim MASTER faster than they do (approx
30 seconds in my tests), but I don't understand the code-level
logistics of everything. Hint: This is only a problem using single
CARP hosts with preemption.
PROBLEM:
With a simple CARP design using a single CARP host on each segment
and preemption enabled, failover occurs as expected in the case of
any system offline condition (server crashes, admin reboots, etc
On Sep 26, 2005, at 11:07 AM, Chad M Stewart wrote:
On Sep 25, 2005, at 9:39 PM, Jason Dixon wrote:
On Sep 25, 2005, at 8:30 AM, Neil wrote:
Yep, the same behavior when the master dies. The solution that
the person in #pf told me is use routing but I don't know how to
implement. He told
On 00:21, Sun 25 Sep 05, Neil wrote:
Hi everyone,
Just chatted with someone in #pf and found out that pf at the moment cannot
maintain state on TCP connections from internal machine to external machine
when network cable on master firewall's external interface is removed.
Anyways, most
Hi Joel,
I just created a new email post. :)
Thanks,
neil
j knight writes:
Neil wrote:
Yup that did the fix for the inbound. Now, I tried connecting to an ssh
server from the internal machine to the external machine running openssh
and i disconnected the cable, however, the ssh
Neil wrote:
Ok guys. I will do it tonight once I reach home. I will also send my
pf.conf file.
Also, does it matter since I have different interfaces on FW1 and FW2?
FW1, xl0, fxp0 and fxp1
FW2: rl0, fxp0 and ne3
You're using 'set state-policy if-bound' so yes, that does matter.
Remove that