ha firewall hardware suggestions
Hi OpenBSD hackers,

At work we have a firewall on two Dell PowerEdge 2940 servers, with 10 NICs in use, which I want to substitute in the near future. The second machine acts as cold standby.

I would like to use OpenBSD pf and carp/pfsync to make a HA firewall. I further want to use an embedded system to reduce heat and power consumption in our server room.

What hardware would you suggest? Would a Soekris net6501-30 with two lan1841 be powerful enough to route and filter IP traffic for 50 clients in the LAN and 50 servers in the DMZ with a 300 Mbit uplink?

Is there any other embedded system supported by OpenBSD with at least 9 gigabit ethernet network interfaces? Any octeon system available?

Thanks in advance for any suggestion.

best regards
Waldemar
Re: ha firewall hardware suggestions
On May 15, 2014 2:29:00 AM EDT, Waldemar Brodkorb m...@waldemar-brodkorb.de wrote:
> Hi OpenBSD hackers,
>
> At work we have a firewall on two Dell PowerEdge 2940 servers, with 10 NICs in use, which I want to substitute in the near future. The second machine acts as cold standby.
>
> I would like to use OpenBSD pf and carp/pfsync to make a HA firewall. I further want to use an embedded system to reduce heat and power consumption in our server room.
>
> What hardware would you suggest? Would a Soekris net6501-30 with two lan1841 be powerful enough to route and filter IP traffic for 50 clients in the LAN and 50 servers in the DMZ with a 300 Mbit uplink?
>
> Is there any other embedded system supported by OpenBSD with at least 9 gigabit ethernet network interfaces? Any octeon system available?
>
> Thanks in advance for any suggestion.
>
> best regards
> Waldemar

Err... 10 NICs and Reduce Power/Heat don't usually belong together in the same thought.

You may want to consider using a dual-NIC server with VLANs and a 24-port fully managed switch to accomplish the same thing.

-Adam
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: ha firewall hardware suggestions
Hi,

Adam Thompson wrote,
>> At work we have a firewall on two Dell PowerEdge 2940 servers, with 10 NICs in use, which I want to substitute in the near future. The second machine acts as cold standby.
>
> Err... 10 NICs and Reduce Power/Heat don't usually belong together in the same thought.

I do not agree here. The Dell servers have two redundant power supplies with 400 watt each. The soekris board uses only 40 watt power supplies.

> You may want to consider using a dual-NIC server with VLANs and a 24-port fully managed switch to accomplish the same thing.

We already have two 48 port HP5500 managed switches with IRF configured. The firewall uses two NICs configured as trunking/bonding with LACP for three networks. I don't think the performance would be good if I transfer all the IP traffic over a dual port system with one VLAN trunking port on the internal network.

best regards
Waldemar
Re: ha firewall hardware suggestions
On 2014-05-15, Waldemar Brodkorb m...@waldemar-brodkorb.de wrote:
> Hi OpenBSD hackers,
>
> At work we have a firewall on two Dell PowerEdge 2940 servers, with 10 NICs in use, which I want to substitute in the near future. The second machine acts as cold standby.
>
> I would like to use OpenBSD pf and carp/pfsync to make a HA firewall. I further want to use an embedded system to reduce heat and power consumption in our server room.
>
> What hardware would you suggest? Would a Soekris net6501-30 with two lan1841 be powerful enough to route and filter IP traffic for 50 clients in the LAN and 50 servers in the DMZ with a 300 Mbit uplink?
>
> Is there any other embedded system supported by OpenBSD with at least 9 gigabit ethernet network interfaces? Any octeon system available?
>
> Thanks in advance for any suggestion.
>
> best regards
> Waldemar

As a minimum I think you want the fastest of the 6501, but even then, if it works at all for this amount of traffic (which depends on traffic mix, ruleset, what services are run on the system; vpn etc) you will have little headroom to handle attacks with high pps (or even some normal traffic, heavy voip etc).

Also, though I'm not quite sure how the PCIe lane speed translates to total network throughput, the 1.0a lanes on the processor the 6501 uses have a data rate of 250MByte/s (2Gbit/s), so it seems they would be 2x oversubscribed if you have 4x1Gb on a lane, so I don't see trunking as being likely to improve total throughput.

If you really need that many physical NICs, a board with one of the new avoton c2xxx soc + 6-port pcie nic would perform a lot better.

OpenBSD 5.5-current (GENERIC.MP) #126: Mon May 12 22:40:04 MDT 2014
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8562782208 (8166MB)
avail mem = 8326078464 (7940MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xe7180 (51 entries)
bios0: vendor American Megatrends Inc. version 1.0b date 11/06/2013
bios0: Supermicro A1SAi
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT HEST BERT ERST EINJ
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2550 @ 2.40GHz, 2400.44 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2550 @ 2.40GHz, 2399.99 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU C2550 @ 2.40GHz, 2399.99 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU C2550 @ 2.40GHz, 2399.99 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (BR04)
acpiprt3 at acpi0: bus 3 (PEX2)
acpiprt4 at acpi0: bus 4 (PEX3)
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpicpu2 at acpi0: C2, C1, PSS
acpicpu3 at acpi0: C2, C1, PSS
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 2400 MHz: speeds: 2401, 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600, 1500, 1400, 1300, 1200 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x1f02 rev 0x02
ppb0 at pci0 dev 1
Re: HA firewall
Till now the firewalls seem to be stable. No panic for now. It seems the first small step was in the right direction... Thank you Rogier.

Now my last problem regards the pf weird logs. I have two types of strange logs:

1)
Jun 27 15:51:09 ip-11-53 /bsd: pfsync: ignoring stale update (4) id: 42bae8be0030af70 creatorid: 23e81a47

2)
Jun 27 15:24:05 ip-11-52 /bsd: pf: BAD state: TCP 62.94.11.44:28003 83.211.3.20:28003 85.33.52.26:1088 [lo=4256108960 high=4256114800 win=17520 modulator=0] [lo=346282809 high=346300240 win=5840 modulator=0] 4:4 FPA seq=188091771 ack=4256108960 len=125 ackskew=0 pkts=768:692 dir=out,rev
Jun 27 15:24:05 ip-11-52 /bsd: pf: State failure on: 2 | 6

The 1st message appears very often (up to 30-40 times in the same second) and the 2nd appears 1 time a second. Googling around the net I didn't find anything useful. Can someone give me some hints on how to interpret the messages?

Thanks
Paolo

P.S.: the firewall handles the traffic directed to some multiplayer game application server. In normal situation there are about 800 established TCP connections flowing through the fws consuming a bandwidth of about 2 Mbit/s.

Paolo Perrucci wrote:
> Ok, I replaced syncif with syncdev on both fws. Waiting for the next panic...
>
> Thanks
> Paolo
>
> Rogier Krieger wrote:
>> On 6/24/05, Paolo Perrucci [EMAIL PROTECTED] wrote:
>>> hostname.pfsync0: up syncif rl0
>>
>> To start with small steps: how about replacing syncif with syncdev for the hostname.pfsync0 files? IIRC, syncif is deprecated as of 3.7. For more info, see ifconfig(8).
>>
>> Cheers,
>> Rogier
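A small helper, added here and not part of the thread, that parses the "pf: BAD state" line quoted above and checks the packet's seq and ack against each of the two tracked [lo high] windows, using 32-bit wraparound as TCP sequence space does; it does not assert which window belongs to which side of the connection, only whether the values fall inside.

```python
import re

# The "pf: BAD state" line from the post above, embedded as sample input.
SAMPLE = ("pf: BAD state: TCP 62.94.11.44:28003 83.211.3.20:28003 85.33.52.26:1088 "
          "[lo=4256108960 high=4256114800 win=17520 modulator=0] "
          "[lo=346282809 high=346300240 win=5840 modulator=0] "
          "4:4 FPA seq=188091771 ack=4256108960 len=125 ackskew=0 pkts=768:692 dir=out,rev")

WINDOW_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
PKT_RE = re.compile(r"seq=(\d+) ack=(\d+) len=(\d+)")
MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def parse_bad_state(line):
    """Return the two tracked windows and the packet's seq/ack/len as ints."""
    windows = [dict(lo=int(lo), high=int(hi), win=int(w), modulator=int(m))
               for lo, hi, w, m in WINDOW_RE.findall(line)]
    m = PKT_RE.search(line)
    if len(windows) != 2 or m is None:
        raise ValueError("not a pf BAD state line")
    seq, ack, length = (int(x) for x in m.groups())
    return windows, seq, ack, length


def in_window(value, window):
    """True if value lies in [lo, high] modulo 2^32 (handles wraparound)."""
    span = (window["high"] - window["lo"]) % MOD32
    return (value - window["lo"]) % MOD32 <= span


def check(line):
    """For each tracked window, report whether the packet's seq / ack fall inside it."""
    windows, seq, ack, _ = parse_bad_state(line)
    return [dict(seq_ok=in_window(seq, w), ack_ok=in_window(ack, w)) for w in windows]


if __name__ == "__main__":
    for i, r in enumerate(check(SAMPLE)):
        print(f"window {i}: seq inside={r['seq_ok']} ack inside={r['ack_ok']}")
```

For the quoted line the seq lies outside both tracked windows while the ack sits exactly at the lower edge of the first, so the mismatch pf rejected is on the sequence side, not the ack side.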
Re: HA firewall
I used to get similar errors with dhcpd, and noticed the clock was about 18 hours off. Setting the time and turning on ntpd seemed to fix that issue.

--Bryan

On 6/27/05, Paolo Perrucci [EMAIL PROTECTED] wrote:
> Till now the firewalls seem to be stable. No panic for now. It seems the first small step was in the right direction... Thank you Rogier.
>
> Now my last problem regards the pf weird logs. I have two types of strange logs:
>
> 1)
> Jun 27 15:51:09 ip-11-53 /bsd: pfsync: ignoring stale update (4) id: 42bae8be0030af70 creatorid: 23e81a47
>
> 2)
> Jun 27 15:24:05 ip-11-52 /bsd: pf: BAD state: TCP 62.94.11.44:28003 83.211.3.20:28003 85.33.52.26:1088 [lo=4256108960 high=4256114800 win=17520 modulator=0] [lo=346282809 high=346300240 win=5840 modulator=0] 4:4 FPA seq=188091771 ack=4256108960 len=125 ackskew=0 pkts=768:692 dir=out,rev
> Jun 27 15:24:05 ip-11-52 /bsd: pf: State failure on: 2 | 6
>
> The 1st message appears very often (up to 30-40 times in the same second) and the 2nd appears 1 time a second. Googling around the net I didn't find anything useful. Can someone give me some hints on how to interpret the messages?
>
> Thanks
> Paolo
>
> P.S.: the firewall handles the traffic directed to some multiplayer game application server. In normal situation there are about 800 established TCP connections flowing through the fws consuming a bandwidth of about 2 Mbit/s.
>
> Paolo Perrucci wrote:
>> Ok, I replaced syncif with syncdev on both fws. Waiting for the next panic...
>>
>> Thanks
>> Paolo
>>
>> Rogier Krieger wrote:
>>> On 6/24/05, Paolo Perrucci [EMAIL PROTECTED] wrote:
>>>> hostname.pfsync0: up syncif rl0
>>>
>>> To start with small steps: how about replacing syncif with syncdev for the hostname.pfsync0 files? IIRC, syncif is deprecated as of 3.7. For more info, see ifconfig(8).
>>>
>>> Cheers,
>>> Rogier
HA firewall
Hi all,

I'm trying to setup a HA firewall using carp and pfsync. I tried the 3.6 and 3.7 versions but both tests fail with different kernel panics. In my last attempt I used the 3.7 version (-stable) on both firewalls, but after some hours the primary box fails with this kernel panic:

panic: kernel diagnostic assertion "state->timeout < PFTM_MAX" failed: file /usr/src/sys/net/pf.c, line 887
Stopped at Debugger+0x4: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb>
Debugger(e388eed8,d06d2000,d06d3df4,d5e22000,d5e22000) at Debugger+0x4
panic(d04dea80,d04affb7,d04d5c83,d04d5c9d,377) at panic+0x63
tablefull(d04affb7,d04d5c9d,377,d04d5c83,d05ab760) at tablefull
pf_purge_expired_src_nodes(d5e22000,,d0563170,d06d3e30,20) at pf_purge_expired_src_nodes
pf_purge_expired_states(30,d01feb16,d0b68a80,d06d3e54,d01021b1) at pf_purge_expired_states+0x33
pf_purge_timeout(d05ab72c,5305,3,0,0) at pf_purge_timeout+0x15
... (the ddb log stops here)

Is there someone who has used OpenBSD in a similar configuration?

Paolo
Re: HA firewall
I configured the two firewalls as the basic example described here: http://www.countersiege.com/doc/pfsync-carp/

I already reported a similar bug (http://thread.gmane.org/gmane.os.openbsd.misc/83948) but until now I didn't receive any reply. Before reporting another bug I would like to know if someone else had similar experiences.

Thanks
Paolo

knitti wrote:
> On 6/23/05, Paolo Perrucci [EMAIL PROTECTED] wrote:
>> Hi all,
>>
>> I'm trying to setup a HA firewall using carp and pfsync. I tried the 3.6 and 3.7 versions but both tests fail with different kernel panics. In my last attempt I used the 3.7 version (-stable) on both firewalls, but after some hours the primary box fails with this kernel panic:
>>
>> panic: kernel diagnostic assertion "state->timeout < PFTM_MAX" failed: file /usr/src/sys/net/pf.c, line 887
>> Stopped at Debugger+0x4: leave
>> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
>> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
>> ddb>
>> Debugger(e388eed8,d06d2000,d06d3df4,d5e22000,d5e22000) at Debugger+0x4
>> panic(d04dea80,d04affb7,d04d5c83,d04d5c9d,377) at panic+0x63
>> tablefull(d04affb7,d04d5c9d,377,d04d5c83,d05ab760) at tablefull
>> pf_purge_expired_src_nodes(d5e22000,,d0563170,d06d3e30,20) at pf_purge_expired_src_nodes
>> pf_purge_expired_states(30,d01feb16,d0b68a80,d06d3e54,d01021b1) at pf_purge_expired_states+0x33
>> pf_purge_timeout(d05ab72c,5305,3,0,0) at pf_purge_timeout+0x15
>> ... (the ddb log stops here)
>>
>> Is there someone who has used OpenBSD in a similar configuration?
>
> no one knows your configuration.
>
> http://www.openbsd.org/faq/faq2.html#Bugs
>
> --knitti

--
=
Paolo Perrucci
Program Manager
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Ludonet S.p.A.
www.ludonet.org
EUTELIA
Via G.V. Bona, 67
00156 (GRA Tiburtina) ROMA ITALIA
telephone +39 06.41797.205
fax +39 06.41797.898
=