you could try using sloppy states like henning suggested. you'll still get to
write stateful rules and get the tcp state machine checks but not the tcp
window checks.
if it works with sloppy states it narrows the issue down to the pfsync state
merge code. at the moment im kind of guessing thats
On Thu, 04 Jul 2013 21:30:56 +0200
Loïc BLOT wrote:
> Hello all,
> thanks for this interesting debate about pf syncing.
> To recall my initial question:
>
> pfsync seems to sync states but not correctly on my BGP+OSPF routers.
> Because each BGP router is master/standby to 2 neighbors (full me
Hello all,
thanks for this interesting debate about pf syncing.
To recall my initial question:
pfsync seems to sync states but not correctly on my BGP+OSPF routers.
Because each BGP router is master/standby to 2 neighbors (full meshed
bgp) packets which go out through one router can come in through t
Henning, with all respect(!), I'd cut you off with this "home NATing".
My home is far simpler than needing active-active CARP (IT IS NOT, as of
writing)
With all respect to ALL devs working and pushing new code upstreams,
we still have MP-problems. For sure, I'm not the one to fix this - I ta
My apologies for just being noise; I missed his first full post with
much more detail. I was picturing him trying to run redundant servers
without CARP and running into issues of states disappearing.
* BARDOU Pierre [2013-07-04 14:38]:
> I don't know if this may help you, but I have a working BGP setup with two
> routers active/active.
> I don't use pfsync, but keep state (sloppy).
>
> This is less secure according to pf.conf(5), but that's not really a concern
> for me as those routers are
* mxb [2013-07-03 17:33]:
> States ARE synced.
> IPs are not the same on node1 and node2 for external. The connection you
> initiated to ftp.fr, you did via node1 with its external IP. On node2
> those packets will be DROPPED as those do not belong to the external NIC
> on node2 (IP)
again, WRO
[pfsync w/o carp]
* Mark Felder [2013-07-03 16:37]:
> First of all, the states of node 1 being synced to node 2 and vice
> versa is worthless because they have different IP addresses; the
> states won't match anything.
orly.
have you actually LOOKED at your state table?
pfctl -vvss to the rescue.
...
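Henning's advice above is to look at the state table with pfctl -vvss. As an added example (not code from the thread or from OpenBSD), this Python script parses such listings from two pfsync peers, keys each state by the id/creatorid pair pfsync identifies it with, and reports which states are present on both nodes, which differ in status between them, and which exist on only one; the two listings are constructed samples.

```python
"""Added example: compare `pfctl -vvss` listings from two pfsync peers.
A state is keyed by its pfsync identity (id + creatorid): on both peers
with equal status = synced; status differs = merge divergence; on one
peer only = the update never arrived there (or the state expired)."""
import re
from collections import namedtuple

State = namedtuple("State", "iface proto src direction dst status sid creatorid")
# header line: "<if> <proto> <src> [(orig)] -> <dst> [(orig)] <status>"
HDR_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+(?: \(\S+\))?)\s+(<->|->|<-)\s+(\S+(?: \(\S+\))?)\s+(\S+)")
ID_RE = re.compile(r"\bid:\s*([0-9a-f]+)\s+creatorid:\s*([0-9a-f]+)")

# Constructed sample listings (not real captures); window/age lines are skipped.
NODE1 = """\
all tcp 10.20.0.15:41022 -> 93.184.216.34:21       ESTABLISHED:ESTABLISHED
   [2999716003 + 65535] wscale 7  [3190256219 + 65535] wscale 7
   id: 0000000051d5c0a4 creatorid: 3a1f9b2c
all tcp 10.20.0.15:41023 -> 93.184.216.34:20       ESTABLISHED:ESTABLISHED
   id: 0000000051d5c0a5 creatorid: 3a1f9b2c
"""
NODE2 = """\
all tcp 10.20.0.15:41022 -> 93.184.216.34:21       ESTABLISHED:ESTABLISHED
   id: 0000000051d5c0a4 creatorid: 3a1f9b2c
all tcp 10.20.0.15:41023 -> 93.184.216.34:20       ESTABLISHED:CLOSING
   id: 0000000051d5c0a5 creatorid: 3a1f9b2c
all udp 10.20.0.7:53 <- 198.51.100.9:40012       SINGLE:NO_TRAFFIC
   id: 000000002c8e1171 creatorid: 7b04d2e9
"""

def parse_states(text):
    # One State per indented "id:" line, paired with the unindented header above it.
    states, hdr = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented: new state header
            hdr = HDR_RE.match(line)
            continue
        m = ID_RE.search(line)
        if m and hdr:
            states.append(State(*hdr.groups(), *m.groups()))
            hdr = None
    return states

def compare(text_a, text_b):
    """Return (synced, diverged, only_a, only_b) as sorted (id, creatorid) lists."""
    a = {(s.sid, s.creatorid): s for s in parse_states(text_a)}
    b = {(s.sid, s.creatorid): s for s in parse_states(text_b)}
    common = a.keys() & b.keys()
    synced = sorted(k for k in common if a[k].status == b[k].status)
    diverged = sorted(k for k in common if a[k].status != b[k].status)
    return synced, diverged, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
```

On real routers feed it the output of `pfctl -vvss` captured on each node at about the same moment; a state whose creatorid is the other node's but which only appears there is the "never arrived" case the thread is chasing.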
But maybe I am mistaken doing this?
--
Cordialement,
Pierre BARDOU
-----Original Message-----
From: David Gwynne [mailto:da...@gwynne.id.au]
Sent: Thursday 4 July 2013 09:47
To: loic.b...@unix-experience.fr
Cc: misc@openbsd.org
Subject: Re: PF sync doesn't not work very well
On 03/07/2013, at 6:23 PM, Loïc Blot wrote:
> Okay, defer is now enabled on pfsync interface (sorry for my last idea,
> I don't have the man page on me :) ).
> It seems the problem isn't resolved.
> The transfer starts but blocks at a random time.
i have hit this too, despite being the person most respon
On 03/07/2013, at 10:11 PM, Mark Felder wrote:
> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
> wrote:
>
>> Hello,
>> no carp is used at this time.
>
> pfsync needs to be used with carp... without it you're just playing
> whack-a-mole with your session table.
no it doesn't. pfsync just does
The connection is not done by my routers themselves but by DMZ servers
behind them !
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
On Wednesday 03 July 2013 at 17:32 +0200, mxb wrote:
> States ARE synced.
> IPs are not the same o
States ARE synced.
IPs are not the same on node1 and node2 for external. The connection you
initiated to ftp.fr, you did via node1 with its external IP. On node2
those packets will be DROPPED as those do not belong to the external NIC on
node2 (IP)
On 3 jul 2013, at 17:16, Loïc Blot wrote:
> I don't understand why they can't be synced because if i have this
> scheme:
> server 1 - | Router 1 + Router 2 | remote
> server 1 contacts remote, outgoing by Router 1 and the return traffic
> comes from Router 2.
> The state may have "server 1 port A to remote port B", then the virtual
> IP is useless in
On Wed, 03 Jul 2013 09:24:54 -0500, Loïc Blot
wrote:
> For me pf table is (sorry for the missing precisions) the pf state
> table for stateful operations
First of all, the states of node 1 being synced to node 2 and vice versa
is worthless because they have different IP addresses; the states
On Wed, 03 Jul 2013 07:11:08 -0500,
"Mark Felder" wrote:
> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
> wrote:
>
> > Hello,
> > no carp is used at this time.
>
> pfsync needs to be used with carp... without it you're just playing
> whack-a-mole with your session table.
I don't see w
For me pf table is (sorry for the missing precisions) the pf state
table for stateful operations
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
On Wednesday 03 July 2013 at 08:22 -0500, Mark Felder wrote:
> On Wed, 03 Jul 2013 07:
Sure it syncs, but
node1 has completely different IP addresses than node2 (both external and
internal??), if no CARP.
So storing states from node1, which passes/initiated the connection to ftp.fr, on
node2 does not help.
In your case, you'd probably have to decide to either have MASTER-BACKUP or to have
On Wed, 03 Jul 2013 07:40:08 -0500, Loïc Blot
wrote:
> It's not possible to sync pf table without CARP ?
In order to answer that I'll need to understand what you believe the "pf
table" is.
It's not possible to sync pf table without CARP?
I must use it in some cases, then those cases will be fixed but the others
(OSPFd routing) may fail I think?
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
On Wednesday 03 July 2013 at
On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
wrote:
> Hello,
> no carp is used at this time.
pfsync needs to be used with carp... without it you're just playing
whack-a-mole with your session table.
Hello,
no carp is used at this time.
My configuration on each router is simple:
em0 + em3 = trunk0
em1 + em2 = trunk1
4 interconnect VLANs (at this time, only 2 are active, 1 for a BGP neighbor
IPv4, 1 for a BGP neighbor IPv6) on trunk0
vlan 50 + vlan 90 + vlan995 on trunk1
pfsync on vlan 995
--
Best
What does your CARP setup look like? On both machines?
Can you send your ifconfig output?
What is your environment/setup for this 2-node CARP?
How are the interfaces (ext/int) connected? What switches do you use?
On 3 jul 2013, at 10:23, Loïc Blot wrote:
> Okay, defer is now enabled on pfsync inte
Okay, defer is now enabled on pfsync interface (sorry for my last idea,
I don't have the man page on me :) ).
It seems the problem isn't resolved.
The transfer starts but blocks at a random time.
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
L
Hi,
Thanks for your reply. I wasn't careful about this section.
If I understand, I must add the defer option to my WAN iface (or am I wrong,
must I add it to my vlan995 iface?)?
I will test it this morning and get back to misc :)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network exp
pfsync(4) explains this:
"… The pfsync interface will attempt to collapse multiple state updates into
a single packet where possible. The maximum number of times a single
state can be updated before a pfsync packet will be sent out is
controlled by the maxupd parameter
…"
and
Hi all
I have a strange issue (or I haven't read pfsync correctly but I don't
think this is the problem :D)
I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site.
Those BGP routers are secured with strong PF in stateful mode, and the
stateful filtering is working very well on each router. Becaus