, 2008 5:08 PM
To: 'Calomel'
Cc: pf@benzedrine.cx
Subject: RE: CARP failover problem
Calomel,
Wow. Lots of stuff to look at!
1. state information is being transferred between machines.
2. A Thanks! I was just going through step three when I noticed
something that I never
:43 AM
To: Fred Newtz
Cc: pf@benzedrine.cx
Subject: Re: CARP failover problem
Fred,
Did you also enable net.inet.carp.preempt?
net.inet.carp.preempt equaling one(1) allows hosts within a redundancy group
that have a better advbase and advskew to preempt the
master. In addition, this option also
Sorry I forgot to do reply to all!
-Original Message-
From: Fred Newtz [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 11:10 AM
To: 'Calomel'
Cc: 'pf@benzedrine.cx'
Subject: RE: CARP failover problem
Calomel,
Thanks for the response. Here is my sysctl.conf file
[mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 10:43 AM
To: Fred Newtz
Cc: pf@benzedrine.cx
Subject: Re: CARP failover problem
Fred,
Did you also enable net.inet.carp.preempt?
net.inet.carp.preempt equaling one(1) allows hosts within a redundancy group
that have a better advbase
:56 PM
To: Fred Newtz
Cc: pf@benzedrine.cx
Subject: Re: CARP failover problem
Fred,
If you use pftop on both machines do you see the states from the MASTER
firewall being transferred to the BACKUP?
Are you binding all of your ip addresses to your physical interfaces?
What do your carp hostname
to pass specific carp interfaces to specific
internal addresses.
Thanks,
Fred
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Newtz
Sent: Thursday, April 03, 2008 5:08 PM
To: 'Calomel'
Cc: pf@benzedrine.cx
Subject: RE: CARP failover problem
On Mon, Jan 29, 2007 at 04:33:45PM +0100, Thomas Althoff wrote:
I did the crash procedure on 3.9 and found that this is the line
causing the problem
if (!r->max_states || r->states < r->max_states)
I have upgraded my boxes to 4.0-current, no change.
If you can reproduce it with a recent
-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
Sent: 29 January 2007 19:00
To: Thomas Althoff
Cc: pf@benzedrine.cx
Subject: Re: Carp/pfsync kernel panic
On Mon, Jan 29, 2007 at 04:33:45PM +0100, Thomas Althoff wrote:
I did the crash procedure on 3.9 and found
On 2006/11/28 14:34, Jakob Praher wrote:
is there a way to force both carp interfaces to have the same state,
e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in carp(4).
Stuart Henderson schrieb:
On 2006/11/28 14:34, Jakob Praher wrote:
is there a way to force both carp interfaces to have the same state,
e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in carp(4).
On 2/9/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
Look at the following output:
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.21.2 netmask
255.255.255.0
broadcast 192.168.21.255 up
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.22.2 netmask
255.255.255.0
broadcast
On Fri, February 10, 2006 20:10, Jon Simola wrote:
On 2/9/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
Look at the following output:
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.21.2 netmask
255.255.255.0
broadcast 192.168.21.255 up
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias
top post... ok
I *think* I have tracked it down...
I had dmz4-dmz6 100% configured but no cables connected to the switch. The
carp interfaces for them were in init state as they could not talk to each
other. Although it all seemed to work as it should for all other interfaces.
This means all
Right. When preempt is set any carp interface which has a real interface
down causes all carps to use 240 for the skew. At this point I think it is
simply a race to see which interface takes MASTER. That is why I used
preempt on only one FW. This ensures that, in a situation like the one
As I understand it, preempt is all or nothing. So if I have FW's configured
like,
ISP switch
/ \
| |
FW1-- DMZ --FW2 [That's one DMZ switch]
| switch |
\ /
LAN switch
If I wish FW1 to be primary and FW2 to be secondary I set advskew on FW1 to
be
I had a similar issue. I ended up using net.inet.carp.preempt=1 on the
primary firewall and net.inet.carp.preempt=0 on the secondary.
If the primary has an issue, the secondary becomes the master on all
interfaces. I must confess I haven't fully tested the configuration.
-Steve S.
