Re: backup firewall connectivity
On Sat, Dec 29, 2007 at 03:59:25PM -0600, Aaron wrote:

> Still no connectivity to speak of when a machine has a carp interface
> set to the BACKUP state. Any other ideas?

Hmmm. The only thing I can think of is simplify. Assign a single address
to your fxps, and add a carp interface in the same net. Much like the
simple example in http://www.countersiege.com/doc/pfsync-carp/. That
always worked for me. Do away with all aliases, make that work first and
then build up.

Oh, if you are doing NAT, do not NAT the traffic coming from the
(secondary) firewall itself. That won't work.

	-Otto
Re: backup firewall connectivity
* Aaron [EMAIL PROTECTED] [2007-12-30 00:52]:
> I got rid of the aliases on the parent interfaces and made their
> addresses part of the carp network and things now seem to be working.
> This is great, and not so great as for my public address space, i'm
> losing another two addresses that i have to give to the firewall. :-(
> Is this the way it was intended or have i bumped into some unfortunate
> untested 'issue'?

if you think about it, it is the only possible way. while the carp
interface is not master, you cannot reach the networks on it. which is
not a problem if it is a /32. how should that work? do you want to
establish a tcp connection where you never see the replies, because they
go to your other firewall (the carp master)?

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: backup firewall connectivity
Darren Spruell wrote:
> On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
> > main firewall Carp0:
> > inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
> > inet alias 192.168.3.66 255.255.255.224
> > inet alias 192.168.3.67 255.255.255.224
>
> Not to solution your problem, but the correct netmask for interface
> aliases is 255.255.255.255. Refer to archives and hostname.if(5).
>
> DS

Thanks Darren,

I tried this, and although I know you said it's not going to solve my
problem, i was hoping, with no change in results.

I have verified that my carp interfaces have the same exact settings via
diff, and the only changes are the advskew settings. I've taken the alias
addresses out of the equation and am still getting the same results. I
then cut down to two active physical interfaces on each machine, plus
carp interfaces. lan side and wan side no dmz or dual wan, so my setup
looks like this:

lan---|carp3/fxp3|-OBSD BOX|fxp0/carp0|-wan
      |                                |
something to do with the problem so i updated to -stable with same
results. If i had any hair, i'm sure i would have pulled it all out by
this point.

here are my configs.
machine A:

# cat /etc/hostname.fxp0
inet 10.125.221.2 255.255.255.0 NONE
# cat /etc/hostname.carp0
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester0
# cat /etc/hostname.fxp3
inet 10.128.221.2 255.255.255.0 NONE
# cat /etc/hostname.carp3
inet 192.168.247.136 255.255.255.0 192.168.247.255 vhid 4 carpdev fxp3 pass tester4

Machine B:

# cat /etc/hostname.fxp0
inet 10.125.221.3 255.255.255.0 NONE
# cat /etc/hostname.carp0
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester0 advskew 100
# cat /etc/hostname.fxp3
inet 10.128.221.3 255.255.255.0 NONE
# cat /etc/hostname.carp3
inet 192.168.247.136 255.255.255.0 192.168.247.255 vhid 4 carpdev fxp3 pass tester4 advskew 100

ifconfig Machine A:

# ifconfig -aA
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:74:6d:61
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.125.221.2 netmask 0xffffff00 broadcast 10.125.221.255
        inet6 fe80::20e:cff:fe74:6d61%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:3b:3f:2e
        media: Ethernet autoselect (none)
        status: no carrier
fxp2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:74:6d:a2
        media: Ethernet autoselect (none)
        status: no carrier
fxp3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:47:b1:2c:c4
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.128.221.2 netmask 0xffffff00 broadcast 10.128.221.255
        inet6 fe80::203:47ff:feb1:2cc4%fxp3 prefixlen 64 scopeid 0x4
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:72:51:c9
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.23.183.2 netmask 0xffffff00 broadcast 10.23.183.255
        inet6 fe80::250:bfff:fe72:51c9%rl0 prefixlen 64 scopeid 0x5
enc0: flags=0<> mtu 1536
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: rl0 syncpeer: 224.0.0.240 maxupd: 128
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x9
        inet 192.168.3.65 netmask 0xffffffe0 broadcast 192.168.3.95
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:04
        carp: MASTER carpdev fxp3 vhid 4 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:104%carp3 prefixlen 64 scopeid 0xa
        inet 192.168.247.136 netmask 0xffffff00 broadcast 192.168.247.255

ifconfig Machine B:

# ifconfig -aA
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:47:ad:be:2e
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::203:47ff:fead:be2e%fxp0 prefixlen 64 scopeid 0x1
        inet 10.125.221.3 netmask 0xffffff00 broadcast 10.125.221.255
fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:d0:b7:3e:c1:dc
        media: Ethernet autoselect (none)
Re: backup firewall connectivity
On Sat, Dec 29, 2007 at 01:30:23PM -0600, Aaron wrote:

> Darren Spruell wrote:
> > On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
> > > main firewall Carp0:
> > > inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
> > > inet alias 192.168.3.66 255.255.255.224
> > > inet alias 192.168.3.67 255.255.255.224
> >
> > Not to solution your problem, but the correct netmask for interface
> > aliases is 255.255.255.255. Refer to archives and hostname.if(5).
> >
> > DS
>
> Thanks Darren,
>
> I tried this, and although I know you said it's not going to solve my
> problem, i was hoping, with no change in results.
>
> I have verified that my carp interfaces have the same exact settings
> via diff, and the only changes are the advskew settings. I've taken the
> alias addresses out of the equation and am still getting the same
> results. I then cut down to two active physical interfaces on each
> machine, plus carp interfaces. lan side and wan side no dmz or dual
> wan, so my setup looks like this:
>
> lan---|carp3/fxp3|-OBSD BOX|fxp0/carp0|-wan
>       |                                |
> something to do with the problem so i updated to -stable with same
> results. If i had any hair, i'm sure i would have pulled it all out by
> this point.
>
> here are my configs.
>
> machine A:
>
> # cat /etc/hostname.fxp0
> inet 10.125.221.2 255.255.255.0 NONE
> # cat /etc/hostname.carp0
> inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester0
> # cat /etc/hostname.fxp3
> inet 10.128.221.2 255.255.255.0 NONE
> # cat /etc/hostname.carp3
> inet 192.168.247.136 255.255.255.0 192.168.247.255 vhid 4 carpdev fxp3 pass tester4

I think your problem will be solved if you assign an alias in the
192.168.3.0 net to fxp0 and an alias in the 192.168.247.0 net to fxp3.
Just like Henning already suggested.

	-Otto

> Machine B:
>
> # cat /etc/hostname.fxp0
> inet 10.125.221.3 255.255.255.0 NONE
> # cat /etc/hostname.carp0
> inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester0 advskew 100
> # cat /etc/hostname.fxp3
> inet 10.128.221.3 255.255.255.0 NONE
> # cat /etc/hostname.carp3
> inet 192.168.247.136 255.255.255.0 192.168.247.255 vhid 4 carpdev fxp3 pass tester4 advskew 100
>
> ifconfig Machine A:
>
> # ifconfig -aA
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0e:0c:74:6d:61
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.125.221.2 netmask 0xffffff00 broadcast 10.125.221.255
>         inet6 fe80::20e:cff:fe74:6d61%fxp0 prefixlen 64 scopeid 0x1
> fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0e:0c:3b:3f:2e
>         media: Ethernet autoselect (none)
>         status: no carrier
> fxp2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0e:0c:74:6d:a2
>         media: Ethernet autoselect (none)
>         status: no carrier
> fxp3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:03:47:b1:2c:c4
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.128.221.2 netmask 0xffffff00 broadcast 10.128.221.255
>         inet6 fe80::203:47ff:feb1:2cc4%fxp3 prefixlen 64 scopeid 0x4
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:50:bf:72:51:c9
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.23.183.2 netmask 0xffffff00 broadcast 10.23.183.255
>         inet6 fe80::250:bfff:fe72:51c9%rl0 prefixlen 64 scopeid 0x5
> enc0: flags=0<> mtu 1536
> pfsync0: flags=41<UP,RUNNING> mtu 1460
>         pfsync: syncdev: rl0 syncpeer: 224.0.0.240 maxupd: 128
>         groups: carp pfsync
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
>         groups: pflog
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:01
>         carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
>         groups: carp egress
>         inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x9
>         inet 192.168.3.65 netmask 0xffffffe0 broadcast 192.168.3.95
> carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:04
>         carp: MASTER carpdev fxp3 vhid 4 advbase 1 advskew 0
>         groups: carp
>         inet6 fe80::200:5eff:fe00:104%carp3 prefixlen 64 scopeid 0xa
>         inet 192.168.247.136 netmask 0xffffff00 broadcast 192.168.247.255
>
> ifconfig Machine B:
>
> # ifconfig -aA
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>         inet 127.0.0.1 netmask 0xff000000
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:03:47:ad:be:2e
Re: backup firewall connectivity
Aaron wrote:
> Darren Spruell wrote:
> > On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
> > > main firewall Carp0:
> > > inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
> > > inet alias 192.168.3.66 255.255.255.224
> > > inet alias 192.168.3.67 255.255.255.224
> >
> > Not to solution your problem, but the correct netmask for interface
> > aliases is 255.255.255.255. Refer to archives and hostname.if(5).
> >
> > DS
>
> Thanks Darren,
>
> I tried this, and although I know you said it's not going to solve my
> problem, i was hoping, with no change in results.
>
> I have verified that my carp interfaces have the same exact settings
> via diff, and the only changes are the advskew settings. I've taken the
> alias addresses out of the equation and am still getting the same
> results. I then cut down to two active physical interfaces on each
> machine, plus carp interfaces. lan side and wan side no dmz or dual
> wan, so my setup looks like this:
>
> lan---|carp3/fxp3|-OBSD BOX|fxp0/carp0|-wan
>       |                                |
> something to do with the problem so i updated to -stable with same
> results. If i had any hair, i'm sure i would have pulled it all out by
> this point.

--- snip

somehow part of the last message got messed up. here is what it should
look like:

       |--|carp3/fxp3|-OBSD BOX|fxp0/carp0|--|
lan ---|                                    |--wan
       |--|carp3/fxp3|-OBSD BOX|fxp0/carp0|--|

I am running obsd 4.2, was release, but thought that might have
something to do with the problem so i updated to -stable with same
results. If i had any hair, i'm sure i would have pulled it all out by
this point.
Re: backup firewall connectivity
Otto Moerbeek wrote:
> On Sat, Dec 29, 2007 at 01:30:23PM -0600, Aaron wrote:
>
> > Darren Spruell wrote:
> > > On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
> > > > main firewall Carp0:
> > > > inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
> > > > inet alias 192.168.3.66 255.255.255.224
> > > > inet alias 192.168.3.67 255.255.255.224
> > >
> > > Not to solution your problem, but the correct netmask for interface
> > > aliases is 255.255.255.255. Refer to archives and hostname.if(5).
> > >
> > > DS
> >
> > Thanks Darren,
> >
> > I tried this, and although I know you said it's not going to solve my
> > problem, i was hoping, with no change in results.
> >
> > I have verified that my carp interfaces have the same exact settings
> > via diff, and the only changes are the advskew settings. I've taken
> > the alias addresses out of the equation and am still getting the same
> > results. I then cut down to two active physical interfaces on each
> > machine, plus carp interfaces. lan side and wan side no dmz or dual
> > wan, so my setup looks like this:
> >
> > lan---|carp3/fxp3|-OBSD BOX|fxp0/carp0|-wan
> >       |                                |
> > something to do with the problem so i updated to -stable with same
> > results. If i had any hair, i'm sure i would have pulled it all out
> > by this point.
> >
> > here are my configs.
> >
> > machine A:
> >
> > # cat /etc/hostname.fxp0
> > inet 10.125.221.2 255.255.255.0 NONE
> > # cat /etc/hostname.carp0
> > inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester0
> > # cat /etc/hostname.fxp3
> > inet 10.128.221.2 255.255.255.0 NONE
> > # cat /etc/hostname.carp3
> > inet 192.168.247.136 255.255.255.0 192.168.247.255 vhid 4 carpdev fxp3 pass tester4
>
> I think your problem will be solved if you assign an alias in the
> 192.168.3.0 net to fxp0 and an alias in the 192.168.247.0 net to fxp3.
> Just like Henning already suggested.
>
> 	-Otto

Henning wrote:
> that depends whether your external carp interface has numbered or
> unnumbered parents. if the parents (carpdev) are unnumbered (no ip
> assigned), it is quite normal. otherwise you have sth wrong.

I guess I'm missing something or I didn't understand what he means by
(no ip assigned). All carp parents are numbered by the inverse of the
definition he gave for unnumbered, because there are ip's assigned to
all of the carpdev interfaces, just not with the same network as the
carp interfaces. Is it required for the carp parents' ip addresses to
be in the same network as the carp interfaces? I didn't see that
anywhere as a requirement.

I should also clarify, this is not happening only on my external carp
interface. This is the behavior on all interfaces. There is no
connectivity (i'm currently seeing some connectivity between the
parents from a to b only (shown below)) when a machine is in the BACKUP
state.

Hoping anything will work, I gave it a try.

Machine A:

# cat /etc/hostname.fxp0
inet 10.125.221.2 255.255.255.0 NONE
inet alias 192.168.3.67 255.255.255.255

# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:74:6d:61
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.125.221.2 netmask 0xffffff00 broadcast 10.125.221.255
        inet6 fe80::20e:cff:fe74:6d61%fxp0 prefixlen 64 scopeid 0x1
        inet 192.168.3.67 netmask 0xffffffff broadcast 192.168.3.67

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x9
        inet 192.168.3.65 netmask 0xffffffe0 broadcast 192.168.3.95

Machine B:

# cat /etc/hostname.fxp0
inet 10.125.221.3 255.255.255.0 NONE
inet alias 192.168.3.66 255.255.255.255

# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:47:ad:be:2e
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.125.221.3 netmask 0xffffff00 broadcast 10.125.221.255
        inet6 fe80::203:47ff:fead:be2e%fxp0 prefixlen 64 scopeid 0x1
        inet 192.168.3.66 netmask 0xffffffff broadcast 192.168.3.66

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 100
        groups: carp egress
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x9
        inet 192.168.3.65 netmask 0xffffffe0 broadcast 192.168.3.95

I rebooted just to make sure nothing bad was hanging around after
running netstart, same exact results.

FROM MACHINE B while in backup state:

# ping 192.168.3.94
PING 192.168.3.94 (192.168.3.94): 56 data bytes
ping: sendto: Network is unreachable
ping: wrote 192.168.3.94 64 chars, ret=-1

--- 192.168.3.94 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
# ping
Re: backup firewall connectivity
On Dec 29, 2007 2:59 PM, Aaron [EMAIL PROTECTED] wrote:
> Otto Moerbeek wrote:
> > I think your problem will be solved if you assign an alias in the
> > 192.168.3.0 net to fxp0 and an alias in the 192.168.247.0 net to
> > fxp3. Just like Henning already suggested.
>
> Henning wrote:
> > that depends whether your external carp interface has numbered or
> > unnumbered parents. if the parents (carpdev) are unnumbered (no ip
> > assigned), it is quite normal. otherwise you have sth wrong.
>
> I guess I'm missing something or I didn't understand what he means by
> (no ip assigned). All carp parents are numbered by the inverse of the
> definition he gave for unnumbered, because there are ip's assigned to
> all of the carpdev interfaces, just not with the same network as the
> carp interfaces. Is it required for the carp parents' ip addresses to
> be in the same network as the carp interfaces? I didn't see that
> anywhere as a requirement.

The typical configuration is that the CARP interfaces will be assigned
addresses on the same IP subnet as the parent interfaces. I don't
believe that this is a requirement, per se, but it is hinted at in
ifconfig(8):

     carpdev iface
             If the driver is a carp(4) pseudo-device, attach it to
             iface. If not specified, the kernel will attempt to select
             an interface with a subnet matching that of the carp
             interface.

This configuration is the only way that makes sense to me; you don't
have to overlap subnets on the same Ethernet segment, you don't have to
fiddle with interface aliases, and if you need to reach the natural IP
addresses for the real (parent) interfaces, they're routed and
reachable the same as the CARP addresses.

Again, not knowing if this impacts your problem, but may be worth
testing.

DS
Re: backup firewall connectivity
Darren Spruell wrote:
> On Dec 29, 2007 2:59 PM, Aaron [EMAIL PROTECTED] wrote:
> > Otto Moerbeek wrote:
> > > I think your problem will be solved if you assign an alias in the
> > > 192.168.3.0 net to fxp0 and an alias in the 192.168.247.0 net to
> > > fxp3. Just like Henning already suggested.
> >
> > Henning wrote:
> > > that depends whether your external carp interface has numbered or
> > > unnumbered parents. if the parents (carpdev) are unnumbered (no ip
> > > assigned), it is quite normal. otherwise you have sth wrong.
> >
> > I guess I'm missing something or I didn't understand what he means
> > by (no ip assigned). All carp parents are numbered by the inverse of
> > the definition he gave for unnumbered, because there are ip's
> > assigned to all of the carpdev interfaces, just not with the same
> > network as the carp interfaces. Is it required for the carp parents'
> > ip addresses to be in the same network as the carp interfaces? I
> > didn't see that anywhere as a requirement.
>
> The typical configuration is that the CARP interfaces will be assigned
> addresses on the same IP subnet as the parent interfaces. I don't
> believe that this is a requirement, per se, but it is hinted at in
> ifconfig(8):
>
>      carpdev iface
>              If the driver is a carp(4) pseudo-device, attach it to
>              iface. If not specified, the kernel will attempt to
>              select an interface with a subnet matching that of the
>              carp interface.
>
> This configuration is the only way that makes sense to me; you don't
> have to overlap subnets on the same Ethernet segment, you don't have
> to fiddle with interface aliases, and if you need to reach the natural
> IP addresses for the real (parent) interfaces, they're routed and
> reachable the same as the CARP addresses.
>
> Again, not knowing if this impacts your problem, but may be worth
> testing.
>
> DS

I got rid of the aliases on the parent interfaces and made their
addresses part of the carp network and things now seem to be working.
This is great, and not so great as for my public address space, i'm
losing another two addresses that i have to give to the firewall. :-(
Is this the way it was intended or have i bumped into some unfortunate
untested 'issue'?

I also added in my aliases on the external interface (two less aliases
now), with the prescribed 255.255.255.255 netmask. All of my aliases
now have only their address as the broadcast address. I realize this is
right using a /32 netmask, but will this affect the workings of the
network?

Thanks to all,

Aaron Martinez
Re: backup firewall connectivity
On Dec 29, 2007 4:41 PM, Aaron [EMAIL PROTECTED] wrote:
> I also added in my aliases on the external interface (two less aliases
> now), with the prescribed 255.255.255.255 netmask. All of my aliases
> now have only their address as the broadcast address. I realize this
> is right using a /32 netmask, but will this affect the workings of the
> network?

Nope, network functions will be fine. Those that rely on these settings
do so from the primary IP settings on the interface, not the interface
aliases.

Note as from hostname.if(5) that the broadcast address is typically
optional; a setting of NONE will result in computation from the network
mask and for aliases it can be left off entirely with no ill effects.
Examples given:

     inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
     inet alias 10.0.1.13 255.255.255.255 10.0.1.13
     inet alias 10.0.1.14 255.255.255.255 NONE
     inet alias 10.0.1.15 255.255.255.255
     inet alias 10.0.1.16 0xffffffff

DS
Re: backup firewall connectivity
* Aaron [EMAIL PROTECTED] [2007-12-28 03:24]:
> I am wondering, in a dual firewall situation, preemption enabled, carp
> working just fine (i think), is it normal that the backup firewall
> (when in backup state) has no connectivity on any of the carped
> interfaces?

that depends whether your external carp interface has numbered or
unnumbered parents. if the parents (carpdev) are unnumbered (no ip
assigned), it is quite normal. otherwise you have sth wrong.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: backup firewall connectivity
> * Aaron [EMAIL PROTECTED] [2007-12-28 03:24]:
> > I am wondering, in a dual firewall situation, preemption enabled,
> > carp working just fine (i think), is it normal that the backup
> > firewall (when in backup state) has no connectivity on any of the
> > carped interfaces?
>
> that depends whether your external carp interface has numbered or
> unnumbered parents. if the parents (carpdev) are unnumbered (no ip
> assigned), it is quite normal. otherwise you have sth wrong.
>
> -- 
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

how depressing.. ok.. here is some information, please let me know if
there are other things I should include.

The firewall is a plain jane supermicro pd4sa with a p4 2ghz and 512Mb
memory. I am not currently at the location with the box so i don't have
a dmesg to post. There are 5 physical interfaces on the machine, fxp0-3
and rl0 which I use for my pfsync interface.

in my best ascii art, this is the machine layout.

            |---------|--- wanA/carp0
 carp2-dmz- |         |
            |         |--- wanB/carp1
 carp3--lan |---------|

Here are my interface configs:

main firewall fxp0:
inet 10.125.221.2 255.255.255.0 NONE

main firewall fxp1:
inet 10.126.221.2 255.255.255.0 NONE

backup firewall fxp0:
inet 10.125.221.3 255.255.255.0 NONE

backup firewall fxp1:
inet 10.126.221.3 255.255.255.0 NONE

main firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias 192.168.3.86 255.255.255.224
inet alias 192.168.3.87 255.255.255.224
inet alias 192.168.3.88 255.255.255.224
inet alias 192.168.3.89 255.255.255.224
inet alias 192.168.3.90 255.255.255.224
inet alias 192.168.3.91 255.255.255.224
inet alias 192.168.3.92 255.255.255.224
inet alias 192.168.3.93 255.255.255.224

main firewall Carp1:
inet 192.168.3.129 255.255.255.224 192.168.3.159 vhid 2 carpdev fxp1 pass tester2
inet alias 192.168.3.130 255.255.255.224
inet alias 192.168.3.131 255.255.255.224
inet alias 192.168.3.132 255.255.255.224
inet alias 192.168.3.133 255.255.255.224
inet alias 192.168.3.134 255.255.255.224
inet alias 192.168.3.135 255.255.255.224
inet alias 192.168.3.136 255.255.255.224
inet alias 192.168.3.137 255.255.255.224
inet alias 192.168.3.138 255.255.255.224
inet alias 192.168.3.139 255.255.255.224
inet alias 192.168.3.140 255.255.255.224
inet alias 192.168.3.141 255.255.255.224
inet alias 192.168.3.142 255.255.255.224
inet alias 192.168.3.143 255.255.255.224
inet alias 192.168.3.144 255.255.255.224
inet alias 192.168.3.145 255.255.255.224
inet alias 192.168.3.146 255.255.255.224
inet alias 192.168.3.147 255.255.255.224
inet alias 192.168.3.148 255.255.255.224
inet alias 192.168.3.149 255.255.255.224
inet alias 192.168.3.150 255.255.255.224
inet alias 192.168.3.151 255.255.255.224
inet alias 192.168.3.152 255.255.255.224
inet alias 192.168.3.153 255.255.255.224
inet alias 192.168.3.154 255.255.255.224
inet alias 192.168.3.155 255.255.255.224
inet alias 192.168.3.156 255.255.255.224
inet alias 192.168.3.157 255.255.255.224

backup firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1 advskew 100
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias
Re: backup firewall connectivity
On Dec 28, 2007 7:13 AM, Aaron [EMAIL PROTECTED] wrote:
> main firewall Carp0:
> inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
> inet alias 192.168.3.66 255.255.255.224
> inet alias 192.168.3.67 255.255.255.224

Not to solution your problem, but the correct netmask for interface
aliases is 255.255.255.255. Refer to archives and hostname.if(5).

DS
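The two points this thread turns on can be checked mechanically before a failover is tested: the 255.255.255.255 netmask on interface aliases raised just above, and, from Darren's later reply about carpdev subnet selection and Henning's numbered/unnumbered parents, whether each carpdev parent actually holds an address in its carp interface's subnet. The following is an added example written for this thread; it is not code from the thread, from OpenBSD or from any of the posters. It parses the inet lines of hostname.if(5) files, applies a per-node check and a two-node check, and runs them over constructed sample configs built from the addresses Aaron posted. The function names, the finding texts and the BEFORE_A/AFTER_A/AFTER_B samples are all assumptions made for the example.

```python
# Added example for this thread; not code from the thread or from OpenBSD.
# Parses hostname.if(5) 'inet' lines and checks two things the replies raise:
#   * interface aliases carry a 255.255.255.255 netmask;
#   * a carp interface's carpdev parent holds an address, with a real netmask,
#     inside the carp subnet, otherwise the BACKUP node has no route there.
# Function names and the sample configs are constructed for this example.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Iface:
    name: str
    addrs: List[ipaddress.IPv4Interface] = field(default_factory=list)
    aliases: List[ipaddress.IPv4Interface] = field(default_factory=list)
    carpdev: Optional[str] = None
    vhid: Optional[int] = None
    advskew: int = 0


def _mask(mask: str) -> str:
    """hostname.if(5) accepts dotted or 0x-hex masks; normalise to dotted."""
    if mask.startswith("0x"):
        return str(ipaddress.IPv4Address(int(mask, 16)))
    return mask


def parse_hostname_if(name: str, text: str) -> Iface:
    """Parse the 'inet' lines of one hostname.if file into an Iface."""
    iface = Iface(name)
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if len(toks) < 2 or toks[0] != "inet":
            continue
        is_alias = toks[1] == "alias"
        toks = toks[2:] if is_alias else toks[1:]
        if not toks:
            continue
        mask = toks[1] if len(toks) > 1 else "255.255.255.255"
        addr = ipaddress.IPv4Interface(f"{toks[0]}/{_mask(mask)}")
        iface.addrs.append(addr)
        if is_alias:
            iface.aliases.append(addr)
        rest = toks[2:]
        # optional broadcast field: NONE, a dotted quad or a hex value
        if rest and (rest[0] == "NONE" or rest[0].startswith("0x") or DOTTED.match(rest[0])):
            rest = rest[1:]
        for key, val in zip(rest, rest[1:]):   # "vhid 1 carpdev fxp0 pass x advskew 100"
            if key == "carpdev":
                iface.carpdev = val
            elif key == "vhid":
                iface.vhid = int(val)
            elif key == "advskew":
                iface.advskew = int(val)
    return iface


def load(node: Dict[str, str]) -> Dict[str, Iface]:
    """node maps interface name -> hostname.if contents (constructed here)."""
    return {name: parse_hostname_if(name, text) for name, text in node.items()}


def check_node(ifaces: Dict[str, Iface]) -> List[str]:
    """Per-node checks: alias masks, and each carpdev numbered in its carp net."""
    out = []
    for ifc in ifaces.values():
        for a in ifc.aliases:
            if a.network.prefixlen != 32:
                out.append(f"{ifc.name}: alias {a.ip} has netmask {a.netmask}; use 255.255.255.255")
        if ifc.carpdev is None or not ifc.addrs:
            continue
        carp_net = ifc.addrs[0].network
        parent = ifaces.get(ifc.carpdev)
        # A /32 alias on the parent adds no route for the carp net, which is why
        # the /32 aliases tried in the thread still gave "Network is unreachable".
        numbered = parent is not None and any(
            a.ip in carp_net and a.network.prefixlen < 32 for a in parent.addrs)
        if not numbered:
            out.append(f"{ifc.name}: carpdev {ifc.carpdev} has no address inside {carp_net}; "
                       "expect 'Network is unreachable' on this segment while BACKUP")
    return out


def check_pair(a: Dict[str, Iface], b: Dict[str, Iface]) -> List[str]:
    """Cross-node checks for the two firewalls: same vhid, distinct advskew."""
    out = []
    for name, ca in a.items():
        cb = b.get(name)
        if ca.carpdev is None or cb is None:
            continue
        if ca.vhid != cb.vhid:
            out.append(f"{name}: vhid differs ({ca.vhid} vs {cb.vhid})")
        if ca.advskew == cb.advskew:
            out.append(f"{name}: both nodes use advskew {ca.advskew}; no preferred master")
    return out


# Constructed samples using the addresses quoted in the thread.
BEFORE_A = {  # parent in 10.125.221.0/24, carp in 192.168.3.64/27, /27 aliases
    "fxp0": "inet 10.125.221.2 255.255.255.0 NONE",
    "carp0": "inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1\n"
             "inet alias 192.168.3.66 255.255.255.224\n"
             "inet alias 192.168.3.67 255.255.255.224",
}
AFTER_A = {   # parent moved into the carp net, alias as /32
    "fxp0": "inet 192.168.3.66 255.255.255.224 192.168.3.95",
    "carp0": "inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1\n"
             "inet alias 192.168.3.68 255.255.255.255",
}
AFTER_B = {
    "fxp0": "inet 192.168.3.67 255.255.255.224 192.168.3.95",
    "carp0": "inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1 advskew 100",
}

if __name__ == "__main__":
    for label, node in (("before", BEFORE_A), ("after", AFTER_A)):
        print(label, check_node(load(node)) or "ok")
    print("pair", check_pair(load(AFTER_A), load(AFTER_B)) or "ok")
```

Run against the "before" sample it reports the two /27 aliases and the carpdev parent sitting outside 192.168.3.64/27; the "after" sample, which mirrors the layout Aaron ended up with, reports nothing. The parent check deliberately ignores /32 aliases, since a host route for the alias itself does not give the BACKUP node a route for the rest of the carp subnet.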
backup firewall connectivity
I am wondering, in a dual firewall situation, preemption enabled, carp
working just fine (i think), is it normal that the backup firewall (when
in backup state) has no connectivity on any of the carped interfaces?

I only ask because I have read some posts where someone is connecting
somewhere, downloading something.. etc.. from the _backup_ firewall.
They didn't say if it was running as the master of the carp interface or
not.

When i try to connect out any of my carp interfaces (or the actual
physical interface for that matter) I get the message:

ping: sendto: Network is unreachable
ping: wrote 10.0.69.41 64 chars, ret=-1

If the answer to the question is no, you can't connect when the box is
in backup state, then all is well.. otherwise, I'll put up if configs,
dmesg etc..

BTW, I did try this with pf enabled and disabled (also did a flush all
after disabling pf) so i don't think pf is an issue here.

Thanks in advance,

Aaron