Re: [pfSense] pfsync state full resync
On 2/17/2014 12:17 PM, Brian Candler wrote:
> I don't know whether the version of pf in pfsense/FreeBSD 8.3 implements
> this. If this functionality has been in there since the introduction of
> pfsync then presumably it does.
>
> Also: pfsense optionally lets you configure an IP to unicast state table
> updates to. If you do this, how does the second box send updates back to
> the first box when it's master? You'd put different unicast destination
> addresses on the two boxes?

The source, as usual, is the best way to see this:
https://github.com/pfsense/pfsense/blob/RELENG_2_1/etc/inc/interfaces.inc#L1921

Jim
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfsync state full resync
On 17/02/2014 14:33, Jim Thompson wrote:
> See your link http://www.openbsd.org/faq/pf/carp.html

Yes I've read it. As far as I can see, it talks about "state change messages" and "state table updates" only. I see nothing about re-synchronising the entire state table; if that happens, under what circumstances it happens; nor whether CARP failover is delayed until the machine has completed synchronising its state table.

I *have* now found a third-party document which says this happens:
http://www.countersiege.com/doc/pfsync-carp/

"When the pfsync interface first comes up, pfsync broadcasts a request for a bulk update of the entire state table. After this, all updates to the state table are on a per-state, best effort basis. pfsync attempts to prevent carp from taking ownership of the common addresses until the bulk update has completed."

I don't know whether the version of pf in pfsense/FreeBSD 8.3 implements this. If this functionality has been in there since the introduction of pfsync then presumably it does.

Also: pfsense optionally lets you configure an IP to unicast state table updates to. If you do this, how does the second box send updates back to the first box when it's master? You'd put different unicast destination addresses on the two boxes?

Regards,

Brian.
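An added example, not from this thread or from pfSense, for the two points above: the unicast peer setup (each box names the other box's sync address as syncpeer, so the direction of updates does not matter) and a check that the bulk update requested when pfsync0 came up has finished. It assumes FreeBSD-style pfsync(4) ifconfig syntax (syncdev/syncpeer) and the "syncok:" status line FreeBSD's ifconfig prints for pfsync0; the sample output and the 10.0.99.x addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): unicast pfsync peer setup
# for a two-node pair, plus a check of pfsync0 status. Assumes FreeBSD-style
# pfsync(4) ifconfig syntax (syncdev/syncpeer) and the "syncok:" status
# line that FreeBSD's ifconfig prints for pfsync0.

# Build the ifconfig command for one node: $1 = sync interface, $2 = the
# OTHER node's sync address. Each box therefore gets a different syncpeer.
pfsync_cmd() {
  printf 'ifconfig pfsync0 syncdev %s syncpeer %s up\n' "$1" "$2"
}

# Read ifconfig pfsync0 output on stdin; print "peer=<addr> syncok=<0|1>".
# syncok=1 means the bulk update requested when pfsync0 came up has
# completed (assumption: FreeBSD ifconfig's pfsync status line format).
pfsync_status() {
  awk '
    /syncpeer:/ { for (i = 1; i <= NF; i++) if ($i == "syncpeer:") peer = $(i+1) }
    /syncok:/   { for (i = 1; i <= NF; i++) if ($i == "syncok:")   ok = $(i+1) }
    END { printf "peer=%s syncok=%s\n", (peer == "" ? "none" : peer), (ok == "" ? "unknown" : ok) }'
}

# Poll a live node until the bulk update completes or $1 seconds pass.
# Not exercised below; meant for use on the firewall itself.
pfsync_wait() {
  t=0
  while [ "$t" -lt "$1" ]; do
    case "$(ifconfig pfsync0 2>/dev/null | pfsync_status)" in
      *syncok=1) return 0 ;;
    esac
    sleep 1
    t=$((t + 1))
  done
  return 1
}

# Constructed sample output, modelled on FreeBSD's ifconfig pfsync0 display.
SAMPLE_SYNCED='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: em2 syncpeer: 10.0.99.2 maxupd: 128 defer: off
        syncok: 1'
SAMPLE_BULK='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: em2 syncpeer: 10.0.99.1 maxupd: 128 defer: off
        syncok: 0'

pfsync_cmd em2 10.0.99.2   # run on node A, whose own sync address is 10.0.99.1
pfsync_cmd em2 10.0.99.1   # run on node B, whose own sync address is 10.0.99.2
printf '%s\n' "$SAMPLE_SYNCED" | pfsync_status   # peer=10.0.99.2 syncok=1
printf '%s\n' "$SAMPLE_BULK" | pfsync_status     # peer=10.0.99.1 syncok=0
```

Until syncok reports 1 the node is still receiving the bulk update, which is the window in which letting it take the CARP addresses would drop existing sessions.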
Re: [pfSense] pfsync state full resync
See your link http://www.openbsd.org/faq/pf/carp.html

It's all in there.

--
Jim

> On Feb 16, 2014, at 12:03, rajan agarwal wrote:
>
> I was about to post the same question. Thanks Brian, been facing a problem
> with this in my 2 pfsense setup.
>
>> On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler wrote:
>> I have a question about pfsync failover.
>>
>> Suppose you have a master/slave firewall pair; the master is broadcasting
>> updates to its state table and the slave is picking them up. Then you reboot
>> the master firewall. The slave firewall takes over.
>>
>> When the master firewall comes back, its state table will initially be
>> empty. So does it have a way to request from the slave a dump of the current
>> state table? And will this transfer be completed before it becomes master on
>> any CARP interfaces?
>>
>> I can't see this situation described at
>> http://www.openbsd.org/faq/pf/carp.html
>> http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4
>>
>> It talks about state change messages but not a full resync.
>>
>> However, I can find a hint of a bulk transfer here:
>> http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4
>> and in this old posting:
>> http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html
>>
>> Thanks,
>>
>> Brian.
Re: [pfSense] pfsync state full resync
Hi Brian and Joel,

I resolved the sync issue today in my environment. I just supplied the IP address of the primary (Master) server in the secondary (Slave) server's pfsync config in the section for syncing state tables (I already had the sync state table enabled on the secondary server). Now if the master server goes down then the slave server becomes master temporarily. When the master comes back up, it syncs the state table with the secondary server and the end-users' sessions remain unaffected.

Works for me :)

Please provide your views.

On Mon, Feb 17, 2014 at 7:29 PM, Brian Candler wrote:
> On 16/02/2014 20:25, Joel Robison wrote:
>
>> Hey guys- good questions! I remember asking myself the same question and
>> what helped me was reading the RFC for VRRP/CARP. Essentially when the old
>> master comes back up it will pick up the changes because there will already
>> be a master running on the pvid, what used to be the slave.
>
> That makes no sense.
>
> VRRP/CARP are responsible for failing over the virtual IP address -
> nothing more.
>
> pfsync is responsible for keeping the firewall state tables on the master
> and slave firewalls in sync. My question was how pfsync deals with the case
> of a machine startup, when it has an empty state table. Does it request and
> receive a full state dump from the other firewall, and does this happen
> before CARP fails back? Otherwise, any existing sessions going through the
> firewall will be dropped.
Re: [pfSense] pfsync state full resync
On 16/02/2014 20:25, Joel Robison wrote:
> Hey guys- good questions! I remember asking myself the same question and
> what helped me was reading the RFC for VRRP/CARP. Essentially when the old
> master comes back up it will pick up the changes because there will already
> be a master running on the pvid, what used to be the slave.

That makes no sense.

VRRP/CARP are responsible for failing over the virtual IP address - nothing more.

pfsync is responsible for keeping the firewall state tables on the master and slave firewalls in sync. My question was how pfsync deals with the case of a machine startup, when it has an empty state table. Does it request and receive a full state dump from the other firewall, and does this happen before CARP fails back? Otherwise, any existing sessions going through the firewall will be dropped.
Re: [pfSense] pfsync state full resync
Hey guys- good questions! I remember asking myself the same question and what helped me was reading the RFC for VRRP/CARP. Essentially when the old master comes back up it will pick up the changes because there will already be a master running on the pvid, what used to be the slave.

To be as short as possible- the old master will rejoin the group as a slave, get the states, then become master again.

Hope this helps.

-Joel

> On Feb 16, 2014, at 10:03 AM, rajan agarwal wrote:
>
> I was about to post the same question. Thanks Brian, been facing a problem
> with this in my 2 pfsense setup.
>
>> On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler wrote:
>> I have a question about pfsync failover.
>>
>> Suppose you have a master/slave firewall pair; the master is broadcasting
>> updates to its state table and the slave is picking them up. Then you reboot
>> the master firewall. The slave firewall takes over.
>>
>> When the master firewall comes back, its state table will initially be
>> empty. So does it have a way to request from the slave a dump of the current
>> state table? And will this transfer be completed before it becomes master on
>> any CARP interfaces?
>>
>> I can't see this situation described at
>> http://www.openbsd.org/faq/pf/carp.html
>> http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4
>>
>> It talks about state change messages but not a full resync.
>>
>> However, I can find a hint of a bulk transfer here:
>> http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4
>> and in this old posting:
>> http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html
>>
>> Thanks,
>>
>> Brian.
Re: [pfSense] pfsync state full resync
I was about to post the same question. Thanks Brian, been facing a problem with this in my 2 pfsense setup.

On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler wrote:
> I have a question about pfsync failover.
>
> Suppose you have a master/slave firewall pair; the master is broadcasting
> updates to its state table and the slave is picking them up. Then you
> reboot the master firewall. The slave firewall takes over.
>
> When the master firewall comes back, its state table will initially be
> empty. So does it have a way to request from the slave a dump of the
> current state table? And will this transfer be completed before it becomes
> master on any CARP interfaces?
>
> I can't see this situation described at
> http://www.openbsd.org/faq/pf/carp.html
> http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4
>
> It talks about state change messages but not a full resync.
>
> However, I can find a hint of a bulk transfer here:
> http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4
> and in this old posting:
> http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html
>
> Thanks,
>
> Brian.
[pfSense] pfsync state full resync
I have a question about pfsync failover.

Suppose you have a master/slave firewall pair; the master is broadcasting updates to its state table and the slave is picking them up. Then you reboot the master firewall. The slave firewall takes over.

When the master firewall comes back, its state table will initially be empty. So does it have a way to request from the slave a dump of the current state table? And will this transfer be completed before it becomes master on any CARP interfaces?

I can't see this situation described at
http://www.openbsd.org/faq/pf/carp.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4

It talks about state change messages but not a full resync.

However, I can find a hint of a bulk transfer here:
http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4
and in this old posting:
http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html

Thanks,

Brian.