Hi Bill,
Same here, I even have the same thing working on 1.1 PFsense for another
customer. Is there a way to downgrade from 1.2 RC2 to 1.1?
Thanks,
Lee
Bill Marquette wrote:
Strange, other than the sticky address (which should be more a
nuisance than anything) not getting set on the secondary, I'm not
seeing anything obvious that would prevent the connection from
working.
The only other thing I can think to look at is whether the rulesets
(/tmp/rules.debug) are the same between the two machines (with
exception to a few subtle differences they should be).
You can try tcpdump'ing on the secondary and making sure the tcp
traffic is making it to the external interface. If it is, check the
inside and see what's actually getting passed through. Lastly, double
check the firewall logs, you might be seeing blocks for some reason.
FWIW, I have similar setups working just fine (minus pfsense as the
frontend), so this is likely a pfsense bug or a config issue of some
sort.
--Bill
On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:
Hi Bill,
All is carp, when the primary is off, I can ping the address still.
Primary:
# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address
Secondary:
# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin
Thanks,
Lee
Bill Marquette wrote:
Hmm, what does the output of pfctl -sn -aslb look like on both
boxes? The other obvious question is, are the virtual addresses that
front end your load balance pool CARP addresses? If they aren't, then
the secondary won't take them over on failover regardless of the load
balance config.
--Bill
On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:
Hi Bill,
The config was sync'd ok, I can see it on both boxes. Below is a ps -ax
from the secondary machine:
# ps -ax |grep slb
60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
65097 p0 RV 0:00.00 grep slb (tcsh)
Looks to me like it's running? I tried editing the config and saving it
like you suggest, and the ps -ax was then:
# ps -ax | grep slb
65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
Still nothing however when I reboot the primary...
Lee
Bill Marquette wrote:
Can you confirm that the load balancer config sync'd over to the
secondary? Also, assuming it did, can you do a 'ps -ax |grep slb'
from the shell? I suspect it never started slbd after sync (as an
interim workaround, you could try going to the load balancer page on
the secondary and editing/saving the config).
--Bill
On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi Bill,
Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are
load balancing 443 and 80 TCP
Lee
On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
Inbound or outbound load balancing?
--Bill
On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi There,
I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and
working, the two machines are syncing settings and the carp is working
properly. However, if I reboot the primary firewall the secondary takes
over pings, but the load balancing doesn't work again until the primary is
back online.
Everything seems to be ok, when the primary disappears, the ping drops 1
packet, then the secondary carries on and everything runs ok. The servers
on the lan interface of the firewall can route out to the internet fine
whilst running with only the secondary firewall. The only thing not to
work is the load balancer.
Anyone have any ideas?
I have it wired as:
INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X
CISCO 3550-EMI -- LAN
Each of the pix/pfsense are connected to separate switches, which are in
turn linked together.
Thanks in advance,
Lee
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
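
The comparison of `pfctl -sn -aslb` output between the two boxes discussed in the thread can be automated. The following is an added example, not part of the original messages or of pfSense; the function names are hypothetical, and the sample input is the output posted above with the line wraps kept and `->` assumed as the redirect arrow.

```python
import re

# Constructed from the pfctl output posted in the thread (mail line wraps kept).
PRIMARY = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
10.5.49.2 } port 80 round-robin sticky-address
"""
SECONDARY = PRIMARY.replace(" sticky-address", "")

RULE = re.compile(
    r"rdr .*?proto (?P<proto>\S+) from \S+ to (?P<vip>\S+) port = (?P<svc>\S+)"
    r" -> \{ (?P<pool>[^}]*) \} port (?P<port>\d+)(?P<opts>.*)$")

def parse_rdr(text):
    """Map (proto, virtual IP, service) -> {field: set of tokens} per rdr rule."""
    # A new rule starts with "rdr "; any other line break is a mail wrap.
    joined = re.sub(r"\n(?!rdr )", " ", text.strip())
    rules = {}
    for line in joined.splitlines():
        m = RULE.match(" ".join(line.split()))  # collapse repeated whitespace
        if m:
            rules[(m["proto"], m["vip"], m["svc"])] = {
                "pool": {p.strip() for p in m["pool"].split(",")},
                "port": {m["port"]},
                "options": set(m["opts"].split()),
            }
    return rules

def diff_rdr(primary, secondary):
    """Return (rule key, description) for each difference between the nodes."""
    a, b = parse_rdr(primary), parse_rdr(secondary)
    findings = []
    for key in sorted(a.keys() | b.keys()):
        if key not in a or key not in b:
            side = "primary" if key not in a else "secondary"
            findings.append((key, f"rule missing on {side}"))
            continue
        for field in ("pool", "port", "options"):
            x, y = a[key][field], b[key][field]
            if x != y:
                findings.append((key, f"{field}: primary-only {sorted(x - y)}, "
                                      f"secondary-only {sorted(y - x)}"))
    return findings

if __name__ == "__main__":
    for key, what in diff_rdr(PRIMARY, SECONDARY):
        print(key, what)
```
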