[pfSense Support] Carp failover time
Hi,

What is the average time for the CARP failover to kick in, i.e. how much time does it take for the backup to become master and start serving requests, and vice versa? Is the timing parameter configurable? I have both the WAN and LAN gateways as CARP IPs.

Version 2.0-RC1 (i386) built on Thu Mar 17 07:27:35 EDT 2011

ShiB.
while ( ! ( succeed = try() ) );

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Carp failover time
What is the average time for the CARP failover to kick in, i.e. how much time does it take for the backup to become master and start serving requests, and vice versa? Is the timing parameter configurable? I have both the WAN and LAN gateways as CARP IPs.

I as a human have never been faster than the failover, meaning that I immediately refreshed the CARP status screen after pulling a cable and that it was already showing master. It is at least within a second.

Kind regards,
Peter van der Leek
Re: [pfSense Support] Carp failover time
I think we're discussing timeouts related to OSI levels 2 or 3. A physical disconnect is of course immediate, but I think other factors should be considered, like watchdog-style errors, ping timeouts, and transport-layer failures. I hope we can document points of failure and expected delays for each.

best,
mike

On Sat, 02 Jul 2011 17:36:39 +0200, Peter van der Leek wrote:

What is the average time for the CARP failover to kick in, i.e. how much time does it take for the backup to become master and start serving requests, and vice versa? Is the timing parameter configurable? I have both the WAN and LAN gateways as CARP IPs.

I as a human have never been faster than the failover, meaning that I immediately refreshed the CARP status screen after pulling a cable and that it was already showing master. It is at least within a second.

Kind regards,
Peter van der Leek

--
Mike Nichols
My Own SOHO
m...@myownsoho.net
http://myownsoho.com
212 202-2194
Re: [pfSense Support] Carp failover time
On Sat, Jul 2, 2011 at 4:34 AM, Shibashish shi...@gmail.com wrote:

Hi, What is the average time for the CARP failover to kick in, i.e. how much time does it take for the backup to become master and start serving requests, and vice versa?

Immediate if it's expected (i.e. you reboot the master), 1-2 seconds by default if it's not (such as yanking the power plug or any other failure to communicate by the master).

Is the timing parameter configurable?

Yes, search advskew and advbase.
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 7:30 PM, Moshe Katz wrote:

Is your ISP Verizon? We have had many ARP issues with Verizon FIOS. For our pfSense box to get all of our IPs, we have to manually set each of the IPs as the WAN IP (one by one), then set up the Virtual IP settings after we do that.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Thu, Feb 10, 2011 at 7:19 PM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:
On 2/10/2011 12:57 PM, Evgeny Yurchenko wrote:
On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:
On 2/10/2011 10:42 AM, Vaughn L. Reid III wrote:
On 2/10/2011 9:32 AM, Vaughn L. Reid III wrote:
On 2/10/2011 2:43 AM, Seth Mos wrote:
On 10-2-2011 4:18, Vaughn L. Reid III wrote:

1. All the Master and Backup status notifications in the web interface on both pfSense boxes show the correct status.
2. I'll do a packet capture tomorrow and see if the CARP heartbeat shows up. I was unaware that any CARP-related traffic passed between any of the interfaces except the one designated as the synchronization interface. I need to double-check the multicast configuration on the switch tomorrow also (I think I have multicast enabled on the switch, but need to confirm that).

Yes, some switches support multicast filtering; I know from experience with HP switches that it works with the setting on. So I know they have it implemented correctly. This way not all switch ports get the CARP traffic unless they participate in the multicast group. This cuts down on broadcast a lot.

I recommend the HP switches; they have never given me any grief as long as I've worked with them. I even have a CARP cluster spanning 2 buildings across the street over a fiber connection. It just works.

If you need a managed switch on a budget I can confirm that the HP ProCurve 1810-8G works well. It's web managed, supports VLANs and basic traffic counters. It is also fanless. The smallest I have in use on a CARP cluster is a ProCurve 2650 in combination with a 2900-48G. The biggest I have is an 8212zl. Do note that the software in the 1810 differs a lot from the other managed switches.

Regards,
Seth
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 2:43 AM, Seth Mos wrote:

I've run a packet capture and here are the results:

1. Capture shows a bunch of VRRP announcements from the primary firewall to destination 224.0.0.18. The destination confirms this is a multicast address, I believe. According to Wikipedia, VRRP and CARP share the same protocol number. So, I believe that these are CARP announcements.
2. All the VRRP requests had a vrrp.prio value of 0 with a description of "Priority: 0 (Current Master has stopped participating in VRRP)".
3. Over a 114-second capture, there were no VRRP announcements from the secondary firewall.
4. There were lots of ARP broadcast requests from the secondary firewall asking who has the IP of the default gateway. There were 0 ARP requests from the primary firewall during the capture period.
5. There were lots of ICMP pings from both the primary and secondary pfSense firewalls to the default gateway on this WAN interface. I assume this is from the Load Balance Fail-Over configuration I have enabled for the cluster on this interface.

I confirmed that the Master firewall shows itself as Master for all interfaces. I confirmed that the Secondary firewall shows itself as Backup for all interfaces.
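The "Priority: 0" that the capture tool attached to the master's announcements above, and the advskew/advbase knobs named in the failover-time thread earlier on this page, are the same header bytes read two ways: IP protocol 112 is shared by VRRP and CARP, and the first eight bytes of a CARP advertisement line up field by field with a VRRPv2 header, so a VRRP dissector reports CARP's advskew as "priority". The Python below is an added example, not code from the thread or from pfSense. It builds a constructed CARP advertisement (zeros stand in for the counter and HMAC-SHA1 that a real one carries), decodes it both as VRRPv2 and as CARP, and applies the BACKUP-state timing rules as I read them in the FreeBSD/OpenBSD ip_carp.c of that era: a master advertises every advbase + advskew/256 seconds, a backup declares the master down after 3*advbase + advskew/256 seconds of silence, and a master that is shutting down announces advbase 255/advskew 255. The header layout, those rules, and the sample skews (0 on the primary, 100 on the secondary) are assumptions of mine; nothing in the thread states them.

```python
"""Constructed CARP advertisement decoded as VRRPv2 and as CARP, plus the
BACKUP-state timing rules. Added example: header layout and rules follow my
reading of FreeBSD/OpenBSD ip_carp.c (assumption, not from the thread)."""
import struct

# IP protocol 112 is shared by VRRP (RFC 3768) and CARP, so a VRRP dissector
# decodes CARP: the first 8 bytes of both headers line up field by field.
IPPROTO_CARP = 112
CARP_HDR = struct.Struct("!BBBBBBH")  # vers|type, vhid, advskew, authlen, demote, advbase, cksum
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_AUTH_WORDS = 7                    # 8-byte counter + 20-byte HMAC-SHA1 = 28 bytes = 7 words


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a packet
    whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp_advertisement(vhid: int, advskew: int, advbase: int = 1, demote: int = 0) -> bytes:
    """Constructed packet: a real advertisement carries a replay counter and an
    HMAC-SHA1 in the 28 trailing bytes; zeros stand in for them here."""
    hdr = CARP_HDR.pack((CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                        vhid, advskew, CARP_AUTH_WORDS, demote, advbase, 0)
    body = hdr + bytes(4 * CARP_AUTH_WORDS)
    return body[:6] + struct.pack("!H", ip_checksum(body)) + body[8:]


def vrrp_priority_text(priority: int) -> str:
    """Meaning RFC 3768 gives the byte that CARP actually uses for advskew."""
    if priority == 0:
        return "Current Master has stopped participating in VRRP"
    if priority == 255:
        return "This router owns the virtual router's IP address(es)"
    return "Normal priority"


def decode_as_vrrp(pkt: bytes) -> dict:
    """The first 8 bytes read with VRRPv2 field names, as a VRRP dissector does."""
    vt, vrid, prio, count, auth, interval, _ = CARP_HDR.unpack_from(pkt)
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "prio": prio,
            "prio_text": vrrp_priority_text(prio), "count_ip_addrs": count,
            "auth_type": auth, "adver_int": interval}


def decode_as_carp(pkt: bytes) -> dict:
    """The same 8 bytes read as CARP: VRRP 'priority' is advskew,
    'count_ip_addrs' is the auth length in words, 'adver_int' is advbase."""
    vt, vhid, advskew, authlen, demote, advbase, _ = CARP_HDR.unpack_from(pkt)
    return {"version": vt >> 4, "type": vt & 0x0F, "vhid": vhid, "advskew": advskew,
            "authlen_words": authlen, "demote": demote, "advbase": advbase,
            "checksum_ok": ip_checksum(pkt) == 0,
            "interval_s": advertisement_interval(advbase, advskew)}


def advertisement_interval(advbase: int, advskew: int) -> float:
    """Seconds between a master's advertisements."""
    return advbase + advskew / 256


def master_down_timeout(advbase: int, advskew: int) -> float:
    """Seconds a BACKUP waits without hearing any master before taking over
    (ip_carp.c: 3 * advbase seconds plus advskew/256)."""
    return 3 * advbase + advskew / 256


def on_advertisement(backup: tuple, received: tuple, preempt: bool = True) -> str:
    """BACKUP-state reaction to one received advertisement, after ip_carp.c.
    backup/received are (advbase, advskew) pairs. A master shutting down sends
    (255, 255), which any backup treats as 'master gone' on receipt.
    Demotion/preempt-suppression is not modelled."""
    r = advertisement_interval(*received)
    if preempt and r > advertisement_interval(*backup):
        return "take over now: preempting a slower master"
    if r > master_down_timeout(*backup):
        return "take over now: master will time out"
    return "stay backup: master-down timer reset"


if __name__ == "__main__":
    master, backup = (1, 0), (1, 100)     # assumed primary/secondary (advbase, advskew)
    pkt = build_carp_advertisement(vhid=1, advskew=master[1], advbase=master[0])
    print("as VRRP:", decode_as_vrrp(pkt))
    print("as CARP:", decode_as_carp(pkt))
    print("normal ad from master  ->", on_advertisement(backup, master))
    print("master bowing out      ->", on_advertisement(backup, (255, 255)))
    print("master silent (unplug) -> takeover after %.2f s" % master_down_timeout(*backup))
```

Run as a script it shows the master's advertisement carrying advskew 0, which a VRRP decoder renders as priority 0 with exactly the "stopped participating" wording seen in the capture; that text is a VRRP interpretation, not a statement about the CARP master. For a backup configured with advbase 1 and advskew 100 the master-down timer comes out at 3 + 100/256, about 3.39 s; a lower advskew on the backup or a lower advbase on both nodes shortens it at the cost of more frequent advertisements, while a graceful shutdown hands over as soon as the departing master's last advertisement arrives. The constants come from the ip_carp.c I am assuming here and may differ in other versions.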
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 9:32 AM, Vaughn L. Reid III wrote:

I performed a second capture of 3 minutes on the malfunctioning WAN and noted identical results for the VRRP/CARP packets. On the second capture, however, I did see ARP requests from both firewalls asking for the MAC of the IP of the default gateway; this was different from my item number 4 in the previous post.

I also performed a 3-minute packet capture from one of the known working WAN connections on the cluster. The VRRP packets on that connection showed an origination address of the real IP on the primary/Master firewall and a multicast destination, just like the results from the problem WAN connection. I also noted that the vrrp.prio value and description were the same on the working WAN as on the not-working WAN.

Both the working WAN connection packet capture and the non-working WAN packet capture show IGMP packets noting the entering and leaving of multicast groups.
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 10:42 AM, Vaughn L. Reid III wrote:

One more thing. If I unplug the connection that leads to the ISP's black box from the switch and leave everything else in place, pings from the secondary/backup firewall to the CARP start working as expected. I'm not sure I understand this behavior. With 2 IP addresses on the same subnet that can communicate with each other on the same VLAN of a switch, it seems to me that it shouldn't matter what else I plug into that switch (as long as it has a different IP and as long as it is not doing some
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 12:57 PM, Evgeny Yurchenko wrote:
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
Is your ISP Verizon? We have had many ARP issues with Verizon FIOS. For our pfSense box to get all of our IPs, we have to manually set each of the IPs as the WAN IP (one by one), then set up the Virtual IP settings after we do that.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Thu, Feb 10, 2011 at 7:19 PM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/10/2011 7:30 PM, Moshe Katz wrote:

Is your ISP Verizon? We have had many ARP issues with Verizon FIOS. For our pfSense box to get all of our IPs, we have to manually set each of the IPs as the WAN IP (one by one), then set up the Virtual IP settings after we do that.

Moshe
[pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
I've got a PfSense version 1.2.3 cluster at a Public Library customer connected to 6 WAN links. The first 5 are connected as VLANs through a TP-Link SL3428 switch then to an ISP provided Router (4 ATT ADSL links each with a Netopia ADSL router and a Fiber Link with a Cisco 2800 series router). These 5 WAN links are all configured identically (except for IP, etc.) and have worked beautifully for 2 or 3 years. The first 5 WANs all go out the same Intel server interface. The 6th connection goes out a second Intel server interface (there are 6 physical Intel server gigabit interfaces on the machines all together -- 4 onboard plus 1 dual port PCI-X card).

Illustration:

WAN Connections 1 through 5
Pfsense Cluster --- VLAN Trunk --- TP-Link Managed Switch --- Switch Ports out to each Provider on a different VLAN (port to provider in access mode, not tagged) --- Provider's Router -- Internet
Everything Works!!!

WAN Connection 6
Pfsense cluster -- VLAN Trunk -- D-Link Managed Switch -- Switch Port out to the Provider (port to provider in access mode, not tagged) -- Provider's On-Site Black Box/Fiber Converter (can't get any details about what's in it) -- Nothing!!!

The Library has recently decided to replace the ADSL links with a fiber-to-your-door Internet connection. For redundancy, I've set this up to run through a D-Link DGS 3200-10 managed switch. I have this connection configured identically to the other 5 working connections except for ISP specific things like netmask and IP address. I cannot, for the life of me, get this 6th connection to work correctly.

I've been doing some troubleshooting for a bit now and have noticed some items that might be helpful on this 6th WAN connection.

Address Learning enabled on the Switch (default setting):
1. If I leave MAC address learning on on the D-Link switch, the Carp Master can ping its real IP address, can ping its CARP IP address, and can ping the fail-over PfSense.
2. The fail-over Pfsense server can ping its own real IP, can ping the Carp Master's real IP, but cannot ping the CARP IP.
3. When I first boot the switch, I can usually ping the CARP IP from the fail-over box 1 time before pings start timing out.
4. From a remote location, I am able to ping the real IP of both boxes, but I cannot ping the CARP IP.
5. Both boxes can ping the ISP's default gateway.

Address Learning disabled on the Switch:
1. Both PFSense boxes can ping each other, and both can ping the CARP IP.
2. Neither can ping the ISP's IP address.
3. From a remote location, I am unable to ping any of the boxes on the 6th ISP interface.

I've tried this connection through the same switch without VLANs enabled for this connection and still have no connectivity through this provider. If I plug a laptop directly into the switch and use any of the 3 IPs in question, I have a good Internet connection.

On the D-Link Switch, Spanning Tree is disabled. The ports containing the PFSense box links are tagged VLAN trunks with no untagged ports allowed. The port leading to the ISP is an untagged VLAN port that is only a member of 1 VLAN. I know I could set this up without fussing with the VLANs, but I wanted to be consistent between the 2 switches.

I believe this is a switch related issue and not a PFSense related issue directly. I am hesitant to run this connection through the other managed switch because I'm looking for redundancy.

If anyone has any suggestions about where my problem may be, I'd really appreciate the help.

Thanks!
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
According to page 15 of the reference manual, address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box, connected to each other via a cross-over cable.

On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual, address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

This just means the switch dynamically learns the source MAC of each attached device. 99.999 percent of all switches on the market have dynamic MAC learning enabled. This isn't the problem.

One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box, connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a crossover cable between pairs of boxes, but that's for pfsync, not CARP. pfsync migrates table state between pf boxes; CARP is for redundant sharing of a virtual IP address among multiple pf boxes, and would be of little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You might also want to verify that the switch is configured to forward multicast.

dn

On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
My understanding of forwarding also was that address learning is a normal part of switch operation. But I find it odd that turning that off lets the fail-over box ping the CARP IP on the primary box; with address learning on, I am unable to do that.

A clarification about the Carp setup -- each PfSense server has a dedicated interface connected to the other via a crossover cable. This is the interface that is configured to send and receive pfsync and its related traffic in the carp setup page. The firewall rules for this dedicated interface on each server are to allow all traffic on the interface.

With a dedicated interface for the Carp related stuff to use, do the other interfaces still send and receive multi-cast pfsync traffic?

On 2/9/2011 5:10 PM, David Newman wrote:

On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual, address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

This just means the switch dynamically learns the source MAC of each attached device. 99.999 percent of all switches on the market have dynamic MAC learning enabled. This isn't the problem.

One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box, connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a crossover cable between pairs of boxes, but that's for pfsync, not CARP. pfsync migrates table state between pf boxes; CARP is for redundant sharing of a virtual IP address among multiple pf boxes, and would be of little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You might also want to verify that the switch is configured to forward multicast.

dn

On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?

On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual, address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box, connected to each other via a cross-over cable.

Please do not top-post.

So Address Learning should be enabled.

1) Do you see one box as stand-by and the other one as active in the web interface?
2) Connect a laptop instead of the ISP's cable and run a packet capture; you should be able to see the once-a-second carp heartbeat (multicast MAC + carp IP in the destination field).

If one pfSense shows Active, the other one shows Stand-by, and on the laptop you see the heartbeat from only one (master) pfSense, then you did not mess up the carp configuration and vlans on the switch.

Evgeny.
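Evgeny's laptop-capture check, as an added example that is not part of the thread: it reads tcpdump-style summary lines from a capture taken in place of the ISP cable and reports, per VHID, whether exactly one host is advertising about once per second. The sample capture lines, the 203.0.113.x hosts and the VHIDs are constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump decodes CARP as VRRPv2 (both use IP protocol 112 and 224.0.0.18), so a
# heartbeat shows up as a summary line of this shape.  Hosts, times and VHIDs in
# SAMPLE_CAPTURE are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+), "
    r"authtype [^,]+, intvl (?P<intvl>\d+)s"
)

SAMPLE_CAPTURE = """\
10:00:00.000000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
10:00:01.001000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
10:00:02.002000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36
10:00:00.100000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 0, authtype none, intvl 1s, length 36
10:00:00.600000 IP 203.0.113.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 0, authtype none, intvl 1s, length 36
10:00:01.100000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 6, prio 0, authtype none, intvl 1s, length 36
10:00:00.200000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 8, prio 0, authtype none, intvl 1s, length 36
10:00:03.200000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 8, prio 0, authtype none, intvl 1s, length 36
10:00:00.250000 IP 203.0.113.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 9, prio 0, authtype none, intvl 1s, length 36
10:00:00.300000 IP 203.0.113.3 > 203.0.113.1: ICMP echo request, id 1, seq 1, length 64
""".splitlines()


def parse_line(line):
    """Return the fields of one CARP/VRRP advertisement, or None for any other
    traffic in the capture (ARP, ICMP, IGMP ...)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": seconds, "src": m["src"], "vrid": int(m["vrid"]),
            "intvl": int(m["intvl"])}


def check_heartbeats(lines, expected_vrids, slack=0.5):
    """For each VHID expected on this segment: exactly one host (the master)
    should advertise, with no gap longer than the advertised interval plus
    `slack` seconds.  Returns {vrid: {"sources": [...], "max_gap": float or
    None, "problems": [...]}}; an empty problem list means the VHID looks healthy."""
    seen = defaultdict(list)
    for line in lines:
        adv = parse_line(line)
        if adv is not None:
            seen[adv["vrid"]].append(adv)

    report = {}
    for vrid in sorted(set(expected_vrids) | set(seen)):
        advs = sorted(seen.get(vrid, []), key=lambda a: a["t"])
        sources = sorted({a["src"] for a in advs})
        problems, max_gap = [], None
        if not advs:
            # A backup never advertises, so silence from the second box is
            # normal; silence for a whole VHID means no master is sending, or
            # the heartbeat is not reaching this port (VLAN/multicast filtering).
            problems.append("no advertisements seen")
        else:
            if len(sources) > 1:
                # Both boxes advertising the same VHID: each believes it is master.
                problems.append("more than one host advertising (two masters?)")
            gaps = [b["t"] - a["t"] for a, b in zip(advs, advs[1:])]
            if gaps:
                max_gap = max(gaps)
                if max_gap > advs[0]["intvl"] + slack:
                    problems.append("heartbeat gap of %.1fs" % max_gap)
        if vrid not in expected_vrids:
            problems.append("VHID not configured on this segment")
        report[vrid] = {"sources": sources, "max_gap": max_gap, "problems": problems}
    return report


if __name__ == "__main__":
    for vrid, info in check_heartbeats(SAMPLE_CAPTURE, {5, 6, 7, 8}).items():
        print("vhid %d from %s: %s" % (vrid, info["sources"] or "-",
                                       "; ".join(info["problems"]) or "ok"))
```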
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:

My understanding of forwarding also was that address learning is a normal part of switch operation. But I find it odd that turning that off lets the fail-over box ping the CARP IP on the primary box; with address learning on, I am unable to do that.

A clarification about the Carp setup -- each PfSense server has a dedicated interface connected to the other via a crossover cable. This is the interface that is configured to send and receive pfsync and its related traffic in the carp setup page. The firewall rules for this dedicated interface on each server are to allow all traffic on the interface.

With a dedicated interface for the Carp related stuff to use, do the other interfaces still send and receive multi-cast pfsync traffic?

No, but they send the multicast CARP traffic on all interfaces where a CARP IP resides.
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/9/2011 9:20 PM, Evgeny Yurchenko wrote:

On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]
Address Learning enabled on the Switch (default setting):
[snip]

Can you briefly explain what 'address learning' is according to D-Link?

On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual, address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box, connected to each other via a cross-over cable.

Please do not top-post.

So Address Learning should be enabled.

1) Do you see one box as stand-by and the other one as active in the web interface?
2) Connect a laptop instead of the ISP's cable and run a packet capture; you should be able to see the once-a-second carp heartbeat (multicast MAC + carp IP in the destination field).

If one pfSense shows Active, the other one shows Stand-by, and on the laptop you see the heartbeat from only one (master) pfSense, then you did not mess up the carp configuration and vlans on the switch.

Evgeny.

1. All the Master and backup status notifications in the web interface on both PFSense boxes show the correct status.
2. I'll do a packet capture tomorrow and see if the carp-heartbeat shows up.

I was unaware that any Carp related traffic passed between any of the interfaces except the one designated as the synchronization interface.

I need to double-check the multi-cast configuration on the switch tomorrow also (I think I have multi-cast enabled on the switch, but need to confirm that).
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/9/2011 10:09 PM, Chris Buechler wrote:

On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:

My understanding of forwarding also was that address learning is a normal part of switch operation. But I find it odd that turning that off lets the fail-over box ping the CARP IP on the primary box; with address learning on, I am unable to do that.

A clarification about the Carp setup -- each PfSense server has a dedicated interface connected to the other via a crossover cable. This is the interface that is configured to send and receive pfsync and its related traffic in the carp setup page. The firewall rules for this dedicated interface on each server are to allow all traffic on the interface.

With a dedicated interface for the Carp related stuff to use, do the other interfaces still send and receive multi-cast pfsync traffic?

No, but they send the multicast CARP traffic on all interfaces where a CARP IP resides.

Thanks for this clarification.
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 10-2-2011 4:18, Vaughn L. Reid III wrote:

1. All the Master and backup status notifications in the web interface on both PFSense boxes show the correct status.
2. I'll do a packet capture tomorrow and see if the carp-heartbeat shows up.

I was unaware that any Carp related traffic passed between any of the interfaces except the one designated as the synchronization interface.

I need to double-check the multi-cast configuration on the switch tomorrow also (I think I have multi-cast enabled on the switch, but need to confirm that).

Yes, some switches support multicast filtering; I know from experience with HP switches that it works with the setting on. So I know they have it implemented correctly. This way not all switch ports get the carp traffic unless they participate in the multicast group. This cuts down on broadcast a lot.

I recommend the HP switches, they have never given me any grief as long as I've worked with them. I even have a carp cluster spanning 2 buildings across the street over a fiber connection. It just works.

If you need a managed switch on a budget I can confirm that the HP Procurve 1810-8G works well. It's web managed, supports vlans and basic traffic counters. It is also fanless. The smallest I have in use on a carp cluster is a Procurve 2650 in combination with a 2900-48G. The biggest I have is a 8212zl.

Do note that the software in the 1810 differs a lot from the other managed switches.

Regards,
Seth
[pfSense Support] [CARP issue] can someone to reproduce it?
Hello,

I've posted a bug (http://redmine.pfsense.org/issues/1226), but could anyone please check if it is reproducible on your boxes?

Thank you,
st41ker
Re: [pfSense Support] CARP support broken in kernel?
Hello,

Is there any update on the issue?

On 11.12.2010 12:30, st41...@st41ker.net wrote:

Hello,

Understood. The requested changes have been made and the result is the same. Please clarify what statistics exactly you need. Here is the complete output of netstat -ss:

#uptime; netstat -ss
12:28PM up 33 mins, 2 users, load averages: 0.23, 0.23, 0.11
tcp:
    14643 packets sent
        6316 data packets (2478656 bytes)
        433 data packets (375832 bytes) retransmitted
        25 data packets unnecessarily retransmitted
        7266 ack-only packets (0 delayed)
        85 window update packets
        552 control packets
    12769 packets received
        6093 acks (for 2483590 bytes)
        255 duplicate acks
        packets (2405848 bytes) received in-sequence
        1 out-of-order packet (0 bytes)
        11 window update packets
    193 connection requests
    205 connection accepts
    4 ignored RSTs in the windows
    396 connections established (including accepts)
    388 connections closed (including 17 drops)
        119 connections updated cached RTT on close
        128 connections updated cached RTT variance on close
        41 connections updated cached ssthresh on close
    2 embryonic connections dropped
    5376 segments updated rtt (of 5566 attempts)
    638 retransmit timeouts
        12 connections dropped by rexmit timeout
    2 keepalive timeouts
        2 connections dropped by keepalive
    1986 correct data packet header predictions
    205 syncache entries added
        5 retransmitted
        3 dropped
        205 completed
        208 cookies sent
    130 SACK options (SACK blocks) received
udp:
    2200 datagrams received
    173 dropped due to no socket
    589 broadcast/multicast datagrams undelivered
    1438 delivered
    11169 datagrams output
sctp:
    Packet drop statistics:
    Timeouts:
ip:
    68772 total packets received
    125 bad header checksums
    56439 packets for this host
    6 packets for unknown/unsupported protocol
    7670 packets forwarded
    150 packets not forwardable
    29848 packets sent from this host
    1182 output packets discarded due to no route
icmp:
    1544 calls to icmp_error
    Output histogram:
        echo reply: 56
        destination unreachable: 148
    Input histogram:
        echo reply: 1900
        echo: 56
    56 message responses generated
    ICMP address mask responses are disabled
igmp:
    509 messages received
    506 membership reports received
    503 membership reports received with invalid field(s)
    15 membership reports sent
ipsec:
ah:
esp:
ipcomp:
pim:
carp:
    17235 packets received (IPv4)
        17225 discarded for bad vhid
    12296 packets sent (IPv4)
pfsync:
    21776 packets received (IPv4)
        21768 packets discarded for bad interface
    12898 packets sent (IPv4)
arp:
    2381 ARP requests sent
    61 ARP replies sent
    3735 ARP requests received
    27 ARP replies received
    3762 ARP packets received
    2317 total packets dropped due to no ARP entry
    26 ARP entrys timed out
ip6:
    51 total packets received
    51 packets sent from this host
    Input histogram:
        ICMP6: 51
    Mbuf statistics:
        0 one mbuf
        51 one ext mbuf
        0 two or more ext mbuf
    Source addresses selection rule applied:
icmp6:
    Output histogram:
        neighbor solicitation: 12
        MLDv2 listener report: 37
    Histogram of error messages to be generated:
ipsec6:
rip6:
pfkey:
    2 requests sent from userland
    32 bytes sent from userland
    histogram by message type:
        flush: 1
        x_spdflush: 1
    2 requests sent to userland
    32 bytes sent to userland
    histogram by message type:
        flush: 1
        x_spdflush: 1

According to ip_carp.c, this counter (discarded for bad vhid) is incremented each time the physical interface on which a carp packet was received does not contain any associated carp interface, or if the VHIDs of the associated CARP interfaces do not include the VHID in the received packet. IMHO the problem could be in the binaries. Anyway, I've double checked each VLAN interface on the router for CARP packets that could get on the wrong one due to switch\pfSense interface misconfiguration, and there were no signs of such misconfiguration. Every CARP packet is getting right to its destination.

Also there is intermittent CARP status
Re: [pfSense Support] CARP support broken in kernel?
I've updated bug 1072 (http://redmine.pfsense.org/issues/1072).

According to the packet dump:

carp vhid=1
192.168.252.254 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 107.95.16.142,89.11.4.1,28.106.118.248,149.43.12.212,148.195.215.246,252.189.185.117,56.253.61.5
    0x0000:  0100 5e00 0012 5e00 0101 0800 4510
    0x0010:  0038 d66a 4000 ff70 c0a8 fcfe e000
    0x0020:  0012 2101 0007 8001 b7a9 6b5f 108e 590b
    0x0030:  0401 1c6a 76f8 952b 0cd4 94c3 d7f6 fcbd
    0x0040:  b975 38fd 3d05

carp vhid=256
192.168.253.254 > 224.0.0.18: VRRPv2, Advertisement, vrid 0, prio 0, authtype simple, intvl 1s, length 36, addrs(7): 137.7.31.146,238.223.10.81,90.241.214.208,59.45.154.124,64.216.227.11,117.38.205.9,26.19.86.208[|vrrp]
    0x0000:  0100 5e00 0012 5e00 0100 0800 4510
    0x0010:  0038 8271 4000 ff70 c0a8 fdfe e000
    0x0020:  0012 2100 0007 0101 5dc9 8907 1f92 eedf
    0x0030:  0a51 5af1 d6d0 3b2d 9a7c 40d8 e30b 7526
    0x0040:  cd09 1a13 56d0

It seems like there is something wrong with the bit shifting for the vhidx field (previously it was known as the carp_pad1 field). When the interface's vhid=255 it's always 1000b (0x80), and only when the interface's vhid=255 does everything work as expected.

2ALL: A temporary workaround for this situation is to use a VHID greater than 255.

On 15.12.2010 1:23, st41ker wrote:

Hello,

Is there any update on the issue?

On 11.12.2010 12:30, st41...@st41ker.net wrote:

Hello,

Understood. The requested changes have been made and the result is the same. Please clarify what statistics exactly you need.
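To make the poster's analysis concrete, here is an added example (not code from the thread or from pfSense) that decodes the two captured advertisements byte by byte using FreeBSD's struct carp_header layout, verifies their checksums, and applies the "bad vhid" acceptance rule the poster quotes from ip_carp.c. The payload bytes are the ones printed in the thread; the set of VHIDs configured on the receiving interface is an assumed input.

```python
import struct

CARP_HEADER_LEN = 36  # fixed-size header: 16 bytes of fields + 20-byte SHA1 HMAC

# The two advertisements from the thread, bytes copied from the tcpdump -xx lines
# at offsets 0x22-0x45 (everything after the IPv4 destination 224.0.0.18).
ADV_VHID_1 = bytes.fromhex(
    "2101 0007 8001 b7a9 6b5f 108e 590b 0401 1c6a 76f8 952b 0cd4"
    " 94c3 d7f6 fcbd b975 38fd 3d05".replace(" ", ""))
ADV_VHID_256 = bytes.fromhex(
    "2100 0007 0101 5dc9 8907 1f92 eedf 0a51 5af1 d6d0 3b2d 9a7c"
    " 40d8 e30b 7526 cd09 1a13 56d0".replace(" ", ""))


def internet_checksum(data):
    """RFC 1071 one's-complement checksum, the same arithmetic carp_cksum() uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_carp_header(payload):
    """Decode struct carp_header (FreeBSD ip_carp.h layout).  tcpdump's VRRP
    decoder reads the same bytes as vers/type, vrid, prio, count_ip, auth_type,
    adver_int, checksum: that is why pad1=0x80 prints as 'authtype #128' and the
    7-word counter+digest prints as 'addrs(7)'."""
    if len(payload) < CARP_HEADER_LEN:
        raise ValueError("short CARP header: %d bytes" % len(payload))
    (vers_type, vhid, advskew, authlen, pad1, advbase, cksum,
     ctr_hi, ctr_lo) = struct.unpack("!BBBBBBHII", payload[:16])
    zeroed = payload[:6] + b"\x00\x00" + payload[8:CARP_HEADER_LEN]
    return {
        "version": vers_type >> 4,        # CARP_VERSION is 2
        "type": vers_type & 0x0F,         # 1 = CARP_ADVERTISEMENT
        "vhid": vhid,                     # 8 bits on the wire, so 256 arrives as 0
        "advskew": advskew,
        "authlen": authlen,               # 32-bit words of counter+digest (7)
        "pad1": pad1,                     # reserved in stock FreeBSD; the poster
                                          # says the pfSense kernel used it as "vhidx"
        "advbase": advbase,
        "interval_s": advbase + advskew / 256.0,
        "cksum": cksum,
        "cksum_ok": internet_checksum(zeroed) == cksum,
        "counter": (ctr_hi << 32) | ctr_lo,
        "digest": payload[16:CARP_HEADER_LEN].hex(),
    }


def carp_input_disposition(header, vhids_on_interface):
    """The acceptance test the thread describes from ip_carp.c: the packet counts
    as 'discarded for bad vhid' unless the receiving physical interface carries a
    CARP interface whose VHID equals the one in the packet.  Version and checksum
    are checked first; the HMAC check, which needs the shared password, is
    omitted here.  `vhids_on_interface` is an assumed set of configured VHIDs."""
    if header["version"] != 2 or header["type"] != 1:
        return "discarded: not a CARP v2 advertisement"
    if not header["cksum_ok"]:
        return "discarded: bad checksum"
    if header["vhid"] not in vhids_on_interface:
        return "discarded for bad vhid (vhid %d, interface has %s)" % (
            header["vhid"], sorted(vhids_on_interface) or "no carp interface")
    return "accepted"


if __name__ == "__main__":
    for label, raw in (("vhid=1", ADV_VHID_1), ("vhid=256", ADV_VHID_256)):
        h = parse_carp_header(raw)
        print(label, {k: h[k] for k in ("vhid", "advskew", "pad1", "advbase", "cksum_ok")})
        print("  ->", carp_input_disposition(h, {1}))
```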
Re: [pfSense Support] CARP support broken in kernel?
Hello,

Understood. The requested changes have been made and the result is the same. Please clarify exactly what statistics you need. Here is the complete output of netstat -ss:

#uptime; netstat -ss
12:28PM up 33 mins, 2 users, load averages: 0.23, 0.23, 0.11
tcp:
    14643 packets sent
        6316 data packets (2478656 bytes)
        433 data packets (375832 bytes) retransmitted
        25 data packets unnecessarily retransmitted
        7266 ack-only packets (0 delayed)
        85 window update packets
        552 control packets
    12769 packets received
        6093 acks (for 2483590 bytes)
        255 duplicate acks
        packets (2405848 bytes) received in-sequence
        1 out-of-order packet (0 bytes)
        11 window update packets
    193 connection requests
    205 connection accepts
    4 ignored RSTs in the windows
    396 connections established (including accepts)
    388 connections closed (including 17 drops)
        119 connections updated cached RTT on close
        128 connections updated cached RTT variance on close
        41 connections updated cached ssthresh on close
    2 embryonic connections dropped
    5376 segments updated rtt (of 5566 attempts)
    638 retransmit timeouts
        12 connections dropped by rexmit timeout
    2 keepalive timeouts
        2 connections dropped by keepalive
    1986 correct data packet header predictions
    205 syncache entries added
        5 retransmitted
        3 dropped
        205 completed
    208 cookies sent
    130 SACK options (SACK blocks) received
udp:
    2200 datagrams received
    173 dropped due to no socket
    589 broadcast/multicast datagrams undelivered
    1438 delivered
    11169 datagrams output
sctp:
    Packet drop statistics:
    Timeouts:
ip:
    68772 total packets received
    125 bad header checksums
    56439 packets for this host
    6 packets for unknown/unsupported protocol
    7670 packets forwarded
    150 packets not forwardable
    29848 packets sent from this host
    1182 output packets discarded due to no route
icmp:
    1544 calls to icmp_error
    Output histogram:
        echo reply: 56
        destination unreachable: 148
    Input histogram:
        echo reply: 1900
        echo: 56
    56 message responses generated
    ICMP address mask responses are disabled
igmp:
    509 messages received
    506 membership reports received
    503 membership reports received with invalid field(s)
    15 membership reports sent
ipsec:
ah:
esp:
ipcomp:
pim:
carp:
    17235 packets received (IPv4)
    17225 discarded for bad vhid
    12296 packets sent (IPv4)
pfsync:
    21776 packets received (IPv4)
    21768 packets discarded for bad interface
    12898 packets sent (IPv4)
arp:
    2381 ARP requests sent
    61 ARP replies sent
    3735 ARP requests received
    27 ARP replies received
    3762 ARP packets received
    2317 total packets dropped due to no ARP entry
    26 ARP entrys timed out
ip6:
    51 total packets received
    51 packets sent from this host
    Input histogram:
        ICMP6: 51
    Mbuf statistics:
        0 one mbuf
        51 one ext mbuf
        0 two or more ext mbuf
    Source addresses selection rule applied:
icmp6:
    Output histogram:
        neighbor solicitation: 12
        MLDv2 listener report: 37
    Histogram of error messages to be generated:
ipsec6:
rip6:
pfkey:
    2 requests sent from userland
    32 bytes sent from userland
    histogram by message type:
        flush: 1
        x_spdflush: 1
    2 requests sent to userland
    32 bytes sent to userland
    histogram by message type:
        flush: 1
        x_spdflush: 1

According to ip_carp.c this counter (discarded for bad vhid) is incremented each time the physical interface on which a CARP packet was received does not have any CARP interface associated with it, or if the VHIDs of the associated CARP interfaces do not include the VHID carried in the received packet. IMHO the problem could be in the binaries. Anyway, I've double-checked each VLAN interface on the router for CARP packets that could get onto the wrong one due to switch\pfSense interface misconfiguration, and there were no signs of such misconfiguration. Every CARP packet is getting right to its destination. Also there are intermittent CARP status changes, but not for all interfaces and without any logic.

On Fri, 10 Dec 2010 20:58:16 +0100, Ermal Luçi ermal.l...@gmail.com wrote:
> Can you please try this change: diff --git
[pfSense Support] CARP support broken in kernel?
Hello,

It seems like this question should be addressed to the pfSense kernel maintainer(s). I've two firewalls on 2.0-BETA4 with CARP enabled. Until the recent upgrade everything worked almost perfectly. Now both routers have all CARP devices in MASTER state.

Firewall 1:

vip6: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.199.1 netmask 0xff00
    carp: MASTER vhid 6 advbase 2 advskew 100
vip10: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.0.51 netmask 0xff00
    carp: MASTER vhid 10 advbase 2 advskew 100
vip12: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.253.252 netmask 0xff00
    carp: MASTER vhid 12 advbase 2 advskew 100

#netstat -ssp carp
carp:
    92555 packets received (IPv4)
    14 discarded for bad authentication
    9 discarded for bad vhid
    39869 packets sent (IPv4)

Firewall 2:

vip6: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.199.1 netmask 0xff00
    carp: MASTER vhid 6 advbase 1 advskew 0
vip10: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.0.51 netmask 0xff00
    carp: MASTER vhid 10 advbase 1 advskew 0
vip12: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.253.252 netmask 0xff00
    carp: MASTER vhid 12 advbase 1 advskew 0

#netstat -ssp carp
carp:
    39184 packets received (IPv4)
    1 discarded for bad authentication
    39074 discarded for bad vhid
    93005 packets sent (IPv4)

Here is a packet dump:

#tcpdump -nvei re0_vlan5 not tcp and not udp
tcpdump: listening on re0_vlan5, link-type EN10MB (Ethernet), capture size 96 bytes
20:28:26.227652 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 13532, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->a57a)!)
    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.75,40.102.130.17,242.232.0.66,58.203.185.41,64.96.187.4,114.121.226.49
20:28:26.723778 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 13772, offset 0, flags [DF], proto VRRP (112), length 56)
    192.168.0.53 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype #128, intvl 2s, length 36, addrs(7): 227.234.177.249,120.162.117.92,228.194.169.203,197.128.149.181,204.97.168.247,234.48.188.234,14.68.23.250
20:28:27.223192 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 57411, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->fa12)!)
    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.76,5.159.71.110,98.90.217.70,117.200.253.191,117.207.179.185,132.131.241.197
20:28:28.218741 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 26425, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->731d)!)
    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.77,156.42.80.119,212.10.43.254,52.127.252.175,13.193.236.116,250.186.146.126
20:28:29.115843 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 17830, offset 0, flags [DF], proto VRRP (112), length 56)
    192.168.0.53 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype #128, intvl 2s, length 36, addrs(7): 227.234.177.249,120.162.117.93,134.208.204.108,14.90.209.13,71.169.61.99,222.84.234.186,206.168.118.252
20:28:29.214280 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 20580, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->89f2)!)
    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.78,152.171.173.48,92.93.224.15,236.101.105.252,83.24.68.20,227.104.66.63

The overall picture is the same as it was before the upgrade, except that each machine now ignores the other's CARP packets. Did someone make changes in the FreeBSD CARP subsystem?

--
Thanks,
St41ker.
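Added example, not code from the thread or from pfSense/FreeBSD: the following Python decodes a CARP advertisement built from the tcpdump line above for 192.168.0.52, shows why tcpdump labels the fields as VRRP (CARP shares IP protocol 112), reproduces the receive-side vhid lookup that the follow-up in this thread traces to ip_carp.c ("discarded for bad vhid"), and applies the advbase/advskew election to the two firewalls' settings. The header layout, the authlen of 7 words and the interval rule are my reading of ip_carp.c and ip_carp.h; the function names are mine, the HMAC bytes are sample data, and the HMAC verification behind "discarded for bad authentication" is omitted because it needs the shared key.

```python
import socket
import struct

# Constructed from the page's tcpdump line for 192.168.0.52 (vhid 10, advbase 1,
# advskew 0): the seven "addresses" tcpdump printed are the 8-byte counter followed
# by the 20-byte HMAC-SHA1 of the real advertisement (HMAC bytes are sample data).
TCPDUMP_ADDRS = ("227.234.177.249,120.162.118.75,40.102.130.17,242.232.0.66,"
                 "58.203.185.41,64.96.187.4,114.121.226.49")

CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_AUTHLEN_WORDS = 7      # counter (2 words) + HMAC-SHA1 (5 words), as ip_carp.c sends
IPPROTO_CARP = 112          # shared with VRRP, which is why tcpdump says "VRRPv2"

# Wire header (ip_carp.h): version/type, vhid, advskew, authlen, demote, advbase, cksum.
HDR = struct.Struct("!BBBBBBH")


def in_cksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a good packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vhid, advbase, advskew, demote, tail_addrs):
    """Assemble a CARP advertisement as it sits on the wire (constructed sample).
    Byte 4 is carp_demote in OpenBSD's layout; it read 128 in the page's dump."""
    tail = b"".join(socket.inet_aton(a) for a in tail_addrs.split(","))
    if len(tail) != 4 * CARP_AUTHLEN_WORDS:
        raise ValueError("counter + HMAC must be %d words" % CARP_AUTHLEN_WORDS)
    hdr = HDR.pack((CARP_VERSION << 4) | CARP_ADVERTISEMENT, vhid, advskew,
                   CARP_AUTHLEN_WORDS, demote, advbase, 0)
    pkt = bytearray(hdr + tail)
    struct.pack_into("!H", pkt, 6, in_cksum(bytes(pkt)))
    return bytes(pkt)


def parse_advertisement(pkt):
    """Decode the fields tcpdump mislabels as VRRP: vrid->vhid, prio->advskew,
    addrs(n)->authlen, authtype->demote byte, intvl->advbase."""
    vt, vhid, advskew, authlen, demote, advbase, _cksum = HDR.unpack_from(pkt)
    counter = struct.unpack_from("!Q", pkt, HDR.size)[0]
    return {"version": vt >> 4, "type": vt & 0xF, "vhid": vhid, "advskew": advskew,
            "authlen": authlen, "demote": demote, "advbase": advbase,
            "length": len(pkt), "cksum_ok": in_cksum(pkt) == 0,
            "counter": counter, "md": pkt[HDR.size + 8:HDR.size + 28]}


def as_tcpdump_vrrp(ad):
    """Render the decoded fields the way tcpdump's VRRP printer labels them."""
    return ("VRRPv2, Advertisement, vrid %d, prio %d, authtype #%d, intvl %ds, "
            "length %d, addrs(%d)" % (ad["vhid"], ad["advskew"], ad["demote"],
                                       ad["advbase"], ad["length"], ad["authlen"]))


def classify(pkt, local_vhids):
    """Mirror the receive-side checks that feed the netstat counters: version/type,
    checksum, then whether a CARP interface on this physical interface owns the vhid.
    The HMAC check ("discarded for bad authentication") would follow and needs the key."""
    ad = parse_advertisement(pkt)
    if ad["version"] != CARP_VERSION or ad["type"] != CARP_ADVERTISEMENT:
        return "discarded for bad version"
    if not ad["cksum_ok"]:
        return "discarded for bad checksum"
    if ad["vhid"] not in local_vhids:
        return "discarded for bad vhid"
    return "accepted"


def advertisement_interval(advbase, advskew):
    """Effective interval in seconds, advbase + advskew/256; the lower value wins."""
    return advbase + advskew / 256.0


def expected_state(my_advbase, my_advskew, peer_advbase, peer_advskew):
    """What a MASTER should do on hearing a peer's advertisement for its vhid:
    yield (BACKUP) if the peer advertises more often, otherwise stay MASTER."""
    mine = advertisement_interval(my_advbase, my_advskew)
    peer = advertisement_interval(peer_advbase, peer_advskew)
    return "BACKUP" if peer < mine else "MASTER"


def carp_mac(vhid):
    """The crafted source MAC CARP uses, 00:00:5e:00:01:<vhid>; the page's dump
    shows 00:00:5e:00:01:0a for vhid 10, which a hypervisor that only passes the
    VM's own MAC will drop (the Hyper-V R2 "MAC address spoofing" thread)."""
    return "00:00:5e:00:01:%02x" % vhid


if __name__ == "__main__":
    pkt = build_advertisement(10, 1, 0, 128, TCPDUMP_ADDRS)
    ad = parse_advertisement(pkt)
    print(as_tcpdump_vrrp(ad))
    # Firewall 1 (advbase 2, advskew 100) hearing Firewall 2 (advbase 1, advskew 0):
    print("receiver with vhids {6,10,12}:", classify(pkt, {6, 10, 12}),
          "->", expected_state(2, 100, ad["advbase"], ad["advskew"]))
    # The report's case: the vhid lookup fails, so the election never happens.
    print("receiver with no vhid 10:", classify(pkt, {6, 12}))
    print("source MAC for vhid 10:", carp_mac(10))
```

The counter word 120.162.118.75 in the dump advances by one per advertisement (.75, .76, .77, .78 from .52), which is how a receiver rejects replayed advertisements once the HMAC checks out.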
Re: [pfSense Support] CARP support broken in kernel?
Can you please try this change: diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 0a8316b..7bece74 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize 
@@ -66,7 +66,7 @@ function backup_vip_config_section() { } if($section['advbase'] ) { $section_val = intval($section['advbase']); - $section_val=$section_val+1; + $section_val=$section_val; if($section_val 255) $section_val = 255; $section['advbase'] = $section_val; I would like to see even some statistics of your interfaces. On Fri, Dec 10, 2010 at 7:38 PM, st41...@st41ker.net wrote: Hello, It seems like this question should be addressed to the pfSense kernel maintainer(s). I've two firewalls on 2.0-BETA4 with CARP enabled. Until the recent upgrade everything worked almost perfect. Now both routers got all CARP devices in MASTER state. Firewall 1: vip6: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.199.1 netmask 0xff00 carp: MASTER vhid 6 advbase 2 advskew 100 vip10: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.0.51 netmask 0xff00 carp: MASTER vhid 10 advbase 2 advskew 100 vip12: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.253.252 netmask 0xff00 carp: MASTER vhid 12 advbase 2 advskew 100 #netstat -ssp carp carp: 92555 packets received (IPv4) 14 discarded for bad authentication 9 discarded for bad vhid 39869 packets sent (IPv4) Firewall 2: vip6: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.199.1 netmask 0xff00 carp: MASTER vhid 6 advbase 1 advskew 0 vip10: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.0.51 netmask 0xff00 carp: MASTER vhid 10 advbase 1 advskew 0 vip12: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 192.168.253.252 netmask 0xff00 carp: MASTER vhid 12 advbase 1 advskew 0 #netstat -ssp carp carp: 39184 packets received (IPv4) 1 discarded for bad authentication 39074 discarded for bad vhid 93005 packets sent (IPv4) Here is a packet dump: #tcpdump -nvei re0_vlan5 not tcp and not udp tcpdump: listening on re0_vlan5, link-type EN10MB (Ethernet), capture size 96 bytes 20:28:26.227652 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 13532, 
offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (-a57a)!) 192.168.0.52 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.75,40.102.130.17,242.232.0.66,58.203.185.41,64.96.187.4,114.121.226.49 20:28:26.723778 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 13772, offset 0, flags [DF], proto VRRP (112), length 56) 192.168.0.53 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype #128, intvl 2s, length 36, addrs(7): 227.234.177.249,120.162.117.92,228.194.169.203,197.128.149.181,204.97.168.247,234.48.188.234,14.68.23.250 20:28:27.223192 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 57411, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (-fa12)!) 192.168.0.52 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.76,5.159.71.110,98.90.217.70,117.200.253.191,117.207.179.185,132.131.241.197 20:28:28.218741 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 26425, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (-731d)!) 
192.168.0.52 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.77,156.42.80.119,212.10.43.254,52.127.252.175,13.193.236.116,250.186.146.126 20:28:29.115843 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 17830, offset 0, flags [DF], proto VRRP (112), length 56) 192.168.0.53 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype #128, intvl 2s, length 36, addrs(7): 227.234.177.249,120.162.117.93,134.208.204.108,14.90.209.13,71.169.61.99,222.84.234.186,206.168.118.252 20:28:29.214280 00:00:5e:00:01:0a 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: (tos 0x10, ttl 255, id 20580, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (-89f2)!) 192.168.0.52 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype #128, intvl 1s, length 36, addrs(7): 227.234.177.249,120.162.118.78,152.171.173.48,92.93.224.15,236.101.105.252,83.24.68.20,227.104.66.63 Overall picture is the
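Review bot: the replacement line `+ $section_val=$section_val;` is a self-assignment that does nothing, so the hunk's real effect is to stop adding 1 to advbase when the VIP section is sent to the backup; if that is the intent, delete the line outright rather than leave a no-op, and note that the clamp on the next line, `if($section_val 255) $section_val = 255;`, then only matters when the configured advbase itself exceeds 255 (its comparison operator is also missing as rendered here, so the snippet as shown would not parse). The change needs a note, in the commit message or a comment, on how master and backup are meant to differ once both carry the same advbase, since the reporter's Firewall 1 shows advbase 2 / advskew 100 against Firewall 2's advbase 1 / advskew 0; the reporter's dominant counter is "discarded for bad vhid", which advbase does not influence, so this change by itself is unlikely to explain that symptom.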
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
> On Mon, Nov 15, 2010 at 9:57 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
>> I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.
>
> I'm sure that's exactly the problem, something in hyper-v changed to block/break that. Better to ask on a Microsoft forum why you can no longer use two MAC addresses on the same host.

For what it's worth, I figured this out a few days back thanks to Evgeny's hint. On the virtual NICs on the Virtual Machine itself in Hyper-V R2, there is a checkbox labeled Allow MAC Address Spoofing (or something close to that). Checking that box allows the CARP addresses to work fine.
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
> On 10-11-15 09:22 PM, Dimitri Rodis wrote:
>> I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.
>>
>> Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?
>>
>> Thanks,
>> Dimitri Rodis
>> Integrita Systems LLC
>> http://www.integritasystems.com
>
> I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.
> Weird thing though in your e-mail is that you mention only one virtual machine... do you use CARP-IPs with one pfSense? if yes then why would you need such set up?
>
> Evgeny.

I have several public IPs from the ISP, and need to use each of them for different purposes (SSL/TCP-443 for different sites services). I use CARP addresses for the rest of the IPs I've been given-then if I get the opportunity to add redundancy, they are already set up that way. Obviously the point is that the additional CARP addresses don't seem to function at all when pfSense is run under Hyper-V R2 as opposed to Hyper-V R1, and I am hoping to resolve that issue so that the old server can be formatted and upgraded and added to the cluster.

FWIW, both hosts are Dell PowerEdge 2900s *identically* configured, with the only exception currently being the amount of RAM,
Re: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
On 10-11-16 12:19 PM, Dimitri Rodis wrote:
>> On 10-11-15 09:22 PM, Dimitri Rodis wrote:
>>> I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.
>>>
>>> Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?
>>>
>>> Thanks,
>>> Dimitri Rodis
>>> Integrita Systems LLC
>>> http://www.integritasystems.com
>>
>> I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.
>> Weird thing though in your e-mail is that you mention only one virtual machine... do you use CARP-IPs with one pfSense? if yes then why would you need such set up?
>>
>> Evgeny.
>
> I have several public IPs from the ISP, and need to use each of them for different purposes (SSL/TCP-443 for different sites services). I use CARP addresses for the rest of the IPs I've been given---then if I get the opportunity to add redundancy, they are already set up that way. Obviously the point is that the additional CARP addresses don't seem to function at all when pfSense is run under Hyper-V R2 as opposed to Hyper-V R1, and I am hoping to resolve that issue so that the old server can be formatted and upgraded and added to the cluster..
>
> FWIW, both hosts are Dell PowerEdge 2900s **identically** configured, with the only exception currently being the of the amount of RAM,

It should be pretty easy to check. Under Hyper-V R2 do tcpdump and see whether packets with CARP IPs leave your virtual machine and physical host. And if you do not see them coming out of physical interface then this question should be addressed to Hyper-V community.

Evgeny.
Re: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
On Mon, Nov 15, 2010 at 9:57 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.

I'm sure that's exactly the problem, something in hyper-v changed to block/break that. Better to ask on a Microsoft forum why you can no longer use two MAC addresses on the same host.
[pfSense Support] CARP IP/Hyper-V/Hyper-V R2
I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.

Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?

Thanks,
Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
Re: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
On 10-11-15 09:22 PM, Dimitri Rodis wrote:
> I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.
>
> Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?
>
> Thanks,
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com

I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.
Weird thing though in your e-mail is that you mention only one virtual machine... do you use CARP-IPs with one pfSense? if yes then why would you need such set up?

Evgeny.
[pfSense Support] carp with bridge
We desire to add carp to our current pfsense firewall
Purchased a second server for the slave/secondary
Currently bridging the WAN/Opt(Servers) interfaces on the master/primary
Using pfsense 1.2.3
Looking for howto links and any other info

TIA
--
Gerald
Re: [pfSense Support] carp with bridge
On 10/28/2010 12:25 PM, Gerald Waugh wrote:
> We desire to add carp to our current pfsense firewall
> Purchased a second server for the slave/secondary
> Currently bridging the WAN/Opt(Servers) interfaces on the master/primary
> Using pfsense 1.2.3
> Looking for howto links and any other info

I can tell you from experience that it is ugly, a mess, and likely to not work at all, possibly resulting in a hardware lock on both 1.2.3 and 2.0. Route, don't bridge, and it's perfect.

http://redmine.pfsense.org/issues/910

Jim
Re: [pfSense Support] carp with bridge
On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
> We use bridging as the pfsense machine firewalls servers with public IP addresses. Clues on how to accomplish with routing appreciated.

You have a public subnet from your ISP, 1.1.1.0/24, for example.
You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example.
Your ISP has to route your subnet to your static IP.

On pfsense:
WAN is 2.2.2.1
LAN is 1.1.1.1/24
dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254

Did I understand your question correctly? Or is this somehow more complicated when carp is involved?

db
Re: [pfSense Support] carp with bridge
On Thu, 2010-10-28 at 11:43 -0600, David Burgess wrote:
> On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>> We use bridging as the pfsense machine firewalls servers with public IP addresses. Clues on how to accomplish with routing appreciated.
>
> You have a public subnet from your ISP, 1.1.1.0/24, for example.
> You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example.
> Your ISP has to route your subnet to your static IP.
>
> On pfsense:
> WAN is 2.2.2.1
> LAN is 1.1.1.1/24
> dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
>
> Did I understand your question correctly? Or is this somehow more complicated when carp is involved?

Thinking ...

Gerald
Re: [pfSense Support] carp with bridge
On 10/28/2010 1:43 PM, David Burgess wrote:
> On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>> We use bridging as the pfsense machine firewalls servers with public IP addresses. Clues on how to accomplish with routing appreciated.
>
> You have a public subnet from your ISP, 1.1.1.0/24, for example.
> You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example.
> Your ISP has to route your subnet to your static IP.
>
> On pfsense:
> WAN is 2.2.2.1
> LAN is 1.1.1.1/24
> dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
>
> Did I understand your question correctly? Or is this somehow more complicated when carp is involved?

Close. You just need at least a /29 on the WAN side so you have enough IPs for CARP - one for each box and the shared IP. The other subnet is routed to the shared CARP IP.

On the internal side, one IP out of your block is for CARP on your LAN/OPT interface, and again one for each box. Items in the internal side use the shared CARP IP as their gateway.

Jim
Re: [pfSense Support] carp with bridge
On Thu, 2010-10-28 at 14:34 -0400, Jim Pingle wrote:
> On 10/28/2010 1:43 PM, David Burgess wrote:
>> On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
>>> We use bridging as the pfsense machine firewalls servers with public IP addresses. Clues on how to accomplish with routing appreciated.
>>
>> You have a public subnet from your ISP, 1.1.1.0/24, for example.
>> You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example.
>> Your ISP has to route your subnet to your static IP.
>>
>> On pfsense:
>> WAN is 2.2.2.1
>> LAN is 1.1.1.1/24
>> dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
>>
>> Did I understand your question correctly? Or is this somehow more complicated when carp is involved?
>
> Close. You just need at least a /29 on the WAN side so you have enough IPs for CARP - one for each box and the shared IP. The other subnet is routed to the shared CARP IP.
>
> On the internal side, one IP out of your block is for CARP on your LAN/OPT interface, and again one for each box. Items in the internal side use the shared CARP IP as their gateway.

Appears to be ongoing expense to have to get another subnet from ISP. We have a /24 now and the servers use this, We use bridging to get them through the pfsense firewall, and works great. Just looking for the redundancy carp provides.

Gerald
Re: [pfSense Support] carp with bridge
On 10/28/2010 3:22 PM, Gerald Waugh wrote:
> Appears to be ongoing expense to have to get another subnet from ISP. We have a /24 now and the servers use this, We use bridging to get them through the pfsense firewall, and works great. Just looking for the redundancy carp provides.

Yes, but the headaches involved with doing a redundant bridging scenario are not worth the effort. If it works at all, it requires special handling on the switches (having to change STP port costs and priorities) and/or having special scripts on each box to enable or disable the bridge for failover actions.

But if you want to try it, go ahead, just remember you were warned. :-)

I ran a bridged CARP setup for 2+ years and I would never do it again. I have zero regrets about converting it to a routed setup.

Jim
Re: [pfSense Support] CARP between pfSenses (server embedded) - is it possible
On Wed, Oct 27, 2010 at 5:27 AM, Michel Servaes mic...@mcmc.be wrote:
> Hi, I was wondering, if I have a fully installed pfSense on a real server platform... it would be possible to add an Alix-embedded as backup ?

I've set that up before, works fine.

> I read that when using multiple WAN interfaces, CARP isn't behaving well... on a 1.2.3 platform... true to be cautious, or true to indeed have issues ?

Not true.
[pfSense Support] CARP ip on different network range
Hi,

I've an internet connection on which my ISP provides a /29 network, just one IP for my pfSense (1.2.1) box and one IP for their gateway. I'd like to set up this IP as CARP and be shared with the second pfSense box I have, but as far as I understand, in order to have this IP address as CARP I must set up another two IPs on **the same range** the CARP IP is. But I don't have more real IPs.

What is your recommendation in this situation?

Thanks for your help.
Re: [pfSense Support] CARP ip on different network range
Matias wrote:
> Hi, I've an internet connection on which my ISP provides a /29 network, just one IP for my pfSense (1.2.1) box and on ip for their gateway. I'd like to set up this IP as CARP and be shared with the second pfSense box I have, but as far as I understand, in order to have this IP address as CARP I must set up another two IPs on **the same range** the CARP IP is.But I don't have more real IPs. What is your recommendation in this situation? Thanks for your help.

/29 gives you 6 usable IPs.
pfSense-1
pfSense-2
Gateway
and you can configure 3 CARPs.

Evgeny.
RE: [pfSense Support] CARP and NAT problems
If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all addresses (and port forwards) that you intend to survive a failover must be on CARP addresses.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Justin The Cynical [mailto:cyni...@penguinness.org]
Sent: Sunday, May 30, 2010 10:56 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP and NAT problems

Greetings.

I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.

WAN IP range: .65 - .96
.66 - .68 are setup as CARP
.65 and .69 are the WAN interfaces
Port forwards on .65 and .69

The problem:

When this was a single machine, I had port forwards set up on all the IP's, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.

Take a port forward from .65 to internal address (master)
Take a port forward from .69 to internal address (backup)

The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

And since I don't have the WAN addresses as a VIP, this also breaks AON for the mentioned IP's.

Last time I looked, I was told that the WAN addresses were useable for IB/OB NAT, but it appears this is not the case, or I'm missing something.

Any suggestions on where to look or any words of wisdom?

Thank you,
Justin
Re: [pfSense Support] CARP and NAT problems
On Mon, May 31, 2010 at 1:56 AM, Justin The Cynical cyni...@penguinness.org wrote:
> Greetings.
>
> I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.
>
> WAN IP range: .65 - .96
> .66 - .68 are setup as CARP
> .65 and .69 are the WAN interfaces
> Port forwards on .65 and .69
>
> The problem:
>
> When this was a single machine, I had port forwards set up on all the IP's, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.
>
> Take a port forward from .65 to internal address (master)
> Take a port forward from .69 to internal address (backup)
>
> The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

That's just how it works. WAN addresses are usable, but only when that particular box is the master.
Re: [pfSense Support] CARP and NAT problems
On 5/31/10 1:43 PM, Dimitri Rodis wrote:
> If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all addresses (and port forwards) that you intend to survive a failover must be on CARP addresses.
>
> Dimitri Rodis
> Integrita Systems LLC

Yes, I expected the WAN address forwards to not fail over, and had planned on that. What I did not expect was to have the forwards on the non-active machine not work. Once it became the active machine, they worked, then stopped once the master came back up and took back over.

If it matters, one machine was running pfs 1.2.2 and the other 1.2.3; nothing in what I have found indicates that it does.
Re: [pfSense Support] CARP and NAT problems
On 5/31/10 1:58 PM, Chris Buechler wrote:
> *snip*
>> The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.
>
> That's just how it works. WAN addresses are usable, but only when that particular box is the master.

Ah, OK, I was given to understand that they were usable all the time as were the CARP addresses, they were just not redundant.

Thank you, that's what I was needing to know.
Re: [pfSense Support] CARP and NAT problems
On Mon, May 31, 2010 at 5:49 PM, Justin The Cynical <cyni...@penguinness.org> wrote:
> On 5/31/10 1:58 PM, Chris Buechler wrote:
>> *snip*
>>> The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.
>>
>> That's just how it works. WAN addresses are usable, but only when that particular box is the master.
>
> Ah, OK, I was given to understand that they were usable all the time as were the CARP addresses, they were just not redundant.
>
> Thank you, that's what I was needing to know.

With one caveat - if you forward something off the WAN IP of the secondary to an internal host, and set that internal host's default gateway to the LAN IP (not CARP) of the secondary, it will work. The problem with that not working in a normal scenario is because the reply traffic goes to the wrong firewall. You really don't want to do that though, gets to be a real mess.
[pfSense Support] CARP and NAT problems
Greetings.

I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.

WAN IP range: .65 - .96
.66 - .68 are set up as CARP
.65 and .69 are the WAN interfaces
Port forwards on .65 and .69

The problem:

When this was a single machine, I had port forwards set up on all the IP's, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.

Take a port forward from .65 to internal address (master)
Take a port forward from .69 to internal address (backup)

The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

And since I don't have the WAN addresses as a VIP, this also breaks AON for the mentioned IP's.

Last time I looked, I was told that the WAN addresses were usable for IB/OB NAT, but it appears this is not the case, or I'm missing something.

Any suggestions on where to look or any words of wisdom?

Thank you,
Justin
Re: [pfSense Support] CARP and BGP
Aarno Aukia wrote:
> Hello,
>
> On Sat, Nov 14, 2009 at 03:36, Chris Buechler <cbuech...@gmail.com> wrote:
>> On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley <gl...@typo3usa.com> wrote:
>>> Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private ip addresses ?
>>
>> CARP doesn't push private IPs, not sure what you mean by that, but it can work just the same as anything with public IPs. Though there are likely complications related to the BGP package in combination with CARP. Haven't tried it personally, not sure.
>
> It works fine, you have to configure openbgpd to use the carp-address using local-address. You will still have a short interruption of service until the backup bgpd resyncs the session, but it is a lot faster than to manually reconfigure the routers... We have this running in production, feel free to contact me off-list for details.
>
> Regards,
> Aarno

Could you explain how it works please? I have no questions about the active (CARP) one, but what about the passive? bgpd on the passive one will be continuously trying to connect to the peer... using what source IP?

Thanks,
Evgeny.
Re: [pfSense Support] CARP and BGP
Hello Evgeny,

On Mon, Nov 16, 2009 at 17:31, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
> Could you explain how it works please? I have no questions about the active (CARP) one, but what about the passive? bgpd on the passive one will be continuously trying to connect to the peer... using what source IP?

The key is to use "local-address <carp address>" and "depend-on carpX". This way the backup bgpd only starts connecting when carp has failed over (when the carp interface becomes active), using the carp address. Beware of asymmetric routing though if not using pfsync...

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
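As an added illustration of the approach Aarno describes (this is not a configuration from the thread or from the pfSense package; it is written as a raw OpenBGPD bgpd.conf stanza, and the AS numbers, addresses and interface name are placeholders), the same file can be carried on both cluster members because the session is sourced from the shared CARP address rather than either node's own WAN address:

```conf
# bgpd.conf, added example with placeholder values (RFC 5737 addresses, private ASNs)
AS 65001                     # placeholder: our AS
router-id 192.0.2.2          # placeholder: a stable router-id

# Identical on the master and the backup. The peer only ever sees one
# neighbor address, the CARP VIP, so it needs no special configuration.
neighbor 192.0.2.1 {         # placeholder: upstream peer
    descr "upstream"
    remote-as 65000          # placeholder: peer's AS
    local-address 192.0.2.10 # the CARP VIP, not this node's own WAN address
    depend on carp0          # session stays idle until this CARP interface is MASTER
}
```

The "depend on" line is what keeps the backup's bgpd from endlessly retrying the peer from an address it does not yet own; without pfsync the new master still starts with an empty state table, which is the asymmetric-routing caveat Aarno raises.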
Re: [pfSense Support] CARP and BGP
Hello,

On Sat, Nov 14, 2009 at 03:36, Chris Buechler <cbuech...@gmail.com> wrote:
> On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley <gl...@typo3usa.com> wrote:
>> Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private ip addresses ?
>
> CARP doesn't push private IPs, not sure what you mean by that, but it can work just the same as anything with public IPs. Though there are likely complications related to the BGP package in combination with CARP. Haven't tried it personally, not sure.

It works fine, you have to configure openbgpd to use the carp-address using local-address. You will still have a short interruption of service until the backup bgpd resyncs the session, but it is a lot faster than to manually reconfigure the routers... We have this running in production, feel free to contact me off-list for details.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] CARP and BGP
On Sat, Nov 14, 2009 at 4:53 AM, Aarno Aukia <aarnoau...@gmail.com> wrote:
> We have this running in production, feel free to contact me off-list for details.

Can people contribute these sample configurations for "how do I X" to the wiki? Having a lot of recipes on how to accomplish various scenarios is key to increasing adoption of the platform, and helps the project community grow and become stronger.
Re: [pfSense Support] CARP switchover to backup because of high traffic
Evgeny Yurchenko wrote:
> Jim Pingle wrote:
>> Evgeny Yurchenko wrote:
>>> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.
>>
>> When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier.
>>
>> I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).
>
> Again hit the same situation on production firewall. All carp interfaces show "carp: BACKUP vhid xxx advbase 1 advskew 0" like this:
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
>         inet 10.0.0.244 netmask 0xff00
>         carp: BACKUP vhid 100 advbase 1 advskew 0
>
> On all interfaces I see only the partner's packets, like this:
>
> # tcpdump -ni vlan1 vrrp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vlan1, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:11:39.871724 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:41.264295 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:42.656753 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:44.049203 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:45.441655 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:46.834109 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> ^C
> # sysctl net.inet.ip.intr_queue_drops
> net.inet.ip.intr_queue_drops: 0
>
> but now there is no load. If anybody can give any advice I can keep this situation for some time as it is after business hours Friday.
>
> Thanks,
> Evgeny.

One more time on a different pfSense cluster. If I pay for support would somebody be able to login and see what is going on here?

Thanks.
Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
> If I pay for support would somebody be able to login and see what is going on here?

Sure, absolutely.
Re: [pfSense Support] CARP switchover to backup because of high traffic
Chris Buechler wrote:
> On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
>> If I pay for support would somebody be able to login and see what is going on here?
>
> Sure, absolutely.

BTW https://portal.pfsense.org/index.php/subscribe-for-access does not look nice in IE.
Re: [pfSense Support] CARP switchover to backup because of high traffic
Chris Buechler wrote:
> On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
>> If I pay for support would somebody be able to login and see what is going on here?
>
> Sure, absolutely.

Paid. Should we proceed off list?

Thanks.
[pfSense Support] CARP and BGP
Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private ip addresses ?
Re: [pfSense Support] CARP and BGP
On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley <gl...@typo3usa.com> wrote:
> Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private ip addresses ?

CARP doesn't push private IPs, not sure what you mean by that, but it can work just the same as anything with public IPs. Though there are likely complications related to the BGP package in combination with CARP. Haven't tried it personally, not sure.
Re: [pfSense Support] CARP with captive portal
Might be a long shot, but check your subnet mask for the CARP. I've seen odd things happen when that is not correct.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Mon, Oct 19, 2009 at 9:33 AM, Roberto Greiner <mrgrei...@gmail.com> wrote:
> Hi, no one with ideas about this?
>
> Roberto
>
> Roberto Greiner wrote:
>> Hi,
>>
>> I'm having trouble making captive portal and CARP work together. I've set CARP to use the WAN interface for synchronization, and it works fine. Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out (stops pinging), and the whole setup stops working.
>>
>> I've tried adding the LAN MAC address of the stations on the Pass-through MAC page (added MAC address of both servers), but it didn't work. Also tried the same for IP. The moment I disable captive portal, CARP immediately works again.
>>
>> Any ideas of what I should do to make Captive Portal and CARP work together?
>>
>> Tks,
>> Roberto Greiner
>
> --
> Marcos Roberto Greiner
>
> The optimists think we live in the best of all worlds
> The pessimists are afraid that this is true
> James Branch Cabell
Re: [pfSense Support] CARP with captive portal
On Fri, Oct 16, 2009 at 6:21 PM, Roberto Greiner <mrgrei...@gmail.com> wrote:
> Hi,
>
> I'm having trouble making captive portal and CARP work together. I've set CARP to use the WAN interface for synchronization, and it works fine. Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out (stops pinging), and the whole setup stops working.
>
> I've tried adding the LAN MAC address of the stations on the Pass-through MAC page (added MAC address of both servers), but it didn't work. Also tried the same for IP. The moment I disable captive portal, CARP immediately works again.
>
> Any ideas of what I should do to make Captive Portal and CARP work together?

Without modification NO. Please open a bug report on redmine.pfsense.org so I can fix this for 2.0. Do not forget to assign it to me.

> Tks,
> Roberto Greiner
>
> --
> Marcos Roberto Greiner
>
> The optimists think we live in the best of all worlds
> The pessimists are afraid that this is true
> James Branch Cabell

--
Ermal
Re: [pfSense Support] CARP with captive portal
Ermal Luçi wrote:
> On Fri, Oct 16, 2009 at 6:21 PM, Roberto Greiner <mrgrei...@gmail.com> wrote:
>> Hi,
>>
>> I'm having trouble making captive portal and CARP work together. I've set CARP to use the WAN interface for synchronization, and it works fine. Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out (stops pinging), and the whole setup stops working.
>>
>> I've tried adding the LAN MAC address of the stations on the Pass-through MAC page (added MAC address of both servers), but it didn't work. Also tried the same for IP. The moment I disable captive portal, CARP immediately works again.
>>
>> Any ideas of what I should do to make Captive Portal and CARP work together?
>
> Without modification NO. Please open a bug report on redmine.pfsense.org so I can fix this for 2.0. Do not forget to assign it to me.

Ok. I've created the bug report.

Tks.
Roberto

--
Marcos Roberto Greiner

The optimists think we live in the best of all worlds
The pessimists are afraid that this is true
James Branch Cabell
[pfSense Support] CARP with captive portal
Hi,

I'm having trouble making captive portal and CARP work together. I've set CARP to use the WAN interface for synchronization, and it works fine. Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out (stops pinging), and the whole setup stops working.

I've tried adding the LAN MAC address of the stations on the Pass-through MAC page (added MAC address of both servers), but it didn't work. Also tried the same for IP. The moment I disable captive portal, CARP immediately works again.

Any ideas of what I should do to make Captive Portal and CARP work together?

Tks,
Roberto Greiner

--
Marcos Roberto Greiner

The optimists think we live in the best of all worlds
The pessimists are afraid that this is true
James Branch Cabell
Re: [pfSense Support] CARP switchover to backup because of high traffic
Jim Pingle wrote:
> Evgeny Yurchenko wrote:
>> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.
>
> When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier.
>
> I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).

Again hit the same situation on production firewall. All carp interfaces show "carp: BACKUP vhid xxx advbase 1 advskew 0" like this:

carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.0.0.244 netmask 0xff00
        carp: BACKUP vhid 100 advbase 1 advskew 0

On all interfaces I see only the partner's packets, like this:

# tcpdump -ni vlan1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1, link-type EN10MB (Ethernet), capture size 96 bytes
19:11:39.871724 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:41.264295 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:42.656753 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:44.049203 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:45.441655 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:46.834109 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
^C
# sysctl net.inet.ip.intr_queue_drops
net.inet.ip.intr_queue_drops: 0

but now there is no load. If anybody can give any advice I can keep this situation for some time as it is after business hours Friday.

Thanks,
Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On 07/10/09 18:47, Evgeny Yurchenko wrote:
> Has anybody noticed this behavior? The simplest set up: two pfSenses with LAN, WAN and CARP on both interfaces (with separate interface for SYNC). When there is little traffic active pfSense sends CARP packets with priority 0 every second, everything is ok. Gradually increasing traffic you reach the point when active pfSense starts sending CARP packets not regularly: 1.5, 2, 3 seconds and finally stops sending them completely. Of course at this point backup pfSense kicks in. When you remove traffic former active pfSense does not restore its active role (does not send any CARP packets).

what's the CPU load at that time, and how full is the state table?
Re: [pfSense Support] CARP switchover to backup because of high traffic
Paul Mansfield wrote:
> On 07/10/09 18:47, Evgeny Yurchenko wrote:
>> Has anybody noticed this behavior? The simplest set up: two pfSenses with LAN, WAN and CARP on both interfaces (with separate interface for SYNC). When there is little traffic active pfSense sends CARP packets with priority 0 every second, everything is ok. Gradually increasing traffic you reach the point when active pfSense starts sending CARP packets not regularly: 1.5, 2, 3 seconds and finally stops sending them completely. Of course at this point backup pfSense kicks in. When you remove traffic former active pfSense does not restore its active role (does not send any CARP packets).
>
> what's the CPU load at that time, and how full is the state table?

Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.

Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.
>
> Evgeny.

I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its heartbeats then it's doing what it is designed to do.

Probably not what you want to hear but I would look at the hardware closer, interrupts, etc.

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Scott Ullrich wrote:
> On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
>> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.
>>
>> Evgeny.
>
> I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its heartbeats then it's doing what it is designed to do.
>
> Probably not what you want to hear but I would look at the hardware closer, interrupts, etc.
>
> Scott

Thanks I will. 20 Mbit/s is nothing though...

Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
> Thanks I will. 20 Mbit/s is nothing though...

I agree but you failed to mention how much traffic you are pushing.

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Scott Ullrich wrote:
> On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
>> Thanks I will. 20 Mbit/s is nothing though...
>
> I agree but you failed to mention how much traffic you are pushing.
>
> Scott

Yes, sorry. It was about 100Mb/s
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 12:51 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
> Yes, sorry. It was about 100Mb/s

During heavy load what does this sysctl show?

sysctl net.inet.ip.intr_queue_drops

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Evgeny Yurchenko wrote:
> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.

When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier.

I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).
[pfSense Support] CARP switchover to backup because of high traffic
Has anybody noticed this behavior? The simplest set up: two pfSenses with LAN, WAN and CARP on both interfaces (with separate interface for SYNC). When there is little traffic active pfSense sends CARP packets with priority 0 every second, everything is ok. Gradually increasing traffic you reach the point when active pfSense starts sending CARP packets not regularly: 1.5, 2, 3 seconds and finally stops sending them completely. Of course at this point backup pfSense kicks in. When you remove traffic former active pfSense does not restore its active role (does not send any CARP packets).

Evgeny.
[pfSense Support] CARP and OpenVPN
Are there any plans to get openvpn working well with CARP? I currently have a 2 pfSense CARP setup with VPN access via openvpn for support use, but due to the firewall failover, I have to have 2 openvpn conf files to use depending which firewall is active at the time.

If it's already working, please give me some pointers how to use it! :)

Much appreciated, TIA
Re: [pfSense Support] CARP and OpenVPN
2009/8/21 Chris Buechler <c...@pfsense.org>:
> On Fri, Aug 21, 2009 at 5:13 AM, Simon Dick <sim...@irrelevant.org> wrote:
>> Are there any plans to get openvpn working well with CARP? I currently have a 2 pfSense CARP setup with VPN access via openvpn for support use, but due to the firewall failover, I have to have 2 openvpn conf files to use depending which firewall is active at the time.
>>
>> If it's already working, please give me some pointers how to use it! :)
>
> Works now, put "local x.x.x.x" in custom options, where x.x.x.x is a CARP IP. You will have to manually configure the secondary to match the primary since the config doesn't sync on 1.2.x.

Aah, thanks, good to know, I'm sure I did try that (I already have the config matching between them so that's no big problem), will give that a try soon.
Re: [pfSense Support] CARP and Bridging
Joseph Hardeman wrote:
> One other question now that I think of it. Does CARP work between two firewalls that are running in full Bridge mode, no NATing done at all, just port blocking on the WAN interface? We have two firewalls and I want to make sure any states are kept intact on the chance we have to failover to the secondary.

I've done something similar with a CARP cluster that has a LAN and DMZ, where the DMZ is bridged to WAN. I have my switches doing STP and shutting down the ports for the inactive firewall, but there are other ways to get it done, too.

There are a couple concepts discussed in this forum thread:
http://forum.pfsense.org/index.php/topic,4984.0.html

Those involve keeping the bridge interface on the backup unit down until it becomes master. The first is a script that runs from cron that checks every minute to see if the change has happened, and brings the bridge up if a system is master. The main downside is that you have to wait on the cron script to run to see the change.

The second is only possible in 1.2.3-RC snapshots and on 2.0, where you can use devd to catch the transition event and call a script to change the bridge accordingly at the exact moment it happens, no waiting for cron to run and pick up on the change. Going this route is faster, but may cause some weirdness if you see the CARP transition flapping at all.

In 2.0 I believe you can configure STP right on the bridge interface which may be the better way in the long run.

Jim
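As an added example (not a script from the thread, the linked forum post or pfSense), the two checks Jim describes, reading advskew from ifconfig output and watching for the 240 demotion value from the switchover thread, and deciding whether this node's bridge should be up or down from its CARP state, in one POSIX shell script; the interface and bridge names are placeholders and the sample ifconfig text is constructed:

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Parses `ifconfig -a`
# style output, reports each CARP VIP's state and advskew, flags a VIP that
# has demoted itself to advskew 240, and decides the bridge's up/down state.

# Constructed sample, modelled on the ifconfig excerpt quoted in the thread.
SAMPLE_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
	inet 10.0.0.244 netmask 0xffffff00
	carp: BACKUP vhid 100 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00
	carp: MASTER vhid 101 advbase 1 advskew 240'

# carp_summary IFCONFIG_TEXT
# Prints one line per CARP interface: "<iface> <state> <vhid> <advskew>".
carp_summary() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        /^[[:space:]]*carp: / {
            state = $2; vhid = ""; skew = ""
            for (i = 3; i < NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            print iface, state, vhid, skew
        }'
}

# carp_demoted IFCONFIG_TEXT
# Exit status 0 if any VIP advertises advskew >= 240: the node has demoted
# itself and will not take back over even though it is configured as master.
carp_demoted() {
    carp_summary "$1" | awk '$4 >= 240 { found = 1 } END { if (found) exit 0; exit 1 }'
}

# bridge_action IFCONFIG_TEXT CARP_IFACE
# Echoes "up" when CARP_IFACE is MASTER and "down" otherwise, so a devd or
# cron hook can keep the backup node's bridge down until it becomes master.
bridge_action() {
    state=$(carp_summary "$1" | awk -v i="$2" '$1 == i { print $2 }')
    case "$state" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# Live usage (placeholder interface names; uncomment on a real node):
# out=$(ifconfig -a)
# carp_demoted "$out" && logger -t carpcheck "CARP demoted: $(carp_summary "$out")"
# ifconfig bridge0 "$(bridge_action "$out" carp1)"
carp_summary "$SAMPLE_IFCONFIG"
```

Run from devd on the CARP transition event or from cron as in the two approaches above; the demotion check is the one to alert on, since a demoted master looks like a healthy BACKUP in the GUI.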
[pfSense Support] CARP and Bridging
One other question now that I think of it. Does CARP work between two firewalls that are running in full Bridge mode, no NATing done at all, just port blocking on the WAN interface? We have two firewalls and I want to make sure any states are kept intact on the chance we have to failover to the secondary.

Joe
Re: [pfSense Support] CARP Bug in 1.2.3
On Wed, Apr 8, 2009 at 11:31 PM, Dimitri Rodis dimit...@integritasystems.com wrote: Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009. Changed the CARP config-- had a redundant member that I removed, so I shut pfsync off. However, I kept getting messages along the top that XMLRPC sync was failing. I checked, and it was disabled--so, I unchecked absolutely everything and saved and rebooted, but the errors persisted. I think I found the problem. I downloaded my config file and had a look. [snip] Shouldn't config/config only be in there once? Looks like it added another config/config section each time I tried to change/save it, and it's only using the last one. Bug or user error?

Doubt it's a bug or we would be seeing a lot more of this.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
I think this is more obscure than you think-- this is on a snapshot build, so how many people have 1) run a 1.2.3 snapshot, 2) _had_ a redundant CARP config, and then 3) removed the redundant member and 4) added some Outbound NAT rules and interface rules (which is what finally triggered the XMLRPC sync, and thus the error)? My guess is that people with redundant configs are probably not testing snapshot builds (or even production builds) in this manner. I don't know if this happens on previous builds, and you are probably going to say that the code hasn't changed, and that's very likely to be true if you say so--I'm just saying I think the bug is present, but obscure. Obviously if it happens it's easy enough to fix by downloading the config, deleting the duped sections and uploading the config again, but I would tend to think there's a bug in there somewhere, because like I said, I didn't dupe the section myself.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 8:15 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Wed, Apr 8, 2009 at 11:31 PM, Dimitri Rodis dimit...@integritasystems.com wrote: [snip] Shouldn't config/config only be in there once? Looks like it added another config/config section each time I tried to change/save it, and it's only using the last one. Bug or user error?

Doubt it's a bug or we would be seeing a lot more of this.

Scott
Re: [pfSense Support] CARP Bug in 1.2.3
On Thu, Apr 9, 2009 at 12:37 PM, Dimitri Rodis dimit...@integritasystems.com wrote: I think this is more obscure than you think-- [snip] I would tend to think there's a bug in there somewhere, because like I said, I didn't dupe the section myself.

My guess would be that you installed a snapshot that contained xmlparse.inc from HEAD. Right around the hackathon time this was included but has since been removed.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
The snapshot I'm using is dated April 1.. that's a couple of days after the hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 10:17 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 12:37 PM, Dimitri Rodis dimit...@integritasystems.com wrote: [snip]

My guess would be that you installed a snapshot that contained xmlparse.inc from HEAD. Right around the hackathon time this was included but has since been removed.

Scott
Re: [pfSense Support] CARP Bug in 1.2.3
On Thu, Apr 9, 2009 at 1:57 PM, Dimitri Rodis dimit...@integritasystems.com wrote: The snapshot I'm using is dated April 1.. that's a couple of days after the hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

You were affected then. It was removed for causing various problems such as these.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
Good deal. I'll go to a later snapshot then. Are upgrades between snapshots on embedded working at the moment, or should I just reflash?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 11:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 1:57 PM, Dimitri Rodis dimit...@integritasystems.com wrote: [snip] Any idea when the xmlparse.inc from HEAD was removed?

You were affected then. It was removed for causing various problems such as these.

Scott
Re: [pfSense Support] CARP Bug in 1.2.3
On Thu, Apr 9, 2009 at 7:00 PM, Dimitri Rodis dimit...@integritasystems.com wrote: Good deal. I'll go to a later snapshot then. Are upgrades between snapshots on embedded working at the moment, or should I just reflash?

Yeah you got hit with the xmlparse.inc issue that was in snapshots for a couple days. I know CARP is fine in 1.2.3 outside of those couple days, I've setup 3 CARP pairs on 1.2.3 in the past 2 weeks. Reflash, and either redo your config from scratch or manually remove anything that's out of whack.
[pfSense Support] CARP Bug in 1.2.3
Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009

Changed the CARP config-- had a redundant member that I removed, so I shut pfsync off. However, I kept getting messages along the top that XMLRPC sync was failing. I checked, and it was disabled--so, I unchecked absolutely everything and saved and rebooted, but the errors persisted. I think I found the problem. I downloaded my config file and had a look. Check out the following section:

    <installedpackages>
      <carpsettings>
        <config>
          <pfsyncenabled/>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules/>
          <synchronizeschedules/>
          <synchronizealiases/>
          <synchronizenat/>
          <synchronizeipsec/>
          <synchronizewol/>
          <synchronizestaticroutes/>
          <synchronizelb/>
          <synchronizevirtualip/>
          <synchronizetrafficshaper/>
          <synchronizednsforwarder/>
          <synchronizetoip/>
          <password/>
        </config>
        <config>
          <pfsyncenabled>on</pfsyncenabled>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules>on</synchronizerules>
          <synchronizeschedules>on</synchronizeschedules>
          <synchronizealiases>on</synchronizealiases>
          <synchronizenat>on</synchronizenat>
          <synchronizeipsec>on</synchronizeipsec>
          <synchronizewol>on</synchronizewol>
          <synchronizestaticroutes>on</synchronizestaticroutes>
          <synchronizelb>on</synchronizelb>
          <synchronizevirtualip>on</synchronizevirtualip>
          <synchronizetrafficshaper>on</synchronizetrafficshaper>
          <synchronizednsforwarder/>
          <synchronizetoip>172.19.0.2</synchronizetoip>
          <password>xx</password>
        </config>
        <config>
          <pfsyncenabled>on</pfsyncenabled>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules>on</synchronizerules>
          <synchronizeschedules>on</synchronizeschedules>
          <synchronizealiases>on</synchronizealiases>
          <synchronizenat>on</synchronizenat>
          <synchronizeipsec>on</synchronizeipsec>
          <synchronizewol>on</synchronizewol>
          <synchronizestaticroutes>on</synchronizestaticroutes>
          <synchronizelb>on</synchronizelb>
          <synchronizevirtualip>on</synchronizevirtualip>
          <synchronizetrafficshaper>on</synchronizetrafficshaper>
          <synchronizednsforwarder>on</synchronizednsforwarder>
          <synchronizetoip>172.19.0.3</synchronizetoip>
          <password>x</password>
        </config>
      </carpsettings>
    </installedpackages>

Shouldn't config/config only be in there once? Looks like it added another config/config section each time I tried to change/save it, and it's only using the last one. Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] CARP over Serial?
Seems like I'm ending up asking a lot of questions here lately.

(Long Version) I have two servers I want to set up as a CARP cluster. So I did, and that's working fine. The only issue is that the servers only have 2 NICs. I setup a VLAN on the LAN interface to function as a temporary CARP interface. However, I'm not sure I really want to take the cluster production unless I have a dedicated physical cluster link. With other clusters that I've setup, the heartbeat/sync interface is often a serial connection rather than an Ethernet connection.

(Short Version) Is there any provision for doing CARP over serial/SLIP, or do I have to have a third Ethernet interface? This seems like it would be a handy feature; I'm surprised I haven't been able to find any documentation on it.

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us
Re: [pfSense Support] CARP over Serial?
On Wed, Mar 18, 2009 at 7:55 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote: Is there any provision for doing CARP over serial/SLIP, or do I have to have a third Ethernet interface?

No, because it wouldn't work unless you have a 512 Kb Internet pipe or slower. Serial is *way* too slow to sync states with any modern broadband connection.
Re: [pfSense Support] CARP over Serial?
Further, CARP doesn't run on a dedicated NIC, pfsync does (and no, it's not required, however it isn't encrypted or authenticated).

--Bill

On Mar 18, 2009, at 7:01 PM, Chris Buechler c...@pfsense.org wrote: [snip] No, because it wouldn't work unless you have a 512 Kb Internet pipe or slower. Serial is *way* too slow to sync states with any modern broadband connection.
[pfSense Support] carp question
Hello everybody

I am working with a 2 node failover of 2 pfSense 1.2.2 and it is great!! It works perfectly, but I would like to ask whether it is possible to define the CARP upscript via the web interface, or by modifying the PHP code. I think this is a good feature for pfSense 2.0, and in general the magic box of custom options, like in OpenVPN (1.2.2), is very good for advanced and non-standard configurations. Here, for example, I can define tap mode OpenVPN instead of tun, link-mtu... I don't think it is a good idea to remove this text box anywhere it could be useful. I see that in pfSense 2.0 this text box in OpenVPN doesn't appear. Why?

Sorry for my English

Thanks!!
[pfSense Support] CARP not working...
Hello, we just brought up a secondary pfsense firewall, fw02. We are getting the following error on fw01:

[sync_settings]An error code was received while attempting XMLRPC sync with username admin http://172.16.4.6:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload

On fw02 under CARP status there is an enable CARP button and a list of pfsync nodes:

pfSync nodes: 06b3eef1 13e0f43c 23a1cb65 2ef64c64 42f4845f 548d51bf 705c6a63 7910ead2 b3ade648 f2e22130

Clicking the enable CARP button seems to have no effect on fw02. Any suggestions for troubleshooting this?

Thanks,
Joel
Re: [pfSense Support] CARP not working...
- Ensure that the admin passwords are the same on both firewalls.
- If you have a dedicated set of NICs for sync traffic, ensure that you permit this type of traffic.
- Create 2 CARP addresses (LAN and WAN).
- Enable manual outbound NAT and specify the CARP address as your default outbound for your inbound LAN (not 100% required).

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Thu, Sep 18, 2008 at 9:23 PM, JJB [EMAIL PROTECTED] wrote: Hello, we just brought up a secondary pfsense firewall, fw02. We are getting the following error on fw01: [sync_settings]An error code was received while attempting XMLRPC sync with username admin http://172.16.4.6:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload [snip] Clicking the enable CARP button seems to have no effect on fw02. Any suggestions for troubleshooting this? Thanks, Joel
Re: [pfSense Support] CARP
Anil Garg wrote: I have seen some documentation that shows how two pfsense can act as back up to the other (hot standby).. Is it possible for servers behind pfsense to exploit the same capability? Say we have one www.server on lan or dmz. If this server were to die, we want the system to point to another www.server on the same subnet. Thanks much.

Yes, there are a number of mechanisms that allow this to happen. It depends entirely on the type of operating system and applications you are using. Many database server packages offer a clustering feature. Linux has clustering capabilities through a couple of different facilities. Spend some quality time with Google, I'm sure you'll find what you need.

-Gary
Re: [pfSense Support] CARP
Thanks David and Thanks Gary. I spent a lot of time reading and a few things are somewhat becoming clear.. CARP uses a trusted (preferably dedicated) link to send heartbeat signals to keep track of who is alive. This common knowledge enables some pfsense to stay inactive (to either act as dhcp server or act as a gateway). When something happens to the master, the next in the succession line takes over. Very unique, innovative and simple. However most examples are for WAN side traffic and for keeping internet alive. I will keep trying to find something that shows how servers can be balanced. It's amazing because it even keeps the state.

Best Regards
Anil Garg

Gary Buckmaster [EMAIL PROTECTED] wrote: Anil Garg wrote: [snip] Yes, there are a number of mechanisms that allow this to happen. It depends entirely on the type of operating system and applications you are using. Many database server packages offer a clustering feature. Linux has clustering capabilities through a couple of different facilities. Spend some quality time with Google, I'm sure you'll find what you need. -Gary
Re: [pfSense Support] CARP
On Tue, Apr 1, 2008 at 9:44 AM, Anil Garg [EMAIL PROTECTED] wrote: However most examples are for WAN side traffic and for keeping internet alive. I will keep trying to find something that shows how servers can be balanced.

If balancing is what you need, then use the load balancer built into pfSense. If active/passive, then while the load balancer will also work fine, you might try one of the server high availability solutions available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc - again Google will get you going there)

It's amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread. "CARP requires a dedicated cable" - not correct, CARP is a multicast protocol that is broadcast on the same network segment as the address for it. "it (CARP) even keeps the state" - not correct, pfsync keeps state synchronization. It's also highly recommended (as it's not cryptographically secure) to run this on a dedicated cable.

--Bill
Re: [pfSense Support] CARP
Bill

Thanks for correcting. I am quite green on this stuff and as they say little knowledge is dangerous! Load balance built in is a great idea. I will test that out too...

Bill Marquette [EMAIL PROTECTED] wrote: [snip] FWIW, to correct a few misstatements you've made in this thread. "CARP requires a dedicated cable" - not correct, CARP is a multicast protocol that is broadcast on the same network segment as the address for it. "it (CARP) even keeps the state" - not correct, pfsync keeps state synchronization. It's also highly recommended (as it's not cryptographically secure) to run this on a dedicated cable. --Bill
[pfSense Support] CARP Documentation
Several recent forum posts regarding CARP refer to the following page: http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

When I go to that page, it says: "There is currently no text in this page, you can search for this page title (http://doc.pfsense.org/index.php/Special:Search/Setting_up_CARP_with_pfSense) in other pages or edit this page (http://doc.pfsense.org/index.php?title=Setting_up_CARP_with_pfSense&action=edit)."

Where'd the CARP doc go?

Dimitri Rodis
Integrita Systems LLC
Re: [pfSense Support] CARP Documentation
On 3/4/08, Dimitri Rodis [EMAIL PROTECTED] wrote: Several recent forum posts regarding CARP refer to the following page: http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense [snip]

Try http://olddoc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

Scott
[pfSense Support] carp status page wish
Hi, would it be possible to have the carp status page also show the carp description field, as at the moment it's not very informative.

AtDhVaAnNkCsE
Paul
[pfSense Support] Carp FW Rules?
Good Afternoon

I have configured 2 virtual IPs under Virtual IPs in CARP mode. I configured the necessary ports in the NAT options for the services I want to use. From the Internet side all services work OK; however, I cannot connect to these IPs from my internal net (LAN). The firewall log shows the following blocks:

Jan 31 15:56:08 pf: 2. 439592 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 24317, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.56845 > 189.2.203.19.80: S, cksum 0x330e (correct), 51016579:51016579(0) win 0 <mss 1460>
Jan 31 15:56:10 pf: 2. 560566 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 1182, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.51379 > 189.2.203.19.80: S, cksum 0x9f8a (correct), 52143:52143(0) win 0 <mss 1460>
Jan 31 15:56:13 pf: 2. 440578 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 31284, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.58885 > 189.2.203.19.80: S, cksum 0x2b16 (correct), 51016579:51016579(0) win 0 <mss 1460>
Jan 31 15:56:15 pf: 2. 559579 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 21814, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.61750 > 189.2.203.19.80: S, cksum 0x7707 (correct), 52143:52143(0) win 0 <mss 1460>

How can I configure it to allow connections on those interfaces?

William David Armstrong
Bio Systems Security Networking
biosystems gmail . com
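When a CARP VIP question like this comes up, the first step is to see which rule, direction and interface are doing the blocking and on what destination port, across the whole log rather than four lines. The following summariser is an added example, not pfSense code or anything from the thread; it reads pf's tcpdump-style log lines on stdin and counts them by action, direction, interface, rule number and destination port. The sample lines are constructed in the same format as the ones quoted above (a pass entry on em1 is added so the grouping is visible); the interface name em1 and rule number 12 are invented for the sample.

```shell
#!/bin/sh
# pf_log_summary: group pf log lines by action/direction/interface/rule and
# destination port, then count them. Added example, not pfSense code.

# Reads pf log lines on stdin. For each line carrying "rule N/M(match):" it
# emits "ACTION DIR IFACE rule N dport P", then sorts and counts the groups,
# e.g. "4 block out carp0 rule 527 dport 80". Lines without a rule match
# (kernel messages, truncated lines) are skipped.
pf_log_summary() {
    awk '
    /rule [0-9]+\/[0-9]+\(match\):/ {
        rule = ""; act = ""; dir = ""; ifc = ""; dport = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "rule") {
                # fields: rule 527/0(match): block out on carp0:
                rule = $(i + 1); sub(/\/.*/, "", rule)
                act = $(i + 2); dir = $(i + 3)
                ifc = $(i + 5); sub(/:$/, "", ifc)
            }
            if ($i == ">") {
                # field after ">" is "dst.addr.port:"; port is the last dotted part
                d = $(i + 1); sub(/:$/, "", d)
                n = split(d, p, "."); dport = p[n]
            }
        }
        if (rule != "") print act, dir, ifc, "rule", rule, "dport", dport
    }' | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_PF_LOG='Jan 31 15:56:08 pf: 2. 439592 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 24317, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.56845 > 189.2.203.19.80: S, cksum 0x330e (correct), 51016579:51016579(0) win 0 <mss 1460>
Jan 31 15:56:10 pf: 2. 560566 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 1182, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.51379 > 189.2.203.19.80: S, cksum 0x9f8a (correct), 52143:52143(0) win 0 <mss 1460>
Jan 31 15:56:12 pf: 3. 100001 rule 12/0(match): pass in on em1: (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto: TCP (6), length: 60) 189.2.203.20.40001 > 189.2.203.19.443: S, cksum 0x0000 (correct), 1:1(0) win 65535 <mss 1460>'

# Runs the summariser over the constructed sample.
pf_log_summary_sample() {
    printf '%s\n' "$SAMPLE_PF_LOG" | pf_log_summary
}

# Stand-alone: summarise the sample, or the log piped in if stdin is not a tty.
if [ -t 0 ]; then
    pf_log_summary_sample
else
    pf_log_summary
fi
```

On a pfSense 1.2/2.0 box the filter log is a clog circular file, so the equivalent of the sample run is `clog /var/log/filter.log | sh pf_log_summary.sh` (path and script name assumed). In the poster's case the output shows the blocks are all "block out carp0" on port 80 from a LAN host to the VIP, which points at the outbound side of the CARP interface rather than at the LAN rules.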