[EMAIL
On 1/26/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:~#more /etc/hostname.carp1
192.168.8.1 255.255.252.0 192.168.11.255 vhid 2 pass mypassword
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate
On Thursday 26 January 2006 23.49, you wrote:
On 1/26/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:~#more /etc/hostname.carp1
192.168.8.1 255.255.252.0 192.168.11.255 vhid 2 pass mypassword
Try adding carpdev into your hostname files, and in my experience
creating the
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev
On Jan 27, 2006, at 10:48 AM, Karl O. Pinc wrote:
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate
commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4
On Thu, Dec 08, 2005 at 11:32:39PM +, ed wrote:
Hello,
Has anyone written scripts to ensure that preempt fail over fails over
all the carp interfaces to backup upon one becoming backup, I have found
often that a single interface will become backup leaving the remaining
interfaces as
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
ok, now this makes sense, how is the next hop meant to send packets
back? it sends them to the mac address the carp0 is broadcasting,
which the master happily accepts, only to see its not in its state
table, and drops it.
the
Traffic shouldn't even be getting OUT on the backup in this situation.
i agree - there is no correct solution without using an ip addr for
each real interface.
would be nice to for example use an external ntp server to sync with,
but unless it uses another route (rather than ip-less carp'd
On Thu, Nov 17, 2005 at 10:02:46PM +1100, Alex Strawman wrote:
Traffic shouldn't even be getting OUT on the backup in this situation.
i agree - there is no correct solution without using an ip addr for
each real interface.
would be nice to for example use an external ntp server to sync
On 10/19/05, Jason Dixon [EMAIL PROTECTED] wrote:
I wouldn't be surprised if they're incompatible on the same segment.
They use the same protocol number, and I'm willing to bet you have
identical VRID/VHID's in there. Even if the ID's are not the same,
the OS is trying to make sense of what it
On 10/19/05, Zack Lawson [EMAIL PROTECTED] wrote:
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd:
On Sat, 1 Oct 2005, Ryan McBride wrote:
On Fri, Sep 30, 2005 at 04:40:26PM +0200, Henning Brauer wrote:
* Charles Sprickman [EMAIL PROTECTED] [2005-09-29 22:51]:
The design seems to assume that one MAC address can
only exist on one port at a time, correct?
no, not at all. There have been
Hi,
This question never comes to my mind but here is what I can tell you
on CARP in fail-over mode. The switch is not seeing the same virtual
MAC address on two ports; it is only seeing the virtual MAC address
moving from one port to another when a failover occurs.
CARP is done through Virtual
* Charles Sprickman [EMAIL PROTECTED] [2005-09-29 22:51]:
The design seems to assume that one MAC address can
only exist on one port at a time, correct?
no, not at all. There have been so-called multicast MAC addresses from
the stone age on, and that is what carp uses.
besides, switches work
On Sep 29, 2005, at 4:26 PM, Charles Sprickman wrote:
Hi,
This is somewhat off-topic, but the question has really been
nagging me ever since someone brought it up at NYCBSDCon (http://
www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP
demo. The demo was really cool, BTW
On Thu, 29 Sep 2005 16:26:21 -0400 (EDT)
Charles Sprickman [EMAIL PROTECTED] wrote:
The question that was posed was along the lines of how does a
standard ethernet switch handle carp?. The questioner wasn't too
clear and I'm not sure Jason really knew exactly what the guy was
asking. So
On Mar 8, 2005, at 9:40 AM, Amir S Mesry wrote:
Jason, I think you missed the OT part of my post. I was just asking
the status of it, not saying it was or wasn't needed. From your post, I
take it there are no plans whatsoever to include it, and indirect
answer, but I got the answer.
You didn't
PROTECTED]
Sent: Monday, March 07, 2005 6:21 PM
To: Amir S Mesry
Cc: PF Mailing List List
Subject: Re: CARP Failover
On Mar 7, 2005, at 1:54 PM, Amir S Mesry wrote:
Ot, but what is the status of Ifstated being included by default in
the install?
What does this have to do with the rest
Ot, but what is the status of Ifstated being included by default in the
install?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Siju George
Sent: Friday, March 04, 2005 8:21 AM
To: Phusion
Cc: pf@benzedrine.cx
Subject: Re: CARP Failover
Hi Eric,
On Thu
On Mar 7, 2005, at 1:54 PM, Amir S Mesry wrote:
Ot, but what is the status of Ifstated being included by default in the
install?
What does this have to do with the rest of the thread? As has been
discussed numerous times on this list, ifstated is not necessary for
proper operation of failover
A running ssh or telnet session will just freeze for a second or so and then
continue when a failover happens. When it comes to ftp I think you have a
problem if you use any userland proxies.
/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
On Mar 6, 2005, at 6:17 PM, Per-Olov Sjöholm wrote:
A running ssh or telnet session will just freeze for a second or so
and then
continue when a failover happens. When it comes to ftp I think you
have a
problem if you use any userland proxies.
