RE: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Holger Bauer
Check the switches you use at LAN. I think there were some strange errors 
reported previously with some specific switches where it looked like the 
keepalive broadcasts were lost somewhere and the backup machine didn't see the 
master anymore. Are the switches used at WAN and LAN the same model and vendor?

Holger

-Original Message-
From: Alastair Stevens [mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 12:44 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP - battle of the firewalls


Hi again

We're gradually getting closer to our desired setup: 2 pfSense boxes with CARP 
failover, each with multiple LAN interfaces and load-balanced dual WANs.  This 
is obviously quite a complex setup, and getting it all working at once seems 
elusive - but we're almost there!

At the moment, the biggest problem is still CARP.  When firewall B is brought 
up, it tries to become master for both LAN interfaces, whilst remaining 
backup for the WANS.  This is at the same time that firewall A is master 
for everything, as it should be.  So the CARP failover just isn't working - the 
machines seem to be fighting each other to become master, which breaks things.

I have checked the settings, and consulted the list, multiple times, but can't 
get to the bottom of this.  Any more ideas on why CARP is behaving so 
erratically?

The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested by Scott 
earlier, and they have a dedicated crossover link for the pfsync traffic.

Regards
Alastair



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Alastair Stevens wrote:


Hi again

We're gradually getting closer to our desired setup: 2 pfSense boxes 
with CARP failover, each with multiple LAN interfaces and 
load-balanced dual WANs.  This is obviously quite a complex setup, and 
getting it all working at once seems elusive - but we're almost there!


At the moment, the biggest problem is still CARP.  When firewall B is 
brought up, it tries to become master for both LAN interfaces, 
whilst remaining backup for the WANS.  This is at the same time that 
firewall A is master for everything, as it should be.  So the CARP 
failover just isn't working - the machines seem to be fighting each 
other to become master, which breaks things.


I have checked the settings, and consulted the list, multiple times, 
but can't get to the bottom of this.  Any more ideas on why CARP is 
behaving so erratically?


The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested 
by Scott earlier, and they have a dedicated crossover link for the 
pfsync traffic.


Regards
Alastair

I have an almost identical setup, except I'm not CARPing my WAN2, only 
WAN and LAN. When firewall A reboots, many times it will only get one of 
the CARPs. When I reboot B, that clears it up for me. However, I have 
only rarely experienced a problem with B taking over upon boot-up.






Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Bill Marquette

Spanning tree port lockout will nail you pretty hard with CARP.  Make
sure your switch ports (if managed switches) are in port fast.  Also,
make sure that you haven't inadvertently turned on port security and
limited the port to a single MAC (each CARP VHID uses a MAC along with
the physical interface's MAC).

--Bill

On 7/14/06, Royce Mitchell III [EMAIL PROTECTED] wrote:

I have an almost identical setup, except I'm not CARPing my WAN2, only
WAN and LAN. When firewall A reboots, many times it will only get one of
the CARPs. When I reboot B, that clears it up for me. However, I have
only rarely experienced a problem with B taking over upon boot-up.









[pfSense Support] load balancer

2006-07-14 Thread Tunge2
hello,
We installed the load balancer on our pfSense RELENG_1_SNAPSHOT-07-09-2006 machine. The load balancer seems to work great for web traffic (if we shut down the WAN connection, OPT takes it over nicely :) that's a fantastic function, keep up the great work). But if I try to build up any SSH or telnet connection, to an internal or an external host, it fails. The log files are not showing anything useful.

Greetings


Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Bill Marquette wrote:


Spanning tree port lockout will nail you pretty hard with CARP.  Make
sure your switch ports (if managed switches) are in port fast.  Also,
make sure that you haven't inadvertently turned on port security and
limited the port to a single MAC (each CARP VHID uses a MAC along with
the physical interface's MAC).


When this happens, I do not have two masters for any single CARP IP, so 
that would seem to indicate they do see each other at least somewhat. 
Also, these are not managed switches, and the sync interface is a 
cross-over cable between the two dedicated sync interfaces, no 
intermediate hardware involved.


I just double-checked and the VHIDs are different for each CARP IP and 
the advertising freqs are 0's on router A and 100's on router B.


After thinking about what you said, I decided to go and double-check 
what was plugged in where, and I think I found the problem.


The WAN should be ok: both routers' wan interfaces are plugged into a 
3Com SuperStack DS Hub 500 24 port 3c16611, and the only other thing 
plugged into this device is the cable for the packets to be sent out 
through ( it actually goes through another switch before getting to the 
modem, but I don't see a problem there ).


The LAN side is where I think I discovered the problem. Router A is 
plugged into my main LAN switch, a D-Link DGS-1024D, however router B 
isn't plugged directly into that, but a secondary switch, an AOpen 
AOW-605M, which is then plugged into the D-Link. Your statement above of 
port fast leads me to believe that the interfaces need to be able to 
see each other's packets in a more-timely-than-usual manner. I will move 
both LAN cables onto the same router and then report if the problem goes 
away. Since I have all unmanaged switches ( well, I actually have one 
managed on the LAN, but we've never cracked it open, and it wouldn't 
ever see any of the packets in question ), would it be advisable to give 
each CARP interface a dedicated switch, or is it safe, for example, to 
hook both LAN interfaces to the aforementioned D-Link, which is a 
24-port gigabit unmanaged switch which all my servers are plugged into?


Thanks for your help!

Royce Mitchell III


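Bill's two switch-side checks and the VHID/advskew check Royce describes can be scripted. The following is an added example written for this page, not code from the thread or from pfSense; the node names, interfaces, addresses and physical MACs are constructed, and the only facts it relies on are that CARP advertises from the virtual MAC 00:00:5e:00:01:<vhid> and that the node with the lower advskew (the shorter advertisement interval) wins the election for that VHID.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CarpVip:
    """One CARP virtual IP as configured on one node (constructed sample data)."""
    node: str           # firewall that carries this entry, e.g. "A" or "B"
    iface: str          # parent interface the VIP sits on, e.g. "em1"
    vhid: int           # virtual host ID; must be the same on both nodes for one VIP
    ip: str
    advbase: int = 1    # seconds between advertisements
    advskew: int = 0    # extra delay in 1/256 s: 0 on the intended master, 100 on the backup


def carp_mac(vhid: int) -> str:
    """CARP advertises from the VRRP virtual MAC range 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return "00:00:5e:00:01:%02x" % vhid


def adv_interval(vip: CarpVip) -> float:
    """Advertisement interval in seconds; the node advertising fastest wins."""
    return vip.advbase + vip.advskew / 256.0


def port_macs(vips: Iterable[CarpVip], node: str, iface: str, phys_mac: str) -> Set[str]:
    """Every source MAC the switch port facing node/iface has to accept."""
    macs = {phys_mac.lower()}
    macs.update(carp_mac(v.vhid) for v in vips if v.node == node and v.iface == iface)
    return macs


def predict_masters(vips: Iterable[CarpVip]) -> Dict[int, Optional[str]]:
    """Map each VHID to the node expected to hold MASTER, or None on a tie."""
    groups: Dict[int, List[CarpVip]] = defaultdict(list)
    for v in vips:
        groups[v.vhid].append(v)
    result: Dict[int, Optional[str]] = {}
    for vhid, members in groups.items():
        members.sort(key=adv_interval)
        if len(members) > 1 and adv_interval(members[0]) == adv_interval(members[1]):
            result[vhid] = None     # equal skew: neither node yields, both claim master
        else:
            result[vhid] = members[0].node
    return result


def check(vips: List[CarpVip], phys_macs: Dict[Tuple[str, str], str],
          port_mac_limit: Optional[int] = None) -> List[str]:
    """Flag the misconfigurations discussed in the thread; an empty list means clean."""
    findings: List[str] = []
    ips_by_vhid: Dict[int, Set[str]] = defaultdict(set)
    for v in vips:
        ips_by_vhid[v.vhid].add(v.ip)
    for vhid, ips in sorted(ips_by_vhid.items()):
        if len(ips) > 1:
            findings.append("VHID %d is used for different addresses %s" % (vhid, sorted(ips)))
    for vhid, master in sorted(predict_masters(vips).items()):
        if master is None:
            findings.append("VHID %d: equal advskew on both nodes, election will flap" % vhid)
    for (node, iface), mac in sorted(phys_macs.items()):
        needed = len(port_macs(vips, node, iface, mac))
        if port_mac_limit is not None and needed > port_mac_limit:
            findings.append("%s/%s: port must learn %d MACs, port-security allows %d"
                            % (node, iface, needed, port_mac_limit))
    return findings


# Constructed sample modelled on the thread: A is meant to be master everywhere
# (advskew 0) and B backup (advskew 100).  B's entry for VHID 3 was copied
# without raising the skew, so both nodes fight over it.
SAMPLE = [
    CarpVip("A", "em0", 1, "203.0.113.10"),
    CarpVip("B", "em0", 1, "203.0.113.10", advskew=100),
    CarpVip("A", "em1", 2, "192.168.1.1"),
    CarpVip("B", "em1", 2, "192.168.1.1", advskew=100),
    CarpVip("A", "em1", 4, "192.168.1.2"),
    CarpVip("B", "em1", 4, "192.168.1.2", advskew=100),
    CarpVip("A", "em2", 3, "192.168.2.1"),
    CarpVip("B", "em2", 3, "192.168.2.1"),
]
SAMPLE_PHYS = {("A", "em1"): "00:11:22:33:44:01", ("B", "em1"): "00:11:22:33:44:02"}

if __name__ == "__main__":
    for line in check(SAMPLE, SAMPLE_PHYS, port_mac_limit=1):
        print(line)
```

Feed it the VIP list from both boxes and any VHID reported as a tie is one both nodes will keep claiming. The MAC count is per parent interface: an interface carrying two VIPs needs the switch port to learn three source MACs, so a port-security limit of one rejects frames from the virtual MACs, which is the failure Bill describes.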



[pfSense Support] OpenVPN - duplicate IPs

2006-07-14 Thread Alastair Stevens
Would you believe it - we have another problem, with our existing pfSense box (ie unrelated to all my other recent questions with the new dual firewalls).

OpenVPN is configured and working - except that it gives the *same IP* to every client. Yes, we're using unique certs and keys (via pkcs12), as can be easily verified by exporting and looking at them! So it's not a 'duplicate-cn' problem.

I've used OpenVPN before, in other environments, without any problems. But while this one is working for any single client, more than that and it all falls over. Do I have to go through a manual mapping of CNs to IPs? Can I get DHCP to assign addresses, bypassing OpenVPN's method?

Cheers
Alastair






Re: [pfSense Support] OpenVPN - duplicate IPs

2006-07-14 Thread Rob Terhaar
On 7/14/06, Alastair Stevens [EMAIL PROTECTED] wrote:

Would you believe it - we have another problem, with our existing pfSense box (ie unrelated to all my other recent questions with the new dual firewalls).

OpenVPN is configured and working - except that it gives the *same IP* to every client. Yes, we're using unique certs and keys (via pkcs12), as can be easily verified by exporting and looking at them! So it's not a 'duplicate-cn' problem.

I've used OpenVPN before, in other environments, without any problems. But while this one is working for any single client, more than that and it all falls over. Do I have to go through a manual mapping of CNs to IPs? Can I get DHCP to assign addresses, bypassing OpenVPN's method?

Cheers
Alastair

I never heard back on these two questions:

Is the OpenVPN address pool on a different subnet from all of the other subnets? I.e., your LAN subnet isn't 192.168.3.0/24, is it?

Is DHCP in pfSense disabled for the OpenVPN interface? This is how I've configured my machines; it seems that OpenVPN hands out IPs without the need for a DHCP server.
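The two questions Rob asks, plus the manual CN-to-address mapping Alastair raises, as an added example for this page (not code from the thread or from pfSense). It assumes OpenVPN's net30 topology, the default for OpenVPN 2.0 servers, where each client is handed its own /30 out of the server's pool and an ifconfig-push line in a client-config-dir file pins one client to one /30; the subnets and common names below are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Iterator, List, Tuple


def pool_overlaps(vpn_pool: str, local_subnets: Iterable[str]) -> List[str]:
    """Return every local subnet that collides with the OpenVPN address pool."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return [s for s in local_subnets
            if pool.overlaps(ipaddress.ip_network(s, strict=False))]


def net30_endpoints(vpn_pool: str) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, server_side_ip) pairs in OpenVPN's net30 scheme.

    Every client gets its own /30; the client uses the higher host address
    and its point-to-point peer is the lower one.  The first /30 belongs to
    the server itself (e.g. 10.8.0.1 <-> 10.8.0.2) and is skipped.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    for i, block in enumerate(pool.subnets(new_prefix=30)):
        if i == 0:
            continue
        low, high = list(block.hosts())
        yield str(high), str(low)


def max_clients_net30(vpn_pool: str) -> int:
    """How many clients a pool can hold when each one consumes a /30."""
    return sum(1 for _ in net30_endpoints(vpn_pool))


def duplicate_cns(common_names: Iterable[str]) -> List[str]:
    """CNs issued more than once; without duplicate-cn, a second login with the
    same CN evicts the first session instead of getting its own address."""
    seen, dupes = set(), []
    for cn in common_names:
        if cn in seen and cn not in dupes:
            dupes.append(cn)
        seen.add(cn)
    return dupes


def ccd_entries(vpn_pool: str, common_names: Iterable[str]) -> Dict[str, str]:
    """Build client-config-dir file contents: one fixed /30 per certificate CN."""
    names = list(common_names)
    dupes = duplicate_cns(names)
    if dupes:
        raise ValueError("duplicate CNs cannot be mapped: %s" % dupes)
    pairs = net30_endpoints(vpn_pool)
    entries: Dict[str, str] = {}
    for cn in names:
        try:
            client_ip, server_ip = next(pairs)
        except StopIteration:
            raise ValueError("pool %s exhausted before %s" % (vpn_pool, cn))
        entries[cn] = "ifconfig-push %s %s\n" % (client_ip, server_ip)
    return entries


# Constructed sample: the LAN Rob asks about, a second internal subnet, and
# a bad tunnel pool (same as the LAN) beside a good one.
LOCAL_SUBNETS = ["192.168.3.0/24", "192.168.10.0/24"]
BAD_POOL = "192.168.3.0/24"
GOOD_POOL = "10.8.0.0/24"

if __name__ == "__main__":
    print("overlaps:", pool_overlaps(BAD_POOL, LOCAL_SUBNETS))
    print("clients per /24 pool:", max_clients_net30(GOOD_POOL))
    for cn, body in ccd_entries(GOOD_POOL, ["alice", "bob"]).items():
        print("ccd/%s: %s" % (cn, body.strip()))
```

A pool that overlaps a LAN is the first thing to rule out, because routes for the tunnel and the LAN then compete on both the server and the client. The ccd mapping is the "manual mapping of CNs to IPs" Alastair mentions: each file is named after the certificate CN and contains only the ifconfig-push line, so it also works as an audit of which client is supposed to own which address.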


[pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread Kyle Mott

Hi,

I was wondering if there's a way to hard-set a speed on an interface if 
it's not sync'ing correctly (IE, it's set to 100/half, and it should be 
100/full)?



-Kyle




Re: [pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread Kyle Mott
I don't suppose there's any chance we can get that in the GUI sometime 
in the future, can we? :



-Kyle

Scott Ullrich wrote:

On 7/14/06, Kyle Mott [EMAIL PROTECTED] wrote:


Hi,

I was wondering if there's a way to hard-set a speed on an interface if
it's not sync'ing correctly (IE, it's set to 100/half, and it should be
100/full)?



http://faq.pfsense.com/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden%20options






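Scott points at the hidden-options FAQ rather than the GUI, and underneath either route is FreeBSD's ifconfig media selection. As an added example for this page (not code from the thread or from pfSense), the following parses the media line of ifconfig output to tell whether autoselect ended up at 100/half and produces the ifconfig invocation that pins 100/full; the interface name and the ifconfig text are constructed.

```python
import re
from typing import Dict, Optional

# FreeBSD ifconfig prints one of these forms (constructed samples below):
#   media: Ethernet autoselect (100baseTX <half-duplex>)   negotiated
#   media: Ethernet 100baseTX <full-duplex>                 pinned by hand
#   media: Ethernet autoselect (none)                       no link
MEDIA_LINE = re.compile(r"media:\s+Ethernet\s+(.*)")


def parse_media(ifconfig_text: str) -> Dict[str, object]:
    """Extract the autoselect flag, active speed and duplex from ifconfig output."""
    m = MEDIA_LINE.search(ifconfig_text)
    if not m:
        raise ValueError("no 'media:' line in ifconfig output")
    rest = m.group(1).strip()
    autoselect = rest.startswith("autoselect")
    if autoselect:
        inner = re.search(r"\((.*)\)", rest)      # negotiated result in parentheses
        active = inner.group(1) if inner else "none"
    else:
        active = rest                             # manually set: printed bare
    speed = active.split()[0] if active else "none"
    opts_m = re.search(r"<([^>]*)>", active)
    opts = opts_m.group(1).split(",") if opts_m else []
    duplex: Optional[str] = None
    if "full-duplex" in opts:
        duplex = "full"
    elif "half-duplex" in opts:
        duplex = "half"
    return {
        "autoselect": autoselect,
        "link": speed != "none",
        "speed": None if speed == "none" else speed,
        "duplex": duplex,
    }


def force_media_cmd(iface: str, speed: str = "100baseTX", duplex: str = "full") -> str:
    """FreeBSD ifconfig syntax that pins speed and duplex on this side of the link."""
    return "ifconfig %s media %s mediaopt %s-duplex" % (iface, speed, duplex)


def diagnose(iface: str, ifconfig_text: str,
             want_speed: str = "100baseTX", want_duplex: str = "full") -> str:
    """Return 'ok', 'no link', or the ifconfig command that pins the wanted mode."""
    info = parse_media(ifconfig_text)
    if not info["link"]:
        return "no link"                          # nothing to force: check the cable first
    if info["speed"] == want_speed and info["duplex"] == want_duplex:
        return "ok"
    return force_media_cmd(iface, want_speed, want_duplex)


# Constructed ifconfig output for an interface that negotiated the wrong mode.
SAMPLE_HALF = (
    "fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255\n"
    "\tmedia: Ethernet autoselect (100baseTX <half-duplex>)\n"
    "\tstatus: active\n"
)
SAMPLE_FULL = SAMPLE_HALF.replace("<half-duplex>", "<full-duplex>")

if __name__ == "__main__":
    print(diagnose("fxp0", SAMPLE_HALF))   # prints the ifconfig command
    print(diagnose("fxp0", SAMPLE_FULL))   # prints ok
```

Pin both ends or neither: an interface forced to 100/full facing a peer that still autonegotiates leaves that peer unable to learn the duplex, and it falls back to half, so the mismatch Kyle describes gets worse rather than better. A setting applied with ifconfig by hand is gone after a reboot; the persistent route is the hidden option the FAQ Scott links describes.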



Re: [pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread Scott Ullrich

Nope.

On 7/14/06, Kyle Mott [EMAIL PROTECTED] wrote:

I don't suppose there's any chance we can get that in the GUI sometime
in the future, can we? :


-Kyle








Re: [pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread bablam

Not today or not ever?

-W

On 7/14/06, Scott Ullrich [EMAIL PROTECTED] wrote:

Nope.









--
Wade B
Integrity is more important than perception management




Re: [pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread Scott Ullrich

On 7/14/06, bablam [EMAIL PROTECTED] wrote:

Not today or not ever?

 -W


This has been brought up many times before.  We have outlined the reasons.

Please check the archives.




Re: [pfSense Support] Can we hard-set interface speeds?

2006-07-14 Thread Rob Terhaar
if you edit the config.xml via the GUI, you're using the gui right?

On 7/14/06, bablam [EMAIL PROTECTED] wrote:

Not today or not ever?

-W


Re: [pfSense Support] load balancer

2006-07-14 Thread Bill Marquette

Fails in what way?  You mean, when a WAN goes down you get
disconnected (to be expected)?

--Bill

On 7/14/06, Tunge2 [EMAIL PROTECTED] wrote:


hello,

We installed the load balancer on our pfSense RELENG_1_SNAPSHOT-07-09-2006
machine. The load balancer seems to work great for web traffic (if we shut down
the WAN connection, OPT takes it over nicely :) that's a fantastic function,
keep up the great work). But if I try to build up any SSH or telnet
connection, to an internal or an external host, it fails. The log files
are not showing anything useful.

Greetings







Re: [pfSense Support] CARP - battle of the firewalls

2006-07-14 Thread Royce Mitchell III

Bill Marquette wrote:


On 7/14/06, Royce Mitchell III [EMAIL PROTECTED] wrote:


ever see any of the packets in question ), would it be advisable to give
each carp interface a dedicated switch, or is it safe for example, to
hook both LAN interfaces to the aforementioned D-Link, which is a
24-port gigabit unmanaged switch which all my servers are plugged into?



Given your setup and the fact that you still have a single point of
failure on the WAN side of your firewall, I'd probably plug both
firewalls into your most reliable switch.  Trying to split them may
end up in some rather goofy network issues anyway in failover
scenarios.


It wasn't intentional to set them up so goofily so much as just an 
experiment that turned into a working setup without reviewing ( until 
now ) the setup. There's no avoiding a single point of failure on the 
WAN side because there's only one modem, which is why we have the 
dual-WAN setup. While each ISP is a single point of failure, the fact 
that we have two mitigates the single point of failure. The only real 
single point of failure we have is the central D-Link switch.


Anyway I will try getting all carp interfaces on shared switches next 
week and see what that improves.


Thanks!

