On 6/16/09 4:36 PM, Jason Dixon wrote:
> On Tue, Jun 16, 2009 at 03:47:47PM -0700, David Newman wrote:
>> Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync
>> (and also multiple VLANs).
>>
>> After a reboot, either system will hang at 'starting network' until
>> pressing Ctrl-C at the console. (By 'hang' I mean no action for at
>> least 60 minutes; I have not waited longer than that.)
>>
>> Initially I thought this was because of a hostname resolution problem,
>> but pf.conf and resolv.conf contain only IP addresses, not hostnames.
>>
>> Also, 'pfctl -f /etc/pf.conf' runs OK from the console. Same deal with
>> 'sh /etc/netstart' and the OpenVPN stuff in rc.local, pasted below.
>>
>> Presumably something is broken after /etc/rc says 'starting network',
>> but what? I've read on this list one should never edit /etc/rc.
>
> You've given us no information about your hostname.* files. How could
> we possibly help diagnose problems starting your network?

With addresses and passwords obfuscated, these are pasted below.

>> ps. FWIW I've pasted the contents of /etc/rc.local below. Addresses and
>> passwords have been obfuscated.
>
> Why are you starting your network interfaces and adding routes in
> rc.local?

I maintain these systems, but did not do the initial setup or configuration.

> Have you read the FAQ to learn how OpenBSD networking is
> configured?

Yes, and read the ifconfig and rc and pf.conf manpages and searched the misc
mailing list on marc.info. I saw info on pf and carp and pfsync and VLANs, but
not on how they work together.

dn

hostname.bge0 -- unprotected physical interface
inet 666.1.2.188 255.255.255.192 NONE

hostname.bge1 -- protected physical interface
inet 10.0.127.1 255.255.255.0 NONE

hostname.carp1 -- unprotected logical interface
inet 666.1.2.130 255.255.255.192 666.1.2.191 vhid 202 carpdev bge0 advskew 1 pass sekret123

hostname.em0 -- pfsync physical interface
inet 192.18.0.1 255.255.255.0 NONE media autoselect

hostname.pfsync0 -- pfsync logical interface
up syncdev em0

and here is /etc/rc.local again. I do not know why the consultant who set up
these machines put some carp interfaces here rather than in hostname files.

echo -n 'starting local daemons:'

# Add your local startup actions here.

echo '.'

# VLAN config
ifconfig vlan10 10.0.0.2 netmask 255.255.255.0 vlan 10 vlandev bge1
ifconfig vlan11 10.0.1.2 netmask 255.255.255.0 vlan 11 vlandev bge1
ifconfig vlan12 10.0.2.2 netmask 255.255.255.0 vlan 12 vlandev bge1
ifconfig vlan13 10.0.3.2 netmask 255.255.255.0 vlan 13 vlandev bge1
ifconfig vlan14 10.0.128.2 netmask 255.255.255.0 vlan 14 vlandev bge1

# 07/16/06 CARP config is here to avoid hacking netstart
ifconfig carp2 inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 vhid 203 advskew 1 pass seekret123 carpdev vlan10
ifconfig carp3 inet 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 vhid 204 advskew 1 pass seekret123 carpdev vlan11
ifconfig carp4 inet 10.0.2.1 netmask 255.255.255.0 broadcast 10.0.2.255 vhid 205 advskew 1 pass seekret123 carpdev vlan12
ifconfig carp5 inet 10.0.3.1 netmask 255.255.255.0 broadcast 10.0.3.255 vhid 206 advskew 1 pass seekret123 carpdev vlan13
ifconfig carp6 inet 10.0.128.1 netmask 255.255.255.0 broadcast 10.0.128.255 vhid 207 advskew 1 pass seekret123 carpdev vlan14

# sample static routes
/sbin/route add -net 10.0.0.0/16 10.0.1.158
# to do -- add other static routes

# DHCP helper addresses
dhcrelay -i vlan10 10.0.0.103
dhcrelay -i vlan11 10.0.0.103
dhcrelay -i vlan12 10.0.0.103
dhcrelay -i vlan13 10.0.0.103
dhcrelay -i vlan14 10.0.0.103

# start openvpn
#
if [ -x /usr/local/sbin/openvpn ]; then
	/usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf && echo 'opening openvpn server...' &
else
	echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
fi

# start bacula
if [ -x /usr/local/libexec/bacula/bacula-ctl-fd ]; then
	/usr/local/libexec/bacula/bacula-ctl-fd start
	echo -n ' bacula-fd'
fi

# start net-snmp
if [ -x /usr/local/sbin/snmpd ]; then
	echo -n ' snmpd'; /usr/local/sbin/snmpd
fi

# start apcupsd
# Start the UPS daemon. Do not remove the 'TAG_APCUPSD' text
if [ -x /etc/rc.apcupsd ]; then	# TAG_APCUPSD
	/etc/rc.apcupsd start		# TAG_APCUPSD
fi					# TAG_APCUPSD
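As an added example that is not part of the original mail or its author's setup: the VLAN and CARP interfaces that rc.local above brings up with ifconfig, written instead as the /etc/hostname.* files that netstart(8) reads at boot, which is the configuration method the FAQ Jason refers to describes. The target directory, parent interface and carp password are parameters; the password value used here is a placeholder, not the one from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): express the VLAN and CARP setup
# that rc.local above does with ifconfig as /etc/hostname.* files, the form
# netstart(8) reads at boot, so nothing network-related remains in rc.local.

# One VLAN per line: vlan-id vlan-address carp-ifname carp-vhid carp-address.
# Addresses and vhids are the ones in the rc.local above.
VLAN_TABLE='
10 10.0.0.2   carp2 203 10.0.0.1
11 10.0.1.2   carp3 204 10.0.1.1
12 10.0.2.2   carp4 205 10.0.2.1
13 10.0.3.2   carp5 206 10.0.3.1
14 10.0.128.2 carp6 207 10.0.128.1
'

# write_hostname_files DIR PARENT PASS
#   DIR    directory that stands in for /etc (a scratch dir while reviewing)
#   PARENT physical interface the VLANs ride on (bge1 in the mail)
#   PASS   carp password, passed in by the caller rather than stored here
write_hostname_files() (
    dir=$1 parent=$2 pass=$3
    umask 027   # the carp files hold the password: create them 0640
    echo "$VLAN_TABLE" | while read -r vid vaddr cif vhid caddr; do
        [ -n "$vid" ] || continue
        # hostname.vlanN: "inet addr mask bcast options"; NONE = no broadcast.
        # netstart turns this into the same ifconfig call rc.local runs today.
        printf 'inet %s 255.255.255.0 NONE vlan %s vlandev %s\n' \
            "$vaddr" "$vid" "$parent" > "$dir/hostname.vlan$vid"
        # hostname.carpN on top of that VLAN; netstart configures vlan(4)
        # before carp(4), so the carpdev exists when this line is applied.
        printf 'inet %s 255.255.255.0 %s vhid %s advskew 1 pass %s carpdev vlan%s\n' \
            "$caddr" "${caddr%.*}.255" "$vhid" "$pass" "$vid" > "$dir/hostname.$cif"
    done
)
```

Run it against a scratch directory first and compare the result with what is already in /etc before copying anything over. The generated files carry the carp password, so they should stay root:wheel and mode 0640 like the existing hostname.* files.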