Ftpsesame is good in this respect. It grabs packets
Hi Eric,
On Thu, 3 Mar 2005 22:11:34 -0600, Phusion [EMAIL PROTECTED] wrote:
Hi, I was wondering about CARP failover. For an example, say we have
two OpenBSD pf firewalls. When the main firewall fails for some
reason, how long of a delay is there before the backup firewall takes
over as the
On Thu, 2005-03-03 at 22:11:34 -0600, Phusion proclaimed...
Hi, I was wondering about CARP failover. For an example, say we have
two OpenBSD pf firewalls. When the main firewall fails for some
reason, how long of a delay is there before the backup firewall takes
over as the main firewall?
On Dec 23, 2004, at 5:28 PM, ed wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello again, sorry to bother you all again.
I have a question, we have two DSL connections, and I plan on using two
boxes, which are carped. But, I'd like to do this in a fashion such
that
I can failover to a
On Thu, 2004-12-23 at 17:28, ed wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello again, sorry to bother you all again.
I have a question, we have two DSL connections, and I plan on using two
boxes, which are carped. But, I'd like to do this in a fashion such that
I can failover
On Thu, Dec 16, 2004 at 08:54:54PM -0500, Jason Dixon wrote:
There is probably a good reason for this, but might be hard to
determine a) for an experienced user without access to your network, or
b) for an inexperienced user *with* access to your network. ;-)
I suggest monitoring your
On Dec 17, 2004, at 1:47 PM, Ryan McBride wrote:
I suggest larger advskew differences. You can only go as high as the
size of your segment (256-1 for /24, for example). If you're only
using 2 firewalls, I suggest advskews of 0 and 100. This isn't
documented anywhere, and is only based on my own
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, 17 Dec 2004 18:47:47 +
Ryan McBride [EMAIL PROTECTED] wrote:
$ ifconfig -a
$ sysctl net.inet.carp
$ netstat -sp carp
Thank you, I will provide this with my next post.
- --
/-- _| | Regards. Please note, my PGP key ID has changed.
|--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, 15 Dec 2004 07:33:51 -0500
Jason Dixon [EMAIL PROTECTED] wrote:
Sorry for this lengthy reply, I hope you all can forgive me for
this, but as I am but a beginner with PF/CARP I hope we can avoid
hostility.
I have two boxes, with
On Dec 16, 2004, at 5:12 PM, ed wrote:
Things are nearly fully functional for me now, however, I don't seem to
have perfect throughput when a box is shot in the head, sometimes
things
work OK for the client, and some times they don't and connections
either
lag to the point of timeout, or just
On Dec 14, 2004, at 4:02 PM, ed wrote:
Sorry for this lengthy reply, I hope you all can forgive me for this,
but as I am but a beginner with PF/CARP I hope we can avoid hostility.
I have two boxes, with similar configs, on IP addresses 10.10.1.131 and
10.10.1.134, both /16.
[snip]
What is working
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sun, 12 Dec 2004 10:54:28 -0500
Jason Dixon [EMAIL PROTECTED] wrote:
On Dec 12, 2004, at 8:54 AM, ed wrote:
Anyway, I have a /etc/pf.conf file which was originally for a single
firewall, which worked for a normal layout with two interfaces.
On Dec 12, 2004, at 8:54 AM, ed wrote:
Anyway, I have a /etc/pf.conf file which was originally for a single
firewall, which worked for a normal layout with two interfaces. I am
now
attempting to do the following:
[snip]
The two boxes have two interfaces, although most documentation suggests
using
On Sun, Oct 17, 2004 at 08:21:56PM -0700, Yuri wrote:
Heyo
I have a failover firewall setup with 2 boxes using CARP. Everything
works ok, but i have a question about ftp-proxy...
Box #1 has external ip: 100.100.100.2 and internal ip: 10.0.0.2
Box #2 has external ip: 100.100.100.3 and
I'm not sure what benefit you think you're getting from forcing the
ftp to come from the carp address. If the machines swap state (master
fails), the ftp will fail also as it's relying on a userland process
to facilitate it. You might want to check out ftpsesame
Jason Opperisano wrote:
On Thu, 2004-09-16 at 08:58, Steven S. wrote:
the above seems to be the result of a blocked packet with set
block-policy return or a block return ... rule ...SYN goes out but
SYN-ACK coming back in gets a RST...
I have no such policies. It is my understanding that
Another tip:
Try to type a / in the end.
Like this: http://HOST/subdir/
worked for me
--
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
Two of the most famous products of Berkeley are LSD and BSD. I don't think that this
is a coincidence.
Hi Jeff,
Anybody know what part of httpd.conf tells Apache to do this redirection?
I'm looking for a directive that says, No, really, my hostname is not
`hostname` but HOST!
What does ServerName say? Either A or B, or HOST? Mine says HOST.
