Re: carp+pfsync+relayd question

2013-11-21 Thread Leonardo Santagostini
Hello list,

Painfully, I had to migrate the relayd service to Linux boxes with Piranha
until I find the issue that caused relayd to exit unexpectedly.

So if someone wants to make some smoke tests to find the issue, please tell me.

Best regards,

Leonardo


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello all, unfortunately I have to set up a cron entry that bounces relayd.

 Here is the log that shows how relayd stopped working

 Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay relay5, session 1961 (54 active), 0, 200.16.99.232 - 172.19.224.71:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1959 (40 active), 0, 201.251.221.57 - 172.19.224.72:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay relay4, session 1990 (61 active), 0, 190.189.189.171 - 172.19.224.70:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[24546]: relay exiting, pid 24546
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1883 (43 active), 0, 190.228.28.250 - :0, buffer event timeout
 Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay relay4, session 2063 (49 active), 0, 201.255.217.232 - 172.19.224.71:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[24551]: pfe exiting, pid 24551
 Nov 18 18:34:55 v-arcbabalancer01 relayd[3602]: hce exiting, pid 3602
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1964 (43 active), 0, 190.12.181.160 - 172.19.224.73:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[17688]: relay relay4, session 2080 (49 active), 0, 186.126.250.165 - 172.19.224.72:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay5, session 1891 (39 active), 0, 190.179.204.226 - :0, buffer event timeout
 Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1962 (39 active), 0, 190.189.189.171 - 172.19.224.70:80, done
 Nov 18 18:34:55 v-arcbabalancer01 relayd[22840]: relay exiting, pid 22840
 Nov 18 18:34:55 v-arcbabalancer01 relayd[5545]: relay exiting, pid 5545
 Nov 18 18:34:55 v-arcbabalancer01 relayd[1089]: relay exiting, pid 1089
 Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay exiting, pid 28629
 Nov 18 18:34:55 v-arcbabalancer01 relayd[857]: relay exiting, pid 857
 Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay exiting, pid 27128
 Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay exiting, pid 20347
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay exiting, pid 13074
 Nov 18 18:34:55 v-arcbabalancer01 relayd[7637]: relay exiting, pid 7637
 Nov 18 18:34:55 v-arcbabalancer01 relayd[8449]: relay exiting, pid 8449
 Nov 18 18:34:55 v-arcbabalancer01 relayd[30009]: relay exiting, pid 30009
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay exiting, pid 13924
 Nov 18 18:34:55 v-arcbabalancer01 relayd[4542]: relay exiting, pid 4542
 Nov 18 18:34:55 v-arcbabalancer01 relayd[13505]: parent terminating, pid 13505
 Nov 18 18:39:11 v-arcbabalancer01 puppet-agent[20912]: Finished catalog run in 2.59 seconds
 Nov 18 18:58:04 v-arcbabalancer01 relayd[9964]: startup


 Best regards, yours

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello Jan, thanks for answering.

 The point was booting without bsd.mp; now the box rebooted and is showing
 4 procs =)

 By now, all is working fine. Thanks for all your support. I will keep you
 all informed of how things are going.

 Best regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 Jan Lambertz jd.arb...@googlemail.com

 qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and
 build are you using?
 On 14.11.2013 18:47 Leonardo Santagostini lsantagost...@gmail.com wrote:
 
  Thanks a lot to all, I will give it a try and give you feedback as
  soon as it gets implemented.
 
  Saludos.-
  Leonardo Santagostini
 
  http://ar.linkedin.com/in/santagostini
 
 
 
 
 
  2013/11/14 Andy a...@brandwatch.com
 
On 14/11/13 15:21, Leonardo Santagostini wrote:
  
   Hello misc,
   
   I'm doing my final approach to put a production system with
   carp+pfsync+relayd into production.
   
   The point is that I'm facing some trouble setting more than one IP alias
   address with different vhid and different passwd.
   
   So, this is the scenario.
   
   I'm trying to relayd more or less 15 sites, so I have conceptual doubts.
   
   1) Is it necessary to create one carp interface for each one of my
   internal VIP addresses?
   2) My understanding is that I have to work with pf on my carp
   interfaces.
   
   I have tried to put two different VIPs on my carp, but without luck.
  
   Here is the homework.
  
   [root@server ~]# uname -a
   OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
   [root@server ~]#
  
   [root@server ~]# cat /etc/hostname.em0
   inet 172.19.224.180 255.255.255.0
  
   

Re: carp+pfsync+relayd question

2013-11-18 Thread mxb
Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq'
would be nice to see.

//mxb


On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Sorry, looking in more detail at the logs I found this:

 /var/log/daemon
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight
 Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
 Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
 Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
 Nov 17 18:36:12 v-arcbabalancer01 relayd[701]: relay exiting, pid 701
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid 21358
 Nov 17 18:36:12 v-arcbabalancer01 relayd[24886]: relay exiting, pid 24886
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21395]: relay exiting, pid 21395
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13155]: relay exiting, pid 13155
 Nov 17 18:36:12 v-arcbabalancer01 relayd[20557]: relay exiting, pid 20557
 Nov 17 18:36:12 v-arcbabalancer01 relayd[14903]: relay exiting, pid 14903
 Nov 17 18:36:12 v-arcbabalancer01 relayd[10686]: relay exiting, pid 10686
 Nov 17 18:36:12 v-arcbabalancer01 relayd[17355]: relay exiting, pid 17355
 Nov 17 18:36:12 v-arcbabalancer01 relayd[26908]: relay exiting, pid 26908
 Nov 17 18:36:12 v-arcbabalancer01 relayd[6551]: relay exiting, pid 6551
 Nov 17 18:36:12 v-arcbabalancer01 relayd[16649]: relay exiting, pid 16649
 Nov 17 18:36:12 v-arcbabalancer01 relayd[2567]: relay exiting, pid 2567
 Nov 17 18:36:12 v-arcbabalancer01 relayd[3159]: relay exiting, pid 3159


 /var/log/messages
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight


 Regards

 Saludos.-
 Leonardo Santagostini







 2013/11/18 Leonardo Santagostini lsantagost...@gmail.com
 Hello everybody, I'm still having some issues with relayd.

 Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1 active), 0, 190.51.90.22 - :0, buffer event timeout
 Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97 (4 active), 0, 190.49.60.30 - :0, buffer event timeout
 Nov 17 21:01:58 v-arcbabalancer01 relayd[4781]: relay relay4, session 142 (3 active), 0, 190.188.18.202 - :0, buffer event timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28 (1 active), 0, 181.29.46.36 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[12715]: relay relay4, session 55 (3 active), 0, 108.36.150.233 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[18695]: relay relay4, session 67 (3 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13096]: relay relay5, session 73 (3 active), 0, 190.195.118.49 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[31990]: relay relay4, session 25 (1 active), 0, 186.188.178.215 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[4781]: relay relay4, session 144 (7 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[23317]: relay relay2, session 55 (5 active), 0, 181.109.7.31 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[22942]: relay relay4, session 93 (2 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13862]: relay relay4, session 80 (3 active), 0, 190.111.231.50 - :0, hard timeout
 Nov 17 21:02:06 v-arcbabalancer01 relayd[19770]: relay relay4, session 92 (1 active), 0, 75.70.87.158 - :0, buffer event timeout
 Nov 17 21:02:08 v-arcbabalancer01 relayd[23317]: relay relay4, session 131 (5 active), 0, 190.113.173.36 - :0, buffer event timeout
 Nov 17 21:02:11 v-arcbabalancer01 relayd[10590]: relay relay4, session 103 (9 active), 0, 186.137.241.254 - :0, buffer event timeout
 Nov 17 21:02:15 v-arcbabalancer01 relayd[23317]: relay relay4, session 143 (2 active), 0, 24.232.115.134 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 101 (7 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 102 (6 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142 (13 active), 0, 190.195.118.49 - 172.19.224.73:80, no method
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay4, session 114 (12 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 104 (5 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay4, session 120 (10 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[31990]: relay relay4, session 117 (5 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 144 (9 active), 0, 190.195.118.49 - 172.19.224.71:80, no 

Re: carp+pfsync+relayd question

2013-11-18 Thread Leonardo Santagostini
Ok, thanks for all the replies. I'm waiting for this situation to appear
again to send you the output of those commands.

Thanks and regards

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 mxb m...@alumni.chalmers.se


 Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq'
 would be nice to see.

 //mxb


 On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com
 wrote:

 Sorry, looking in more detail at the logs I found this:

 /var/log/daemon
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight
 Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
 Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
 Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
 Nov 17 18:36:12 v-arcbabalancer01 relayd[701]: relay exiting, pid 701
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid 21358
 Nov 17 18:36:12 v-arcbabalancer01 relayd[24886]: relay exiting, pid 24886
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21395]: relay exiting, pid 21395
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13155]: relay exiting, pid 13155
 Nov 17 18:36:12 v-arcbabalancer01 relayd[20557]: relay exiting, pid 20557
 Nov 17 18:36:12 v-arcbabalancer01 relayd[14903]: relay exiting, pid 14903
 Nov 17 18:36:12 v-arcbabalancer01 relayd[10686]: relay exiting, pid 10686
 Nov 17 18:36:12 v-arcbabalancer01 relayd[17355]: relay exiting, pid 17355
 Nov 17 18:36:12 v-arcbabalancer01 relayd[26908]: relay exiting, pid 26908
 Nov 17 18:36:12 v-arcbabalancer01 relayd[6551]: relay exiting, pid 6551
 Nov 17 18:36:12 v-arcbabalancer01 relayd[16649]: relay exiting, pid 16649
 Nov 17 18:36:12 v-arcbabalancer01 relayd[2567]: relay exiting, pid 2567
 Nov 17 18:36:12 v-arcbabalancer01 relayd[3159]: relay exiting, pid 3159


 /var/log/messages
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight


 Regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello everybody, I'm still having some issues with relayd.

 Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1 active), 0, 190.51.90.22 - :0, buffer event timeout
 Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97 (4 active), 0, 190.49.60.30 - :0, buffer event timeout
 Nov 17 21:01:58 v-arcbabalancer01 relayd[4781]: relay relay4, session 142 (3 active), 0, 190.188.18.202 - :0, buffer event timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28 (1 active), 0, 181.29.46.36 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[12715]: relay relay4, session 55 (3 active), 0, 108.36.150.233 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[18695]: relay relay4, session 67 (3 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13096]: relay relay5, session 73 (3 active), 0, 190.195.118.49 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[31990]: relay relay4, session 25 (1 active), 0, 186.188.178.215 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[4781]: relay relay4, session 144 (7 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[23317]: relay relay2, session 55 (5 active), 0, 181.109.7.31 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[22942]: relay relay4, session 93 (2 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13862]: relay relay4, session 80 (3 active), 0, 190.111.231.50 - :0, hard timeout
 Nov 17 21:02:06 v-arcbabalancer01 relayd[19770]: relay relay4, session 92 (1 active), 0, 75.70.87.158 - :0, buffer event timeout
 Nov 17 21:02:08 v-arcbabalancer01 relayd[23317]: relay relay4, session 131 (5 active), 0, 190.113.173.36 - :0, buffer event timeout
 Nov 17 21:02:11 v-arcbabalancer01 relayd[10590]: relay relay4, session 103 (9 active), 0, 186.137.241.254 - :0, buffer event timeout
 Nov 17 21:02:15 v-arcbabalancer01 relayd[23317]: relay relay4, session 143 (2 active), 0, 24.232.115.134 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 101 (7 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 102 (6 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142 (13 active), 0, 190.195.118.49 - 172.19.224.73:80, no method
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay4, session 114 (12 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 104 (5 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: 

Re: carp+pfsync+relayd question

2013-11-18 Thread Leonardo Santagostini
Hello list, I found something strange.

On one side, CPU idle is at 0%

[root@v-arcbabalancer01 ~]# vmstat 2 20
 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr wd0 cd0  int   sys   cs us sy id
 5 0 0  86576 1450072  845   0   0   0   0   0   0   0  152  2922  308 60  5 35
 4 0 0  86668 1449976   31   0   0   0   0   0   0   0  435  4554  869 94  6  0
 4 0 0  86732 1449896   14   0   0   0   0   0   0   0  425  4269  827 94  6  0
 5 0 0  86732 1449896    4   0   0   0   0   0   0   0  297  4098  762 92  8  0
 7 0 0  86740 1449872    5   0   0   0   0   0   0   0  287  3264  625 94  6  0
 4 0 0  86748 1449864   14   0   0   0   0   0   0   0  370  4400  804 92  8  0
 4 0 0  86756 1449836   12   0   0   0   0   0   0   0  311  3708  730 92  8  0
 4 0 0  86840 1449744   30   0   0   0   0   0   0   0  331  3585  701 93  7  0
 4 0 0  86840 1449728    4   0   0   0   0   0   0   0  453  4744  885 93  7  0
 4 0 0  86840 1449728    4   0   0   0   0   0   0   0  355  3832  745 92  8  0
 5 0 0  86876 1449668   23   0   0   0   0   0   0   0  375  5003  934 92  8  0
 4 0 0  86880 1449664    4   0   0   0   0   0   0   0  295  3600  707 93  7  0
 9 1 0  87136 1449148 13421   0   0   0   0   0   0   0  242 24373  778 87 13  0
 5 1 0  91964 1445628 23388   0   0   0   0   0   0   0  273     1 1256 80 20  0
 5 0 0  86892 1449624  479   0   0   0   0   0   0   0  313  4012  736 90 10  0
 7 0 0  86892 1449608    6   0   0   0   0   0   0   0  308  3831  712 93  7  0
 4 0 0  86892 1449608    4   0   0   0   0   0   0   0  290  3694  732 95  5  0
 4 0 0  86900 1449576   14   0   0   0   0   0   0   0  345  4439  857 92  8  0
 4 0 0  86900 1449576    4   0   0   0   0   0   0   0  337  4798  879 92  8  0
 5 0 0  86964 1449492   12   0   0   0   0   0   0   0  389  4723  923 94  6  0

On the other, the assigned CPUs are two, not one as the machine sees.

[root@v-arcbabalancer01 ~]# dmesg | grep cpu
acpicpu0 at acpi0
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Opteron or Athlon 64, 2660.64 MHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,PGE,CMOV,PAT,MMX,FXSR,SSE,SSE2,SSE3,POPCNT
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 1000MHz
cpu at mainbus0: not configured

So I will try to do some searching about getting the proper config for OpenBSD
hosts in KVM.

If anyone can give me some clues it will be really welcome.

Regards

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Ok, thanks for all the replies. I'm waiting for this situation to appear
 again to send you the output of those commands.

 Thanks and regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 mxb m...@alumni.chalmers.se


 Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq'
 would be nice to see.

 //mxb


 On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com
 wrote:

 Sorry, looking in more detail at the logs I found this:

 /var/log/daemon
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight
  Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
 Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
 Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
 Nov 17 18:36:12 v-arcbabalancer01 relayd[701]: relay exiting, pid 701
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid 21358
 Nov 17 18:36:12 v-arcbabalancer01 relayd[24886]: relay exiting, pid 24886
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21395]: relay exiting, pid 21395
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13155]: relay exiting, pid 13155
 Nov 17 18:36:12 v-arcbabalancer01 relayd[20557]: relay exiting, pid 20557
 Nov 17 18:36:12 v-arcbabalancer01 relayd[14903]: relay exiting, pid 14903
 Nov 17 18:36:12 v-arcbabalancer01 relayd[10686]: relay exiting, pid 10686
 Nov 17 18:36:12 v-arcbabalancer01 relayd[17355]: relay exiting, pid 17355
 Nov 17 18:36:12 v-arcbabalancer01 relayd[26908]: relay exiting, pid 26908
 Nov 17 18:36:12 v-arcbabalancer01 relayd[6551]: relay exiting, pid 6551
 Nov 17 18:36:12 v-arcbabalancer01 relayd[16649]: relay exiting, pid 16649
 Nov 17 18:36:12 v-arcbabalancer01 relayd[2567]: relay exiting, pid 2567
 Nov 17 18:36:12 v-arcbabalancer01 relayd[3159]: relay exiting, pid 3159


 /var/log/messages
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight


 Regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello everybody, I'm still having some issues with relayd.

 Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75
 (1 active), 0, 190.51.90.22 - :0, buffer event timeout
 Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session
 97 (4 active), 

carp+pfsync+relayd question

2013-11-18 Thread Jan Lambertz
qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and build
are you using?
On 14.11.2013 18:47 Leonardo Santagostini lsantagost...@gmail.com wrote:

 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Andy a...@brandwatch.com

   On 14/11/13 15:21, Leonardo Santagostini wrote:
 
  Hello misc,
  
  I'm doing my final approach to put a production system with
  carp+pfsync+relayd into production.
  
  The point is that I'm facing some trouble setting more than one IP alias
  address with different vhid and different passwd.
  
  So, this is the scenario.
  
  I'm trying to relayd more or less 15 sites, so I have conceptual doubts.
  
  1) Is it necessary to create one carp interface for each one of my
  internal VIP addresses?
  2) My understanding is that I have to work with pf on my carp
  interfaces.
  
  I have tried to put two different VIPs on my carp, but without luck.
 
  Here is the homework.
 
  [root@server ~]# uname -a
  OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
  [root@server ~]#
 
  [root@server ~]# cat /etc/hostname.em0
  inet 172.19.224.180 255.255.255.0
 
  [root@server ~]# cat /etc/hostname.em1
  inet 172.19.226.231 255.255.255.0 172.19.226.255
 
  [root@server ~]# cat /etc/hostname.carp0
  # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
  carpdev em0 pass Ahsooqu3
  inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
  carpdev em0 pass Meixo9oe
  # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
  carpdev em0 pass av5eG9Gi
  # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
  carpdev em0 pass Rei6thai
  # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
  carpdev em0 pass Toobohz3
  # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
  carpdev em0 pass Quahng6U
 
   CARP should look like this (master);
  inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
  Ahsooqu3 advskew 0
  inet alias 172.19.224.131 255.255.255.255
  inet alias 172.19.224.41 255.255.255.255
  inet alias 172.19.224.40 255.255.255.255
  inet alias 172.19.224.181 255.255.255.255
  inet alias 172.19.224.182 255.255.255.255
 
  And (backup);
  inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
  Ahsooqu3 advskew 200
  inet alias 172.19.224.131 255.255.255.255
  inet alias 172.19.224.41 255.255.255.255
  inet alias 172.19.224.40 255.255.255.255
  inet alias 172.19.224.181 255.255.255.255
  inet alias 172.19.224.182 255.255.255.255
 
  And yes the subnet masks for the alias' should be /32 and you will see a
  warning in the logs during fail-over. This is fine, the devs just
haven't
  muted the check warning yet.
 
  You've done it right if 'netstat -rn' shows;
 
  172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
  172.19.224.131/32  172.19.224.131 U  00 - 4 carp0
 
 
   [root@server ~]# cat /etc/hostname.pfsync0
  up syncdev em1
 
  [root@server ~]# cat /etc/pf.conf
  ext_if=carp0
 
   You don't refer to CARP as an interface, it is simply a VRRP watchdog
  interface (for example you cannot set the MTU on a CARP interface as it is
  not really an interface).
  Use the physical..
 
  ext_if=em0
 
 
 
  set fingerprints /etc/pf.os
  set optimization aggressive
  set limit states 9
 
   Definitely needs to be higher! try 1 million..
 
 
   set limit src-nodes 65000
 
  table bad_ip persist
  table internat_net persist file /etc/internal_net
  table admitted_net persist file /etc/admitted.txt
 
  # vip1_address = 172.19.224.181
  # vip2_address = 172.19.224.16
  vip3_address = 172.19.224.131
  # vip4_address = 172.19.224.41
  # vip5_address = 172.19.224.40
 
   Just to keep you sane remember these rules;
  # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
  $external_carp_ip1' (public address as src for outbound).
  # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any
to
  $internal_ip1' (private address as dst for inbound).
 
  [image: OpenBSD_PF_flow]
 
 
 
  # Stop processing when it is the internal networks
  pass in quick from internat_net to any
  
  # Let through the IPs from the admitted networks
  # pass in quick from admitted_net to $vip1_address
  pass in quick from admitted_net to $vip3_address
  
  # Generate the block
  block in quick from bad_ip
 
   Your 'block in quick's should be above your 'pass in quick's!
  quick means stop evaluating and do this action now..
 
 
   block in log quick on $ext_if proto tcp from any os NMAP to any label
  ExtNMAPScan
 
  # Protection against nmap and similar tools
  # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
  block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
  block in quick on $ext_if proto tcp flags 
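Two of Andy's points above can be checked mechanically: a 'block in quick' that sits below 'pass in quick' rules never fires for traffic those passes already matched (quick ends evaluation), and 'set limit states' is far too low for a balancer. The following Python script is an added example, not code from the thread, from OpenBSD or from pf; the pf.conf fragment inside it is constructed to mirror the one quoted above (with the <> table brackets pf syntax requires), and the 1,000,000 state threshold is Andy's "try 1 million" taken as an assumption.

```python
"""Lint a pf.conf fragment for two problems raised in the thread:
  1. 'pass ... quick' rules that precede 'block ... quick' rules in the same
     direction ('quick' ends evaluation, so the block never sees that traffic);
  2. a 'set limit states' value too small for a load balancer.
Added example; not part of OpenBSD, pf or the original posts."""
import re

# Constructed sample, modelled on the pf.conf quoted in the thread.
SAMPLE_PF_CONF = """\
ext_if=em0
set limit states 9
set limit src-nodes 65000
table <bad_ip> persist
table <internat_net> persist file "/etc/internal_net"
table <admitted_net> persist file "/etc/admitted.txt"
vip3_address = 172.19.224.131
pass in quick from <internat_net> to any
pass in quick from <admitted_net> to $vip3_address
block in quick from <bad_ip>
block in log quick on $ext_if proto tcp from any os NMAP to any label ExtNMAPScan
"""

STATE_LIMIT_RE = re.compile(r'^\s*set\s+limit\s+states\s+(\d+)', re.M)


def parse_rules(conf):
    """Return the filter rules as dicts: line number, action, direction, quick flag."""
    rules = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments
        tokens = line.split()
        if not tokens or tokens[0] not in ('pass', 'block'):
            continue
        direction = tokens[1] if len(tokens) > 1 and tokens[1] in ('in', 'out') else 'any'
        rules.append({'line': lineno, 'action': tokens[0], 'direction': direction,
                      'quick': 'quick' in tokens, 'text': line})
    return rules


def shadowed_blocks(rules):
    """(block_line, pass_line) pairs: a quick pass precedes a quick block of the same direction."""
    findings = []
    for i, blk in enumerate(rules):
        if blk['action'] != 'block' or not blk['quick']:
            continue
        for earlier in rules[:i]:
            same_dir = (earlier['direction'] == blk['direction']
                        or 'any' in (earlier['direction'], blk['direction']))
            if earlier['action'] == 'pass' and earlier['quick'] and same_dir:
                findings.append((blk['line'], earlier['line']))
    return findings


def state_limit(conf, minimum=1_000_000):
    """Return (configured value or None, True if it meets the assumed minimum)."""
    m = STATE_LIMIT_RE.search(conf)
    if not m:
        return None, False
    value = int(m.group(1))
    return value, value >= minimum


def hoist_quick_blocks(conf):
    """Move every quick block rule that follows the first quick pass rule to just before it."""
    lines = conf.splitlines()
    rules = parse_rules(conf)
    pass_lines = [r['line'] for r in rules if r['action'] == 'pass' and r['quick']]
    if not pass_lines:
        return conf
    first_pass = min(pass_lines)
    moved = [r['line'] for r in rules
             if r['action'] == 'block' and r['quick'] and r['line'] > first_pass]
    out = []
    for lineno, raw in enumerate(lines, 1):
        if lineno == first_pass:
            out.extend(lines[m - 1] for m in moved)   # blocks go in ahead of the first pass
        if lineno in moved:
            continue
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for blk, pas in shadowed_blocks(parse_rules(SAMPLE_PF_CONF)):
        print(f'line {blk}: quick block is shadowed by quick pass on line {pas}')
    value, ok = state_limit(SAMPLE_PF_CONF)
    print(f'set limit states {value}: {"ok" if ok else "too low for a balancer"}')
    print(hoist_quick_blocks(SAMPLE_PF_CONF))
```

The hoisted output is a suggestion to review, not to apply blindly: the 'pass in quick from <internat_net>' line may be deliberately placed first so that internal networks bypass the blocks, and the lint cannot know that intent; it only tells you which blocks a quick pass can currently silence.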

Re: carp+pfsync+relayd question

2013-11-18 Thread Leonardo Santagostini
Hello Jan, thanks for answering.

The point was booting without bsd.mp; now the box rebooted and is showing 4
procs =)

By now, all is working fine. Thanks for all your support. I will keep you
all informed of how things are going.

Best regards

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 Jan Lambertz jd.arb...@googlemail.com

 qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and build
 are you using?
 On 14.11.2013 18:47 Leonardo Santagostini lsantagost...@gmail.com wrote:
 
  Thanks a lot to all, I will give it a try and give you feedback as
  soon as it gets implemented.
 
  Saludos.-
  Leonardo Santagostini
 
  http://ar.linkedin.com/in/santagostini
 
 
 
 
 
  2013/11/14 Andy a...@brandwatch.com
 
On 14/11/13 15:21, Leonardo Santagostini wrote:
  
   Hello misc,
   
   I'm doing my final approach to put a production system with
   carp+pfsync+relayd into production.
   
   The point is that I'm facing some trouble setting more than one IP alias
   address with different vhid and different passwd.
   
   So, this is the scenario.
   
   I'm trying to relayd more or less 15 sites, so I have conceptual doubts.
   
   1) Is it necessary to create one carp interface for each one of my
   internal VIP addresses?
   2) My understanding is that I have to work with pf on my carp
   interfaces.
   
   I have tried to put two different VIPs on my carp, but without luck.
  
   Here is the homework.
  
   [root@server ~]# uname -a
   OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
   [root@server ~]#
  
   [root@server ~]# cat /etc/hostname.em0
   inet 172.19.224.180 255.255.255.0
  
   [root@server ~]# cat /etc/hostname.em1
   inet 172.19.226.231 255.255.255.0 172.19.226.255
  
   [root@server ~]# cat /etc/hostname.carp0
   # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
   carpdev em0 pass Ahsooqu3
   inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
   carpdev em0 pass Meixo9oe
   # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
   carpdev em0 pass av5eG9Gi
   # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
   carpdev em0 pass Rei6thai
   # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
   carpdev em0 pass Toobohz3
   # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
   carpdev em0 pass Quahng6U
  
CARP should look like this (master);
   inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
   Ahsooqu3 advskew 0
   inet alias 172.19.224.131 255.255.255.255
   inet alias 172.19.224.41 255.255.255.255
   inet alias 172.19.224.40 255.255.255.255
   inet alias 172.19.224.181 255.255.255.255
   inet alias 172.19.224.182 255.255.255.255
  
   And (backup);
   inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
   Ahsooqu3 advskew 200
   inet alias 172.19.224.131 255.255.255.255
   inet alias 172.19.224.41 255.255.255.255
   inet alias 172.19.224.40 255.255.255.255
   inet alias 172.19.224.181 255.255.255.255
   inet alias 172.19.224.182 255.255.255.255
  
   And yes the subnet masks for the alias' should be /32 and you will see
 a
   warning in the logs during fail-over. This is fine, the devs just
 haven't
   muted the check warning yet.
  
   You've done it right if 'netstat -rn' shows;
  
   172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
   172.19.224.131/32  172.19.224.131 U  00 - 4 carp0
  
  
[root@server ~]# cat /etc/hostname.pfsync0
   up syncdev em1
  
   [root@server ~]# cat /etc/pf.conf
   ext_if=carp0
  
You don't refer to CARP as an interface, it is simply a VRRP watchdog
   interface (for example you cannot set the MTU on a CARP interface as it is
   not really an interface).
   Use the physical..
  
   ext_if=em0
  
  
  
   set fingerprints /etc/pf.os
   set optimization aggressive
   set limit states 9
  
Definitely needs to be higher! try 1 million..
  
  
set limit src-nodes 65000
  
   table bad_ip persist
   table internat_net persist file /etc/internal_net
   table admitted_net persist file /etc/admitted.txt
  
   # vip1_address = 172.19.224.181
   # vip2_address = 172.19.224.16
   vip3_address = 172.19.224.131
   # vip4_address = 172.19.224.41
   # vip5_address = 172.19.224.40
  
Just to keep you sane remember these rules;
   # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
   $external_carp_ip1' (public address as src for outbound).
   # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any
 to
   $internal_ip1' (private address as dst for inbound).
  
   [image: OpenBSD_PF_flow]
  
  
  
   # Stop processing when it is the internal networks
   pass in quick from internat_net to any
   
   # Let through the IPs from the admitted networks
   # pass in quick from admitted_net to $vip1_address
   pass in quick 

Re: carp+pfsync+relayd question

2013-11-18 Thread Leonardo Santagostini
Hello all, unfortunately I have to set up a cron entry that bounces relayd.

Here is the log that shows how relayd stopped working

Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay relay5, session 1961 (54 active), 0, 200.16.99.232 - 172.19.224.71:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1959 (40 active), 0, 201.251.221.57 - 172.19.224.72:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay relay4, session 1990 (61 active), 0, 190.189.189.171 - 172.19.224.70:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[24546]: relay exiting, pid 24546
Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1883 (43 active), 0, 190.228.28.250 - :0, buffer event timeout
Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay relay4, session 2063 (49 active), 0, 201.255.217.232 - 172.19.224.71:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[24551]: pfe exiting, pid 24551
Nov 18 18:34:55 v-arcbabalancer01 relayd[3602]: hce exiting, pid 3602
Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1964 (43 active), 0, 190.12.181.160 - 172.19.224.73:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[17688]: relay relay4, session 2080 (49 active), 0, 186.126.250.165 - 172.19.224.72:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay5, session 1891 (39 active), 0, 190.179.204.226 - :0, buffer event timeout
Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1962 (39 active), 0, 190.189.189.171 - 172.19.224.70:80, done
Nov 18 18:34:55 v-arcbabalancer01 relayd[22840]: relay exiting, pid 22840
Nov 18 18:34:55 v-arcbabalancer01 relayd[5545]: relay exiting, pid 5545
Nov 18 18:34:55 v-arcbabalancer01 relayd[1089]: relay exiting, pid 1089
Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay exiting, pid 28629
Nov 18 18:34:55 v-arcbabalancer01 relayd[857]: relay exiting, pid 857
Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay exiting, pid 27128
Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay exiting, pid 20347
Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay exiting, pid 13074
Nov 18 18:34:55 v-arcbabalancer01 relayd[7637]: relay exiting, pid 7637
Nov 18 18:34:55 v-arcbabalancer01 relayd[8449]: relay exiting, pid 8449
Nov 18 18:34:55 v-arcbabalancer01 relayd[30009]: relay exiting, pid 30009
Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay exiting, pid 13924
Nov 18 18:34:55 v-arcbabalancer01 relayd[4542]: relay exiting, pid 4542
Nov 18 18:34:55 v-arcbabalancer01 relayd[13505]: parent terminating, pid
13505
Nov 18 18:39:11 v-arcbabalancer01 puppet-agent[20912]: Finished catalog run
in 2.59 seconds
Nov 18 18:58:04 v-arcbabalancer01 relayd[9964]: startup


Best regards, yours

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello Jan, thanks for answering.

 The point was that it was booting without bsd.mp; now the box has rebooted and is showing 4
 procs =)

 For now, all is working fine. Thanks for all your support. I will keep you
 all informed of how things are going.

 Best regards

 Regards.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/18 Jan Lambertz jd.arb...@googlemail.com

 qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and
 build are you using?
 On 14.11.2013 18:47, Leonardo Santagostini lsantagost...@gmail.com
 wrote:
 
  Thanks a lot to all, I will give it a try and give you feedback as
  soon as it gets implemented.
 
  Regards.-
  Leonardo Santagostini
 
  http://ar.linkedin.com/in/santagostini
 
 
 
 
 
  2013/11/14 Andy a...@brandwatch.com
 
On 14/11/13 15:21, Leonardo Santagostini wrote:
  
   Hello misc,

   I'm doing my final approach to putting a production system with
   carp+pfsync+relayd into production.

   The point is that I'm facing some trouble setting more than one IP alias
   address with different vhids and different passwords.

   So, this is the scenario.

   I'm trying to relayd more or less 15 sites, so I have conceptual doubts.

   1) Is it necessary to create one carp interface for each of my
   internal VIP addresses?
   2) My understanding is that I have to work with pf on my carp interfaces.

   I have tried to put two different VIPs on my carp, but without luck.

   Here is the homework.
  
   [root@server ~]# uname -a
   OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
   [root@server ~]#
  
   [root@server ~]# cat /etc/hostname.em0
   inet 172.19.224.180 255.255.255.0
  
   [root@server ~]# cat /etc/hostname.em1
   inet 172.19.226.231 255.255.255.0 172.19.226.255
  
   [root@server ~]# cat /etc/hostname.carp0
   # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1
 advskew 10
   carpdev em0 pass Ahsooqu3
   inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew
 10
   carpdev em0 pass Meixo9oe
   # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3
 advskew 10
   carpdev 

Re: carp+pfsync+relayd question

2013-11-17 Thread Leonardo Santagostini
Hello everybody, I'm still having some issues with relayd.

Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1
active), 0, 190.51.90.22 - :0, buffer event timeout
Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97
(4 active), 0, 190.49.60.30 - :0, buffer event timeout
Nov 17 21:01:58 v-arcbabalancer01 relayd[4781]: relay relay4, session 142
(3 active), 0, 190.188.18.202 - :0, buffer event timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28
(1 active), 0, 181.29.46.36 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[12715]: relay relay4, session 55
(3 active), 0, 108.36.150.233 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[18695]: relay relay4, session 67
(3 active), 0, 31.221.13.210 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[13096]: relay relay5, session 73
(3 active), 0, 190.195.118.49 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[31990]: relay relay4, session 25
(1 active), 0, 186.188.178.215 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[4781]: relay relay4, session 144
(7 active), 0, 31.221.13.210 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[23317]: relay relay2, session 55
(5 active), 0, 181.109.7.31 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[22942]: relay relay4, session 93
(2 active), 0, 31.221.13.210 - :0, hard timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[13862]: relay relay4, session 80
(3 active), 0, 190.111.231.50 - :0, hard timeout
Nov 17 21:02:06 v-arcbabalancer01 relayd[19770]: relay relay4, session 92
(1 active), 0, 75.70.87.158 - :0, buffer event timeout
Nov 17 21:02:08 v-arcbabalancer01 relayd[23317]: relay relay4, session 131
(5 active), 0, 190.113.173.36 - :0, buffer event timeout
Nov 17 21:02:11 v-arcbabalancer01 relayd[10590]: relay relay4, session 103
(9 active), 0, 186.137.241.254 - :0, buffer event timeout
Nov 17 21:02:15 v-arcbabalancer01 relayd[23317]: relay relay4, session 143
(2 active), 0, 24.232.115.134 - :0, buffer event timeout
Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 101
(7 active), 0, 108.87.58.21 - :0, buffer event timeout
Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 102
(6 active), 0, 108.87.58.21 - :0, buffer event timeout
Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142
(13 active), 0, 190.195.118.49 - 172.19.224.73:80, no method
Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay4, session 114
(12 active), 0, 190.49.11.36 - :0, buffer event timeout
Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 104
(5 active), 0, 190.49.11.36 - :0, buffer event timeout
Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay4, session 120
(10 active), 0, 189.237.152.81 - :0, buffer event timeout
Nov 17 21:02:17 v-arcbabalancer01 relayd[31990]: relay relay4, session 117
(5 active), 0, 189.237.152.81 - :0, buffer event timeout
Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 144
(9 active), 0, 190.195.118.49 - 172.19.224.71:80, no method
Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 145
(9 active), 0, 190.195.118.49 - 172.19.224.70:80, no method
Nov 17 21:02:19 v-arcbabalancer01 relayd[30656]: relay relay4, session 126
(4 active), 0, 190.220.108.107 - :0, buffer event timeout
Nov 17 21:02:22 v-arcbabalancer01 relayd[19770]: relay relay4, session 103
(1 active), 0, 189.149.155.136 - :0, buffer event timeout
Nov 17 21:02:25 v-arcbabalancer01 relayd[18695]: relay relay4, session 79
(3 active), 0, 181.167.177.45 - :0, buffer event timeout
Nov 17 21:02:28 v-arcbabalancer01 relayd[12715]: relay relay4, session 109
(4 active), 0, 190.18.27.4 - :0, buffer event timeout
Nov 17 21:02:30 v-arcbabalancer01 relayd[12715]: relay relay4, session 112
(3 active), 0, 181.21.154.28 - :0, buffer event timeout

Here is my config

dmesg: http://pastebin.com/fLU8qaTd
relayd.conf: http://pastebin.com/Nn1VYRxQ
pf.conf: http://pastebin.com/HcQchkgP
/etc/hostname.carp0: http://pastebin.com/wyccT20r
/etc/hostname.em1: http://pastebin.com/MQq9nExL
/etc/sysctl.conf: http://pastebin.com/QrkwLgWN

Can anybody enlighten me?

Thank you in advance, best regards

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Hello Andy. Actually I tried flushing pf rules, tables and counters with
 no luck.

 But after restart relayd things come to work as expected.

 Thanks, Leonardo
 On Nov 14, 2013 8:15 p.m., mxb m...@alumni.chalmers.se wrote:

 No,
 it is the number of currently active sessions for this particular relay.
 E.g. 502 “users”.

 On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:

 Hi, as a complete guess (not used relayd yet, let alone DSR) a 502 sounds
 like an error return from nginx/apache etc. Could be a direct server return
 issue causing the TCP three-way handshake to not 

Re: carp+pfsync+relayd question

2013-11-17 Thread Leonardo Santagostini
Sorry, looking at the logs in more detail I found this:

/var/log/daemon
Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no
connection in flight
Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
Nov 17 18:36:12 v-arcbabalancer01 relayd[701]: relay exiting, pid 701
Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid
21358
Nov 17 18:36:12 v-arcbabalancer01 relayd[24886]: relay exiting, pid 24886
Nov 17 18:36:12 v-arcbabalancer01 relayd[21395]: relay exiting, pid 21395
Nov 17 18:36:12 v-arcbabalancer01 relayd[13155]: relay exiting, pid 13155
Nov 17 18:36:12 v-arcbabalancer01 relayd[20557]: relay exiting, pid 20557
Nov 17 18:36:12 v-arcbabalancer01 relayd[14903]: relay exiting, pid 14903
Nov 17 18:36:12 v-arcbabalancer01 relayd[10686]: relay exiting, pid 10686
Nov 17 18:36:12 v-arcbabalancer01 relayd[17355]: relay exiting, pid 17355
Nov 17 18:36:12 v-arcbabalancer01 relayd[26908]: relay exiting, pid 26908
Nov 17 18:36:12 v-arcbabalancer01 relayd[6551]: relay exiting, pid 6551
Nov 17 18:36:12 v-arcbabalancer01 relayd[16649]: relay exiting, pid 16649
Nov 17 18:36:12 v-arcbabalancer01 relayd[2567]: relay exiting, pid 2567
Nov 17 18:36:12 v-arcbabalancer01 relayd[3159]: relay exiting, pid 3159


/var/log/messages
Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no
connection in flight


Regards

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/18 Leonardo Santagostini lsantagost...@gmail.com

 Hello everybody, I'm still having some issues with relayd.

 Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75
 (1 active), 0, 190.51.90.22 - :0, buffer event timeout
 Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97
 (4 active), 0, 190.49.60.30 - :0, buffer event timeout
 Nov 17 21:01:58 v-arcbabalancer01 relayd[4781]: relay relay4, session 142
 (3 active), 0, 190.188.18.202 - :0, buffer event timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28
 (1 active), 0, 181.29.46.36 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[12715]: relay relay4, session 55
 (3 active), 0, 108.36.150.233 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[18695]: relay relay4, session 67
 (3 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13096]: relay relay5, session 73
 (3 active), 0, 190.195.118.49 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[31990]: relay relay4, session 25
 (1 active), 0, 186.188.178.215 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[4781]: relay relay4, session 144
 (7 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[23317]: relay relay2, session 55
 (5 active), 0, 181.109.7.31 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[22942]: relay relay4, session 93
 (2 active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13862]: relay relay4, session 80
 (3 active), 0, 190.111.231.50 - :0, hard timeout
 Nov 17 21:02:06 v-arcbabalancer01 relayd[19770]: relay relay4, session 92
 (1 active), 0, 75.70.87.158 - :0, buffer event timeout
 Nov 17 21:02:08 v-arcbabalancer01 relayd[23317]: relay relay4, session 131
 (5 active), 0, 190.113.173.36 - :0, buffer event timeout
 Nov 17 21:02:11 v-arcbabalancer01 relayd[10590]: relay relay4, session 103
 (9 active), 0, 186.137.241.254 - :0, buffer event timeout
 Nov 17 21:02:15 v-arcbabalancer01 relayd[23317]: relay relay4, session 143
 (2 active), 0, 24.232.115.134 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 101
 (7 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 102
 (6 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142
 (13 active), 0, 190.195.118.49 - 172.19.224.73:80, no method
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay4, session 114
 (12 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 104
 (5 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay4, session 120
 (10 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[31990]: relay relay4, session 117
 (5 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 144
 (9 active), 0, 190.195.118.49 - 172.19.224.71:80, no method
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 145
 (9 active), 0, 190.195.118.49 - 172.19.224.70:80, no method
 Nov 17 
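A small monitor for the relayd log lines pasted in this thread, added here as an example (it is not code from the thread or from relayd). It parses the session-close and process-lifecycle lines in the format shown, counts how each session ended per relay, and flags a crash from the "fatal:" and "parent terminating" messages so a watchdog can alert on the real event instead of blindly bouncing relayd from cron. The sample log is constructed from this thread's output; the archive dropped the ">" from "->", so both spellings are accepted, and the numeric field after the active count is assumed to be the session mark.

```python
import re
from collections import Counter, defaultdict

# Session close line, e.g.
#   relayd[4252]: relay relay4, session 75 (1 active), 0, 190.51.90.22 -> :0, buffer event timeout
# '->?' accepts both '->' and the bare '-' left by the mailing-list archive.
# The field after the active count is assumed to be the session mark.
SESSION_RE = re.compile(
    r"relayd\[(?P<pid>\d+)\]: relay (?P<relay>\S+), session (?P<sid>\d+) "
    r"\((?P<active>\d+) active\), (?P<mark>\d+), "
    r"(?P<client>\S+) ->? (?P<backend>\S+), (?P<status>.+)$"
)

# Process lifecycle lines: fatal errors, child/parent exits and startup.
PROC_RE = re.compile(
    r"relayd\[(?P<pid>\d+)\]: (?:fatal: (?P<fatal>.+)"
    r"|(?P<child>relay|pfe|hce) exiting, pid \d+"
    r"|(?P<parent>parent terminating), pid \d+"
    r"|(?P<startup>startup))$"
)

# Constructed sample, assembled from the lines posted in this thread.
SAMPLE_LOG = """\
Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight
Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid 21358
Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1 active), 0, 190.51.90.22 -> :0, buffer event timeout
Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28 (1 active), 0, 181.29.46.36 -> :0, hard timeout
Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142 (13 active), 0, 190.195.118.49 -> 172.19.224.73:80, no method
Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay relay5, session 1961 (54 active), 0, 200.16.99.232 - 172.19.224.71:80, done
Nov 18 18:58:04 v-arcbabalancer01 relayd[9964]: startup
"""


def parse_line(line):
    """Classify one syslog line as ('session', fields), ('process', fields) or (None, None)."""
    m = SESSION_RE.search(line)
    if m:
        d = m.groupdict()
        for k in ("pid", "sid", "active", "mark"):
            d[k] = int(d[k])
        return "session", d
    m = PROC_RE.search(line)
    if m:
        return "process", m.groupdict()
    return None, None


def summarise(log_text):
    """Aggregate session outcomes per relay and collect crash indicators."""
    outcomes = defaultdict(Counter)   # relay -> close status -> count
    no_backend = Counter()            # sessions that ended before a backend was picked (':0')
    fatal, children_exited = [], 0
    parent_terminated, startups = False, 0
    for line in log_text.splitlines():
        kind, d = parse_line(line)
        if kind == "session":
            outcomes[d["relay"]][d["status"]] += 1
            if d["backend"] == ":0":
                no_backend[d["relay"]] += 1
        elif kind == "process":
            if d["fatal"]:
                fatal.append(d["fatal"])
            elif d["child"]:
                children_exited += 1
            elif d["parent"]:
                parent_terminated = True
            elif d["startup"]:
                startups += 1
    return {
        "outcomes": {r: dict(c) for r, c in outcomes.items()},
        "no_backend": dict(no_backend),
        "fatal": fatal,
        "children_exited": children_exited,
        "parent_terminated": parent_terminated,
        "startups": startups,
    }


def crashed(summary):
    """True when relayd logged a fatal error or its parent process terminated."""
    return bool(summary["fatal"]) or summary["parent_terminated"]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for relay, statuses in sorted(s["outcomes"].items()):
        print(relay, statuses, "closed with no backend:", s["no_backend"].get(relay, 0))
    print("crashed:", crashed(s), "fatal:", s["fatal"])
```

Feeding it the tail of /var/log/daemon from a cron job and alerting when crashed() is true gives the "when" and "why" the thread was missing, rather than a silent restart.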

carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Hello misc,

I'm doing my final approach to putting a production system with
carp+pfsync+relayd into production.

The point is that I'm facing some trouble setting more than one IP alias
address with different vhids and different passwords.

So, this is the scenario.

I'm trying to relayd more or less 15 sites, so I have conceptual doubts.

1) Is it necessary to create one carp interface for each of my
internal VIP addresses?
2) My understanding is that I have to work with pf on my carp interfaces.

I have tried to put two different VIPs on my carp, but without luck.

Here is the homework.

[root@server ~]# uname -a
OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
[root@server ~]#

[root@server ~]# cat /etc/hostname.em0
inet 172.19.224.180 255.255.255.0

[root@server ~]# cat /etc/hostname.em1
inet 172.19.226.231 255.255.255.0 172.19.226.255

[root@server ~]# cat /etc/hostname.carp0
# inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
carpdev em0 pass Ahsooqu3
inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
carpdev em0 pass Meixo9oe
# inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
carpdev em0 pass av5eG9Gi
# inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
carpdev em0 pass Rei6thai
# inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
carpdev em0 pass Toobohz3
# inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10
carpdev em0 pass Quahng6U

[root@server ~]# cat /etc/hostname.pfsync0
up syncdev em1

[root@server ~]# cat /etc/pf.conf
ext_if=carp0

set fingerprints /etc/pf.os
set optimization aggressive
set limit states 9
set limit src-nodes 65000

table <bad_ip> persist
table <internat_net> persist file "/etc/internal_net"
table <admitted_net> persist file "/etc/admitted.txt"

# vip1_address = 172.19.224.181
# vip2_address = 172.19.224.16
vip3_address = 172.19.224.131
# vip4_address = 172.19.224.41
# vip5_address = 172.19.224.40

# Stop processing when it is the internal networks
pass in quick from <internat_net> to any

# Let IPs from the allowed networks through
# pass in quick from <admitted_net> to $vip1_address
pass in quick from <admitted_net> to $vip3_address

# Generate the block
block in quick from <bad_ip>
block in log quick on $ext_if proto tcp from any os NMAP to any label "ExtNMAPScan"

# Protection against nmap and similar tools
# block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed


# Apply DoS and SYN flood rules on site1
# pass in log on $mob_if proto tcp to $vip1_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)


# Apply DoS and SYN flood rules on site2
# pass in on $ext_if proto tcp to $vip2_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)

# Apply rules for site3
pass in on $ext_if proto tcp to $vip3_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)

# Apply DoS and SYN flood rules on site4
# pass in on $ext_if proto tcp to $vip4_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)

# Apply DoS and SYN flood rules on site5
# pass in on $ext_if proto tcp to $vip5_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)

# Anchor for relayd
anchor "relayd/*"


[root@server ~]# cat /etc/relayd.conf
# Load balancing configuration file

## Global options
interval 5
timeout 500
prefork 15
log all

## VIP addresses
# address1=172.19.224.16
# address2=172.19.224.181
address3=172.19.224.131
# address4=172.19.224.41
# address5=172.19.224.40

## Server addresses
wsapp1=172.19.224.200
wsapp2=172.19.224.201
webcache01=172.19.224.70
webcache02=172.19.224.71
webcache03=172.19.224.72
webcache04=172.19.224.73

## Table definitions
table <mobileweb> { $wsapp1 $wsapp2 }
table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
table <webcaches1> { $webcache01 }

## Protocol definitions (filters)

http protocol "httpSite1" {

header change "Connection" to "close"
header append "$REMOTE_ADDR" to "X-Forwarded-For"
cookie hash "sessid"

}

http protocol "httpSite2" {

header change "Connection" to "close"
header append "$REMOTE_ADDR" to "X-Forwarded-For"
cookie hash "sessid"

}

http protocol "httpSite3" {

header change "Connection" to "close"

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
15 sites and only 9?
I’d put around 50 (and have). You might need even more.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 set limit states 9



Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
Put all of those into the same “relay { }” as they are going to the same
forward table.

relay {
listen on addr1 port 80
listen on addr2 port 80
etc….

}

or you’ll end up doing “check http” several times.

and I’d do just simple “check tcp” - faster.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 relay "site2" {
 listen on $address3 port 80
 protocol "httpSite2"
 forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
 }

 #relay "site3" {
 #listen on $address1 port 80
 #protocol "httpSite3"
 #forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
 #}

 #relay "site4" {
 #listen on $address4 port 80
 #protocol "httpSite4"
 #forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
 #}

 #relay "site5" {
 #listen on $address5 port 80
 #protocol "httpSite5"
 #forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
 #}



Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
OK, I will modify the config. But I really want to know about the carp
configuration.

I forgot to mention that I'm doing DSR.

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 mxb m...@alumni.chalmers.se

 15 sites and only 9?
 I’d put around 50 (and have). You might need even more.

 On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
 wrote:

 set limit states 9



Re: carp+pfsync+relayd question

2013-11-14 Thread Andy
On 14/11/13 15:21, Leonardo Santagostini wrote:
 Hello misc,

 I'm doing my final approach to putting a production system with
 carp+pfsync+relayd into production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhids and different passwords.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites, so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10
 carpdev em0 pass Quahng6U
CARP should look like this (master);
inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass 
Ahsooqu3 advskew 0
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255
inet alias 172.19.224.40 255.255.255.255
inet alias 172.19.224.181 255.255.255.255
inet alias 172.19.224.182 255.255.255.255

And (backup);
inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass 
Ahsooqu3 advskew 200
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255
inet alias 172.19.224.40 255.255.255.255
inet alias 172.19.224.181 255.255.255.255
inet alias 172.19.224.182 255.255.255.255

And yes the subnet masks for the aliases should be /32 and you will see a 
warning in the logs during fail-over. This is fine, the devs just 
haven't muted the check warning yet.

You've done it right if 'netstat -rn' shows;

172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
172.19.224.131/32  172.19.224.131 U  00 - 4 carp0

 [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0
You don't refer to CARP as an interface, it is simply a VRRP watchdog 
interface (for example you cannot set the MTU on a CARP interface as it 
is not really an interface).
Use the physical..

ext_if=em0



 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9
Definitely needs to be higher! try 1 million..

 set limit src-nodes 65000

 table bad_ip persist
 table <internat_net> persist file "/etc/internal_net"
 table <admitted_net> persist file "/etc/admitted.txt"

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40
Just to keep you sane remember these rules;
# (SNAT) NATing is done before filtering, 'pass out on $if_ext from 
$external_carp_ip1' (public address as src for outbound).
# (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any 
to $internal_ip1' (private address as dst for inbound).

[image: OpenBSD_PF_flow]


 # Stop processing when it is the internal networks
 pass in quick from <internat_net> to any

 # Let IPs from the allowed networks through
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to $vip3_address

 # Generate the block
 block in quick from <bad_ip>
Your 'block in quick's should be above your 'pass in quick's!
quick means stop evaluating and do this action now..

 block in log quick on $ext_if proto tcp from any os NMAP to any label "ExtNMAPScan"

 # Protection against nmap and similar tools
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
 block in quick on $ext_if proto tcp flags /WEUAPRSF
 block in quick on $ext_if proto tcp flags SR/SR
 block in quick on $ext_if proto tcp flags SF/SF
 block in quick from urpf-failed


 # Apply DoS and SYN flood rules on site1
 # pass in log on $mob_if proto tcp to $vip1_address port www keep state (sloppy, max 1, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
Be careful, Direct 
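Andy's point about rule order and "quick", as a small added evaluator (not pf code and not from the thread): pf scans rules top to bottom and the last match wins, except that a matching "quick" rule decides immediately. The rule set mirrors the posted pf.conf ordering against Andy's reordering; the table contents and client addresses are constructed from documentation ranges, including one host that sits in both <admitted_net> and <bad_ip>.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VIP3 = "172.19.224.131"

# Constructed table contents (RFC 5737 documentation ranges). 203.0.113.7 is an
# admitted host that has also been added to <bad_ip>, e.g. by a blocklist feed.
TABLES = {
    "internat_net": [ip_network("172.19.0.0/16")],
    "admitted_net": [ip_network("203.0.113.0/24")],
    "bad_ip": [ip_network("203.0.113.7/32"), ip_network("198.51.100.0/24")],
}


@dataclass
class Rule:
    action: str               # "pass" or "block"
    quick: bool = False       # stop evaluating as soon as this rule matches
    src: str = "any"          # pf table name or "any"
    dst: str = "any"          # destination IP literal or "any"
    dport: Optional[int] = None


def in_table(addr, table):
    a = ip_address(addr)
    return any(a in net for net in TABLES[table])


def matches(rule, pkt):
    if rule.src != "any" and not in_table(pkt["src"], rule.src):
        return False
    if rule.dst != "any" and pkt["dst"] != rule.dst:
        return False
    if rule.dport is not None and pkt["dport"] != rule.dport:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of deciding rule). pf passes by default when nothing matches."""
    decision = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            if rule.quick:
                return (rule.action, i)
            decision = (rule.action, i)   # last match wins unless a quick rule fires
    return decision


# Ordering as posted: the 'pass in quick' rules sit above 'block in quick from <bad_ip>'.
POSTED = [
    Rule("pass", quick=True, src="internat_net"),
    Rule("pass", quick=True, src="admitted_net", dst=VIP3),
    Rule("block", quick=True, src="bad_ip"),
    Rule("pass", dst=VIP3, dport=80),          # the non-quick 'pass in ... port www' rule
]

# Andy's reordering: blocks first, then the quick passes.
REORDERED = [POSTED[2], POSTED[0], POSTED[1], POSTED[3]]


def compare(pkt):
    """(posted verdict, reordered verdict) for one inbound packet."""
    return evaluate(POSTED, pkt)[0], evaluate(REORDERED, pkt)[0]


if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9", "192.0.2.5"):
        pkt = {"src": src, "dst": VIP3, "dport": 80}
        print(src, "-> posted:", compare(pkt)[0], "reordered:", compare(pkt)[1])
```

With the posted order, a listed host that is also in the admitted table is let through by the earlier quick pass and never reaches the block; the evaluator also shows that, with no default block rule, traffic to a port no rule mentions passes by pf's default.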

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Thanks a lot to all, I will give it a try and give you feedback as
soon as it gets implemented.

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 I'm doing my final approach to putting a production system with
 carp+pfsync+relayd into production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhids and different passwords.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites, so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10
 carpdev em0 pass Quahng6U

  CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the aliases should be /32 and you will see a
 warning in the logs during fail-over. This is fine, the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131 127.0.0.1  UGHS   00 33152 8
 lo0
 172.19.224.131/32  172.19.224.131 U  00 - 4
 carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface, it is simply a VRRP watchdog
 interface (for example you cannot set the MTU on a CARP interface as it is
 not really an interface).
 Use the physical..

 ext_if=em0



 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! try 1 million..


  set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file "/etc/internal_net"
 table <admitted_net> persist file "/etc/admitted.txt"

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to
 $internal_ip1' (private address as dst for inbound).

 [image: OpenBSD_PF_flow]



 # Stop processing when it is the internal networks
 pass in quick from <internat_net> to any

 # Let IPs from the allowed networks through
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to $vip3_address

 # Generate the block
 block in quick from <bad_ip>

  Your 'block in quick's should be above your 'pass in quick's!
 quick means stop evaluating and do this action now..


  block in log quick on $ext_if proto tcp from any os NMAP to any label "ExtNMAPScan"

 # Protection against nmap and similar tools
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
 block in quick on $ext_if proto tcp flags /WEUAPRSF
 block in quick on $ext_if proto tcp flags SR/SR
 block in quick on $ext_if proto tcp flags SF/SF
 block in quick from urpf-failed


 # Apply DoS and SYN flood rules on site1
 # pass in log on $mob_if proto tcp to $vip1_address port www keep state
 

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
OK, I just added my second website to both servers as you recommended.

I will post my config before the end of the day just to share it with you.

Thank you so much !!!

Regards

Regards.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Regards.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 I'm doing my final approach to putting a production system with
 carp+pfsync+relayd into production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhids and different passwords.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites, so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10 carpdev em0 pass Quahng6U

  CARP should look like this (master):
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes, the subnet masks for the aliases should be /32, and you will see a
 warning in the logs during fail-over. This is fine; the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows:

 172.19.224.131     127.0.0.1        UGHS       0        0 33152     8 lo0
 172.19.224.131/32  172.19.224.131   U          0        0     -     4 carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface; it is simply a VRRP watchdog
 interface (for example, you cannot set the MTU on a CARP interface, as it is
 not really an interface). Use the physical one:

 ext_if=em0


  set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! Try 1 million.


  set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file /etc/internal_net
 table <admitted_net> persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane, remember these rules:
 # (SNAT) NATing is done before filtering: 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering: 'pass in on $if_ext from any to
 $internal_ip1' (private address as dst for inbound).

 [image: OpenBSD_PF_flow]


  # Stop processing when it comes to the internal networks
 pass in quick from <internat_net> to any

 # Let through the IPs from the allowed networks
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to $vip3_address

 # Generate the block
 block in quick from <bad_ip>

  Your 'block in quick' rules should be above your 'pass in quick' rules!
 'quick' means stop evaluating and do this action now.


  block in log quick on $ext_if proto tcp from any os NMAP to any label ExtNMAPScan

 # Protection against nmap and similar tools
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp 
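The hostname.carp0 layout Andy recommends above (one primary address carrying vhid, carpdev and pass; every further address an 'inet alias' with a 255.255.255.255 mask and nothing else) can be checked mechanically before a file is deployed. The following lint is an added example, not code from the thread or from OpenBSD; the two sample files are constructed from the thread's addresses with the passwords replaced by a placeholder, and the check only understands 'inet' and 'inet alias' lines (other hostname.if directives are skipped).

```python
"""Lint an OpenBSD hostname.carpN file for the layout Andy recommends.

Added example, not from the thread: one primary 'inet' address carries the
vhid, carpdev and pass; every further address is an 'inet alias' with a
255.255.255.255 mask and nothing else.  Sample files below are constructed
from the thread's addresses, with placeholder passwords.
"""
import shlex

HOST_MASK = "255.255.255.255"


def lint_carp_hostname(text):
    """Return a list of problem strings; an empty list means the file is laid out as recommended."""
    problems, primaries = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored, as hostname.if does
        words = shlex.split(line)
        if words[0] != "inet":
            continue                      # 'up', '!command' and friends are out of scope here
        if len(words) < 2:
            problems.append(f"line {lineno}: bare 'inet' with no address")
            continue
        if words[1] == "alias":
            addr = words[2] if len(words) > 2 else "?"
            mask = words[3] if len(words) > 3 else "?"
            if mask != HOST_MASK:
                problems.append(f"line {lineno}: alias {addr} should use mask {HOST_MASK}, not {mask}")
            for extra in ("vhid", "carpdev", "pass"):
                if extra in words:
                    problems.append(f"line {lineno}: alias {addr} carries '{extra}'; only the primary address should")
        else:
            primaries += 1
            for needed in ("vhid", "carpdev", "pass"):
                if needed not in words:
                    problems.append(f"line {lineno}: primary address {words[1]} lacks '{needed}'")
    if primaries != 1:
        problems.append(f"expected exactly one primary inet line, found {primaries}")
    return problems


# Constructed: the shape of the file as posted (only vhid 2 active, an alias with a /24 mask
# and its own vhid/pass), with the passwords replaced by a placeholder.
AS_POSTED = """\
# inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass PLACEHOLDER
inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass PLACEHOLDER
"""

# Constructed: the master layout Andy suggests, again with a placeholder password.
AS_RECOMMENDED = """\
inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass PLACEHOLDER advskew 0
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255
inet alias 172.19.224.40 255.255.255.255
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("as recommended", AS_RECOMMENDED)):
        print(f"{name}: {lint_carp_hostname(text) or 'OK'}")
```

Run against the posted shape it reports the /24 mask, the vhid/carpdev/pass on the alias and the missing primary address; against the recommended layout it reports nothing.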
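Andy's rule-ordering point (the 'block in quick from <bad_ip>' rule must sit above the 'pass in quick' rules, because 'quick' stops evaluation at the first match) is easy to see with a small model of pf's evaluation. The following is an added example, not code from the thread or from pf: it implements only the two properties the point depends on, last-matching-rule-wins and 'quick' short-circuiting, with pf's default of pass when nothing matches. The table names are the thread's; their contents and the test addresses are constructed.

```python
"""pf-style rule evaluation: why 'block in quick' must come before 'pass in quick'.

Added example, not from the thread.  It models only the two pf properties the
point relies on: the LAST matching rule decides, except that a rule marked
'quick' ends evaluation immediately.  Tables and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str = "any"            # "any", a table name such as "<bad_ip>", or an address/CIDR
    dst: str = "any"
    quick: bool = False


def _member(addr, spec, tables):
    """True if addr is covered by spec: 'any', a table name, or an address/CIDR."""
    if spec == "any":
        return True
    nets = tables[spec] if spec in tables else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, tables, src, dst, default="pass"):
    """Return (action, index of the deciding rule) for an inbound packet src -> dst."""
    decision, idx = default, None
    for i, rule in enumerate(rules):
        if _member(src, rule.src, tables) and _member(dst, rule.dst, tables):
            decision, idx = rule.action, i      # a later match overrides an earlier one ...
            if rule.quick:
                break                           # ... unless the match is 'quick'
    return decision, idx


# Constructed table contents: documentation ranges, one "bad" host inside each allowed set.
TABLES = {
    "<internat_net>": ["172.19.0.0/16"],
    "<admitted_net>": ["203.0.113.0/24"],
    "<bad_ip>": ["203.0.113.66", "172.19.224.9"],
}
VIP3 = "172.19.224.131"

# Ordering as posted: the pass quick rules first, the block quick rule last.
AS_POSTED = [
    Rule("pass", "<internat_net>", "any", quick=True),
    Rule("pass", "<admitted_net>", VIP3, quick=True),
    Rule("block", "<bad_ip>", "any", quick=True),
]
# Ordering Andy suggests: the block quick rule first.
AS_SUGGESTED = [
    Rule("block", "<bad_ip>", "any", quick=True),
    Rule("pass", "<internat_net>", "any", quick=True),
    Rule("pass", "<admitted_net>", VIP3, quick=True),
]


def compare(src, dst=VIP3):
    """Decision for one source address under both orderings."""
    return {
        "as_posted": evaluate(AS_POSTED, TABLES, src, dst)[0],
        "as_suggested": evaluate(AS_SUGGESTED, TABLES, src, dst)[0],
    }


if __name__ == "__main__":
    for src in ("203.0.113.66", "172.19.224.9", "203.0.113.10", "198.51.100.7"):
        print(src, compare(src))
```

A source that is in both an allowed table and <bad_ip> is passed under the posted ordering and blocked under the suggested one; sources in only one table, or in none, are decided the same way either way.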

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Well well well, there is one thing occurring that I can't figure out.

I'm getting some "relay site3 session 3370 (502 active), 0, 190.179.249.128
- :0, buffer event timeout"

And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted.

Is there any clue where to look?

Thanks in advance


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Ok, I just added my second website to both servers as you recommended.

 I will post my config before the end of the day just to share it with you.

 Thank you so much !!!

 Regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini






Re: carp+pfsync+relayd question

2013-11-14 Thread Andy Lemin
Hi, as a complete guess (I have not used relayd yet, let alone DSR), a 502 sounds
like an error return from nginx/apache etc. It could be a direct server return
issue causing the TCP three-way handshake to not complete properly between the
endpoints, even though a 502 is usually a server-side issue. I'd try removing
the 'in' or 'out' direction from the rules.

Otherwise I'd suggest investigating some more and post a new question to
misc.

Good luck.
Andy

Sent from my iPhone

 On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Well well well, there is one thing occurring that I can't figure out.

 I'm getting some "relay site3 session 3370 (502 active), 0, 190.179.249.128 -
:0, buffer event timeout"

 And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted.

 Is there any clue where to look?

 Thanks in advance


 Saludos.-
 Leonardo Santagostini








Re: carp+pfsync+relayd question

2013-11-14 Thread Andy Lemin
In fact, thinking about it, I think that is a relayd issue somewhere and not pf
at all.

Sent from my iPhone

 On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Well well well, there is one thing occurring that I can't figure out.

 I'm getting some "relay site3 session 3370 (502 active), 0, 190.179.249.128 -
:0, buffer event timeout"

 And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted.

 Is there any clue where to look?

 Thanks in advance


 Saludos.-
 Leonardo Santagostini








Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Ok, I'm not at the office now. But tomorrow we could do more tests.

Regards and thank you !!!
On Nov 14, 2013 8:01 p.m., Andy Lemin a...@brandwatch.com wrote:

 In fact, thinking about it, I think that is a relayd issue somewhere and
 not pf at all.

 Sent from my iPhone


Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
No,
it is the number of currently active sessions for this particular relay.
E.g. 502 "users".

On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:

 Hi, as a complete guess (I have not used relayd yet, let alone DSR), a 502
 sounds like an error return from nginx/apache etc. It could be a direct server
 return issue causing the TCP three-way handshake to not complete properly
 between the endpoints, even though a 502 is usually a server-side issue. I'd
 try removing the 'in' or 'out' direction from the rules.
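mxb's reading of the log line ('502' is the '(N active)' session count, not an HTTP status) is worth baking into whatever watches the relayd log, together with the 'exiting, pid' lines that mark the restarts Leonardo sees. The parser below is an added example, not code from the thread or from relayd: it follows the line shape relayd logs in the thread ('relay NAME, session N (M active), CODE, SRC -> DST, STATUS' and 'PROCESS exiting, pid P'), accepts the arrow as '->' (as relayd writes it) or '-' (as the list archive renders it), and the sample lines are constructed with documentation addresses and made-up pids.

```python
"""Summarise relayd session log lines and flag process exits.

Added example, not from the thread or from relayd itself.  It follows the
line shape relayd logs in the thread ('relay NAME, session N (M active),
CODE, SRC -> DST, STATUS' and 'PROCESS exiting, pid P'); the arrow is
accepted as '->' (as relayd writes it) or as '-' (as the list archive
renders it).  The sample lines are constructed with documentation addresses.
"""
import re
from collections import Counter

SESSION_RE = re.compile(
    r"relayd\[(?P<pid>\d+)\]: relay (?P<relay>[^,\s]+),? session (?P<session>\d+) "
    r"\((?P<active>\d+) active\), (?P<code>\d+), (?P<src>\S+) -(?:>)? (?P<dst>\S+), (?P<status>.+)$"
)
EXIT_RE = re.compile(r"relayd\[(?P<pid>\d+)\]: (?P<proc>\w+) exiting, pid (?P<exitpid>\d+)")


def parse_line(line):
    """Return a dict for a session or exit line, or None for anything else."""
    m = SESSION_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "session"
        for key in ("pid", "session", "active", "code"):
            rec[key] = int(rec[key])
        return rec
    m = EXIT_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "exit"
        rec["pid"], rec["exitpid"] = int(rec["pid"]), int(rec["exitpid"])
        return rec
    return None


def summarize(lines):
    """Peak '(N active)' per relay, a count of session end statuses, and the exits seen."""
    peak_active = {}          # relay name -> highest concurrent-session figure logged
    statuses = Counter()      # e.g. 'done', 'buffer event timeout'
    exits = []                # (process, pid) in log order; any entry means relayd went down
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "session":
            peak_active[rec["relay"]] = max(peak_active.get(rec["relay"], 0), rec["active"])
            statuses[rec["status"]] += 1
        else:
            exits.append((rec["proc"], rec["exitpid"]))
    return {"peak_active": peak_active, "statuses": dict(statuses), "exits": exits}


# Constructed sample in the thread's format (RFC 5737 addresses, made-up pids).
SAMPLE_LOG = """\
Nov 14 19:30:01 lb01 relayd[20347]: relay site3, session 3370 (502 active), 0, 198.51.100.10 -> 10.0.0.71:80, done
Nov 14 19:30:02 lb01 relayd[13924]: relay site3, session 3371 (502 active), 0, 198.51.100.11 -> :0, buffer event timeout
Nov 14 19:30:02 lb01 relayd[28629]: relay site2, session 1891 (39 active), 0, 198.51.100.12 - :0, buffer event timeout
Nov 14 19:30:03 lb01 relayd[24546]: relay exiting, pid 24546
Nov 14 19:30:03 lb01 relayd[24551]: pfe exiting, pid 24551
Nov 14 19:30:03 lb01 relayd[3602]: hce exiting, pid 3602
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(report)
    if report["exits"]:
        print("relayd processes exited; check what restarted it:", report["exits"])
```

The '(N active)' figure is a per-relay concurrency gauge, so the summary keeps its peak; the 'exiting' lines are the thing to alert on, since a relayd that is bounced by cron leaves exactly this pattern of relay, pfe and hce exits in the log.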



Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Hello Andy. Actually I tried flushing pf rules, tables and counters with
no luck.

But after restarting relayd, things came to work as expected.

Thanks, Leonardo
On Nov 14, 2013 8:15 p.m., mxb m...@alumni.chalmers.se wrote:

 No,
 it is the number of currently active sessions for this particular relay.
 E.g. 502 "users".
