Re: [pfSense] Bug in pfSense v2.1
On Thu, Nov 8, 2012 at 3:28 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> Hi all,
>
> I've found a bug in the latest development version v2.1.
>
> If you use a carp device a NAT rule is generated which source nats any outgoing packet to the carp IP. You can do that if the device is in master mode but you shouldn't do this if the device is in the backup mode. The rule is active in both cases.
>
> This results in a wrong return path for all outgoing packets on the backup device (which returns all to the master device).
>
> In my opinion this shouldn't happen and is a bug.

Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?

> Regards
> Oli

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Bug in pfSense v2.1
On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?

There are many reasons:
- debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
- making updates of a package/firmware
- fetch some information from somewhere if you extended the pfsense
- keep ssh tunnels alive after a switch

Regards
Oli
Re: [pfSense] Bug in pfSense v2.1
On Thu, 8 Nov 2012 09:53:55 +0100 Oliver Schad oliver.sc...@automatic-server.com wrote:
> On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
>
> There are many reasons:
> - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> - making updates of a package/firmware
> - fetch some information from somewhere if you extended the pfsense
> - keep ssh tunnels alive after a switch

Additionally the ping tests from the backup device to the gateways are a little bit senseless if they never succeed because of this NAT rule.

Regards
Oli
Re: [pfSense] Bug in pfSense v2.1
On Thu, Nov 8, 2012 at 10:47 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> On Thu, 8 Nov 2012 09:53:55 +0100 Oliver Schad oliver.sc...@automatic-server.com wrote:
> > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> >
> > There are many reasons:
> > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > - making updates of a package/firmware
> > - fetch some information from somewhere if you extended the pfsense
> > - keep ssh tunnels alive after a switch
>
> Additionally the ping tests from the backup device to the gateways are a little bit senseless if they never succeed because of this NAT rule.

The problem with this is that you will have double monitoring traffic with that change. Some might consider it problematic!

> Regards
> Oli
Re: [pfSense] Bug in pfSense v2.1
On Thu, 8 Nov 2012 12:44:11 +0100 Ermal Luçi e...@pfsense.org wrote:
> On Thu, Nov 8, 2012 at 9:53 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> >
> > There are many reasons:
> > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > - making updates of a package/firmware
> > - fetch some information from somewhere if you extended the pfsense
>
> https://github.com/bsdperimeter/pfsense/commit/7466cd71f6747bbc93588adb7ee8ec36a6cf01b3
>
> happy?

Great. Looks fine, I will test it and report my results.

Regards
Oli
Re: [pfSense] Bug in pfSense v2.1
2012/11/8 Ermal Luçi e...@pfsense.org:
> On Thu, Nov 8, 2012 at 9:53 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> >
> > There are many reasons:
> > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > - making updates of a package/firmware
> > - fetch some information from somewhere if you extended the pfsense
>
> https://github.com/bsdperimeter/pfsense/commit/7466cd71f6747bbc93588adb7ee8ec36a6cf01b3
>
> happy?

Sorry if I disturb. Does this also mean: it results in a complete filter reload at the take over time?

--
= = = http://michael-schuh.net/ = = =
Project management - IT consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = VAT ID: DE251072318 = = =
Re: [pfSense] Bug in pfSense v2.1
On Thu, Nov 8, 2012 at 1:16 PM, Michael Schuh michael.sc...@gmail.com wrote:
> 2012/11/8 Ermal Luçi e...@pfsense.org:
> > On Thu, Nov 8, 2012 at 9:53 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> > > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> > >
> > > There are many reasons:
> > > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > > - making updates of a package/firmware
> > > - fetch some information from somewhere if you extended the pfsense
> >
> > https://github.com/bsdperimeter/pfsense/commit/7466cd71f6747bbc93588adb7ee8ec36a6cf01b3
> >
> > happy?
>
> Sorry if I disturb. Does this also mean: it results in a complete filter reload at the take over time?

Normally it works like that. Triggered by carp status change.
Re: [pfSense] Bug in pfSense v2.1
On Thu, Nov 8, 2012 at 12:54 PM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> On Thu, 8 Nov 2012 12:45:20 +0100 Ermal Luçi e...@pfsense.org wrote:
> > On Thu, Nov 8, 2012 at 10:47 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> > > On Thu, 8 Nov 2012 09:53:55 +0100 Oliver Schad oliver.sc...@automatic-server.com wrote:
> > > > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> > > >
> > > > There are many reasons:
> > > > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > > > - making updates of a package/firmware
> > > > - fetch some information from somewhere if you extended the pfsense
> > > > - keep ssh tunnels alive after a switch
> > >
> > > Additionally the ping tests from the backup device to the gateways are a little bit senseless if they never succeed because of this NAT rule.
> >
> > The problem with this is that you will have double monitoring traffic with that change. Some might consider it problematic!
>
> Yes, I know. There are some parts of pfSense especially in additional packets which don't work fine. For example the zabbix proxy module as you mentioned (which is a little bit buggy because it interprets active/passive mode wrong and doesn't offer to choose a port for passive mode - patched that myself).

Normally ports know when something has changed since you can hook into filter reload. That is the place to do these things.

> Yes, I usually build some scripts around or fix it myself for me.
>
> Regards
> Oli
Re: [pfSense] Bug in pfSense v2.1
2012/11/8 Ermal Luçi e...@pfsense.org:
> On Thu, Nov 8, 2012 at 1:16 PM, Michael Schuh michael.sc...@gmail.com wrote:
> > 2012/11/8 Ermal Luçi e...@pfsense.org:
> > > On Thu, Nov 8, 2012 at 9:53 AM, Oliver Schad oliver.sc...@automatic-server.com wrote:
> > > > On Thu, 8 Nov 2012 09:14:50 +0100 Ermal Luçi e...@pfsense.org wrote:
> > > > > Can you describe the scenario on this? Why you are expecting traffic on the backup to be rolling normally when the device is for HA?
> > > >
> > > > There are many reasons:
> > > > - debugging network (does the second device work? if the first device has a problem, does the second one have the same problem?)
> > > > - making updates of a package/firmware
> > > > - fetch some information from somewhere if you extended the pfsense
> > >
> > > https://github.com/bsdperimeter/pfsense/commit/7466cd71f6747bbc93588adb7ee8ec36a6cf01b3
> > >
> > > happy?
> >
> > Sorry if I disturb. Does this also mean: it results in a complete filter reload at the take over time?
>
> Normally it works like that. Triggered by carp status change.

Ok, many thanks.
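The condition reported at the start of this thread (a source-NAT rule to the carp IP still loaded while the node is in backup state) can be checked with a short script. This is an added example, not part of the original messages and not pfSense code; the function names are hypothetical, the `ifconfig` and `pfctl -s nat` text is constructed, and it assumes each carp address sits in its own interface stanza with a `carp: STATE vhid ...` line.

```shell
#!/bin/sh
# Added example: on a CARP node, list pf NAT rules that match any source
# (so also packets the node itself sends) and translate to an address
# whose CARP state is BACKUP. All sample text below is constructed.
# On a live node: nat_to_backup_vip "$(ifconfig)" "$(pfctl -s nat)"

SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 198.51.100.3 netmask 0xffffff00 broadcast 198.51.100.255
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 198.51.100.10 netmask 0xffffff00
    carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.0.2.1 netmask 0xffffff00
    carp: MASTER vhid 2 advbase 1 advskew 0'

SAMPLE_PFNAT='nat on em0 inet all -> 198.51.100.10
nat on em0 inet from 192.0.2.0/24 to any -> 198.51.100.10 port 1024:65535
nat on em1 inet all -> 192.0.2.1'

# Print the IPv4 address of every interface stanza whose "carp:" line says BACKUP.
backup_vips() {
    printf '%s\n' "$1" | awk '
        function emit() { if (state == "BACKUP" && addr != "") print addr
                          addr = ""; state = "" }
        /^[A-Za-z]/   { emit() }          # unindented line starts a new stanza
        $1 == "inet"  { addr = $2 }
        $1 == "carp:" { state = $2 }
        END           { emit() }'
}

# Print NAT rules with an unrestricted source ("all" / "from any") whose
# translation address (the token after "->") is a BACKUP CARP address.
nat_to_backup_vip() {
    vips=$(backup_vips "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v vips="$vips" '
        BEGIN { n = split(vips, v, " "); for (i = 1; i <= n; i++) bad[v[i]] = 1 }
        $1 == "nat" {
            anysrc = 0; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "all" || ($i == "from" && $(i + 1) == "any")) anysrc = 1
                if ($i == "->") { target = $(i + 1); break }
            }
            if (anysrc && (target in bad)) print
        }'
}

nat_to_backup_vip "$SAMPLE_IFCONFIG" "$SAMPLE_PFNAT"
```

Rules with a restricted source, such as the LAN subnet rule in the sample, are not reported because they do not match packets the node itself originates.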
Re: [pfSense] Strange problem after auto update
Hi,

Just to let you know that this 2.1 snapshot:

FreeBSD 8.3-RELEASE-p4 #1: Thu Nov 8 11:35:37 EST 2012

Fixes my problem. Now the slave can ping and do DNS queries at will, as expected (at least as I expected).

bye, and thanks for your work guys!

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829