Also, check UseCanonicalName. I've switched it
On Fri, Jun 18, 2004 at 11:55:37AM +0200, Marin Vidakovic wrote:
[EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
Can you be more specific? Are you talking about 2 oracle rdbms + 2
At 06:00 AM 6/16/2004, [EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
I assume you want to do a redundant DB correct? Databases are not suited
to this kind of failover, due to the lack of
On Mon, Jun 21, 2004 at 02:28:26AM -0500, James Cammarata wrote:
At 06:00 AM 6/16/2004, [EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
I assume you want to do a redundant DB correct?
[EMAIL PROTECTED] said:
On Mon, Jun 21, 2004 at 02:28:26AM -0500, James Cammarata wrote:
At 06:00 AM 6/16/2004, [EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
I assume you want to do a
[EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
Can you be more specific? Are you talking about 2 oracle rdbms + 2
openbsd fw or just 1 oracle rdbms behind 2 or more openbsd fw?
[EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
I think for database failover, you'd better use the DB own features.
For example, a quick google grep gave me that:
If you have multiple addresses,
hi,
for your rules you have to use the physically interface not the carp
interface (but if you like to refer to the ip addresses associated with
the carp interface then you have to take the carp interface)
best regards
wolfgang
On Thu, 03.06.2004 at 22:30, Bryan Irvine wrote:
I'm
hi,
i think i now have found out what was causing the below described
problem. I have a setup as described in
http://www.countersiege.com/doc/pfsync-carp/
I now found out that if the two machines are running (and syncing their
states with pfsync - and sending out carp advertisements) and you
for the record
I've got it running with:
machine A:
sis0 inet 83.64.16.134 netmask 83.64.16.248
carp0 inet 83.64.16.130 netmask 83.64.16.248
machine B:
sis0 inet 83.64.16.133 netmask 83.64.16.248
carp0 inet 83.64.16.130 netmask 83.64.16.248
it's now working fine ;-)
But one thing is left - with
in my pf.conf i don't have more than these two lines - i also don't have
a starting block all rule - so i think it passes all by default - or i
am wrong ?
i already found the main problem - the switch i've used for testing
purpose seems to be broken - i've changed that switch and then the carp
On Thu, 15 Apr 2004 15:08:52 +0200
Wolfgang Pichler [EMAIL PROTECTED] wrote:
[snip]
my pf.conf on both machines is:
--pf.conf-
ext_if=sis0
int_if=sis1
cross_if=sis2
pass quick on { $cross_if } proto pfsync
pass on { $ext_if $int_if } proto carp keep state
On Wed, Apr 14, 2004 at 09:34:06AM +0200, Tobias Wigand wrote:
i am thinking of replacing my single firewall setup with a failover
pair using carp/pfsync. right now it's one box with 3 nics
(internal/external/dmz). i am natting the dmz hosts on the external
interface 1:1, thus have a lot
On Sun, Apr 11, 2004 at 04:45:40PM +0100, Greg Hennessy wrote:
On 11 Apr 2004 07:16:03 -0700, [EMAIL PROTECTED] (Role Account for
SysAdmin) wrote:
4) $air /30 (a nic to a wireless router, part of my wireless gateway).
inet 10.1.1.1 255.255.255.252 NONE
Will CARP work with my
On 12 Apr 2004 06:02:08 -0700, [EMAIL PROTECTED] (Ray) wrote:
Will CARP work with my routable /30 address, which connects me to my ISP,
It won't, you don't have a spare address for the failover system, let alone a
virtual IP.
What's wrong with 10.2.0.0/24?
Its on a completely different
What is 10.2.0.0/24 ? Which network is it?
The problem is with the /30 network connected to your ISP
On Sun, Apr 11, 2004 at 04:45:40PM +0100, Greg Hennessy wrote:
On 11 Apr 2004 07:16:03 -0700, [EMAIL PROTECTED] (Role Account for
SysAdmin) wrote:
4) $air /30 (a nic to a wireless router, part of
On Sun, Apr 11, 2004 at 07:48:40AM -0600, Role Account for SysAdmin wrote:
In my network I have 4 NICs
1) $ext /30
inet xxx.xxx.xxx.xxx 255.255.255.252 NONE
2) $dmz (part of a routable /26)
inet xxx.xxx.xxx.xxx 255.255.255.192 NONE
On 11 Apr 2004 07:16:03 -0700, [EMAIL PROTECTED] (Role Account for
SysAdmin) wrote:
4) $air /30 (a nic to a wireless router, part of my wireless gateway).
inet 10.1.1.1 255.255.255.252 NONE
Will CARP work with my routable /30 address, which connects me to my ISP,
It won't, you don't