Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Dan Kenigsberg
On Thu, May 15, 2014 at 02:18:39PM +0200, Matt . wrote:
> Hi,
> 
> I don't do top-postings, just a reply to all.
> 
> It works now on all hosts!
> 
> I was testing with a Run Once with no macspoof option and changed the CARP
> IP on the pfsense box to alias, and back to carp... where with alias I was
> able to ping with carp not... and this was good because of the disabled
> macspoof option. After this change I was also, with spoof true and not set,
> able to ping the IP on the CARP interface itself, so I think Pfsense messed
> something up here with ARP tables (I know from the past).
> 
> After a restart of the VM I was able to ping all IP, also CARP as it was
> starting with macspoof true again.
> 
> Some other thing I'm curious about... let's say you have 3 servers in a
> cluster, 2 installed with the macspoof hook and one not. The VM with
> macspoof enabled starts on the host without the hook and you migrate it to
> a host where the hook is installed. What happens... ?

When I answer to your question immediately after it, it's easier to
correlate a question and an answer. Top-posting is frowned upon.

Once a domain xml has been created by Vdsm, it is migrated intact to the
destination, so there too, no filtering would take place.

Do note that having different installed on your cluster is bound to
cause random problems, and is better avoided.

Dan.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
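
The reply above says a domain XML created by Vdsm is migrated intact, so whether MAC filtering applies is fixed by what the starting host wrote into it. As an added example (not from the thread and not oVirt/VDSM code), this script reads domain XML as printed by `virsh -r dumpxml` and reports which vNICs carry the anti-spoofing filter. The filter name `vdsm-no-mac-spoofing`, the helper names and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: name of the nwfilter VDSM references on a vNIC while MAC
# anti-spoofing is in effect; adjust if your hosts use another filter.
ANTI_SPOOF_FILTER = "vdsm-no-mac-spoofing"

# Constructed sample: domxml in which both vNICs are filtered.
DOMXML_FILTERED = """
<domain type='kvm'>
  <name>pfsense-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1A:4A:00:00:01'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='lan'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
  </devices>
</domain>
"""

# Constructed sample: same VM, but the LAN vNIC has no filterref, so
# frames from other source MACs (e.g. a CARP virtual MAC) are not dropped.
DOMXML_LAN_OPEN = """
<domain type='kvm'>
  <name>pfsense-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='lan'/>
    </interface>
  </devices>
</domain>
"""


def audit_interfaces(domxml):
    """Return one record per <interface> in a libvirt domain XML string."""
    root = ET.fromstring(domxml.strip())
    records = []
    for iface in root.findall("./devices/interface"):
        mac = iface.find("mac")
        source = iface.find("source")
        filters = [f.get("filter") for f in iface.findall("filterref")]
        records.append({
            "vm": root.findtext("name"),
            "mac": mac.get("address", "").lower() if mac is not None else "",
            "bridge": source.get("bridge") if source is not None else None,
            "filters": filters,
            "mac_filtered": ANTI_SPOOF_FILTER in filters,
        })
    return records


def unfiltered_macs(domxml):
    """MACs of vNICs that run without the anti-spoofing filter."""
    return [r["mac"] for r in audit_interfaces(domxml) if not r["mac_filtered"]]


def filtering_differences(domxml_a, domxml_b):
    """Map MAC -> (filtered in A, filtered in B) where the two dumps disagree.

    Useful for comparing the same VM as started on two different hosts.
    """
    a = {r["mac"]: r["mac_filtered"] for r in audit_interfaces(domxml_a)}
    b = {r["mac"]: r["mac_filtered"] for r in audit_interfaces(domxml_b)}
    return {
        mac: (a.get(mac), b.get(mac))
        for mac in sorted(set(a) | set(b))
        if a.get(mac) != b.get(mac)
    }


if __name__ == "__main__":
    samples = (("filtered", DOMXML_FILTERED), ("lan open", DOMXML_LAN_OPEN))
    for label, xml_text in samples:
        for rec in audit_interfaces(xml_text):
            state = "filtered" if rec["mac_filtered"] else "NOT filtered"
            print(f"[{label}] {rec['vm']} {rec['mac']} on {rec['bridge']}: {state}")
    print("differences:", filtering_differences(DOMXML_FILTERED, DOMXML_LAN_OPEN))
```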


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Matt .
Hi,

I don't do top-postings, just a reply to all.

It works now on all hosts!

I was testing with a Run Once with no macspoof option and changed the CARP
IP on the pfsense box to alias, and back to carp... where with alias I was
able to ping with carp not... and this was good because of the disabled
macspoof option. After this change I was also, with spoof true and not set,
able to ping the IP on the CARP interface itself, so I think Pfsense messed
something up here with ARP tables (I know from the past).

After a restart of the VM I was able to ping all IP, also CARP as it was
starting with macspoof true again.

Some other thing I'm curious about... let's say you have 3 servers in a
cluster, 2 installed with the macspoof hook and one not. The VM with
macspoof enabled starts on the host without the hook and you migrate it to
a host where the hook is installed. What happens... ?

Cheers,

Matt


2014-05-15 13:39 GMT+02:00 Dan Kenigsberg :

> On Thu, May 15, 2014 at 12:45:46PM +0200, Matt . wrote:
> > OK, we are on the same line there.
> >
> > The issue is that it doesn't work on this host, others do.
>
> It is very hard for me to follow your condition, and top-posting does
> not help.
>
> Does the macspoof hook work fine on other host? And only here unknown
> macs are filtered? In that case, we should figure out what is different
> in this host, and see the domxml of the troublesome VM.
>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Dan Kenigsberg
On Thu, May 15, 2014 at 12:45:46PM +0200, Matt . wrote:
> OK, we are on the same line there.
> 
> The issue is that it doesn't work on this host, others do.

It is very hard for me to follow your condition, and top-posting does
not help.

Does the macspoof hook work fine on other host? And only here unknown
macs are filtered? In that case, we should figure out what is different
in this host, and see the domxml of the troublesome VM.


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Itamar Heim

On 05/15/2014 06:45 AM, Matt . wrote:
> OK, we are on the same line there.
>
> The issue is that it doesn't work on this host, others do.
>
> I have a 3.3 cluster and 3.4... both are enabled using the command... or
> can't you have 2 versions ?

multiple versions shouldn't be an issue.
I'll let danken and others continue to troubleshoot why not working though.





Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Matt .
OK, we are on the same line there.

The issue is that it doesn't work on this host, others do.

I have a 3.3 cluster and 3.4... both are enabled using the command... or
can't you have 2 versions ?


2014-05-15 12:43 GMT+02:00 Itamar Heim :

> On 05/15/2014 06:42 AM, Matt . wrote:
>
>> OK, now I'm confused.
>>
>> For MacSpoofing we per default don't have the "macspoof" feature in the
>> engine am I right ?
>>
>> To get that... you need to set:
>>
>> engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X
>>
>> But no hook needs to be installed for this ? I don't have ping at the
>> moment with macspoof set on true on a VM.
>>
>>
> macspoofing is more than just promiscuous mode for port mirroring, which
> does require the hook to be installed (and the VM to be restarted)
>
>
>>
>>

Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Itamar Heim

On 05/15/2014 06:42 AM, Matt . wrote:
> OK, now I'm confused.
>
> For MacSpoofing we per default don't have the "macspoof" feature in the
> engine am I right ?
>
> To get that... you need to set:
>
> engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X
>
> But no hook needs to be installed for this ? I don't have ping at the moment
> with macspoof set on true on a VM.

macspoofing is more than just promiscuous mode for port mirroring, which
does require the hook to be installed (and the VM to be restarted)







Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Matt .
OK, now I'm confused.

For MacSpoofing we per default don't have the "macspoof" feature in the
engine am I right ?

To get that... you need to set:

engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X

But no hook needs to be installed for this ? I don't have ping at the
moment with macspoof set on true on a VM.




2014-05-15 12:35 GMT+02:00 Itamar Heim :

> On 05/15/2014 04:26 AM, Matt . wrote:
>
>> Itamar,
>>
>> On some testhost I'm updating now to 3.4(.x) I also need to install the
>> hook it seems... it's not there by default.
>>
>> Any idea why you thought it should be ?
>>
>
> there is no need for the hook for port mirroring. you can define a vnic
> profile with port mirroring via the engine and vdsm has this feature
> built-in.
>
> if you need more than just port mirroring (say, port forwarding), then you
> still need the hook.
>
>
>> Cheers,
>>
>> Matt
>>
>>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Itamar Heim

On 05/15/2014 04:26 AM, Matt . wrote:
> Itamar,
>
> On some testhost I'm updating now to 3.4(.x) I also need to install the
> hook it seems... it's not there by default.
>
> Any idea why you thought it should be ?

there is no need for the hook for port mirroring. you can define a vnic
profile with port mirroring via the engine and vdsm has this feature
built-in.

if you need more than just port mirroring (say, port forwarding), then
you still need the hook.

> Cheers,
>
> Matt




Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-15 Thread Matt .
Itamar,

On some testhost I'm updating now to 3.4(.x) I also need to install the
hook it seems... it's not there by default.

Any idea why you thought it should be ?

Cheers,

Matt


2014-05-12 14:55 GMT+02:00 Matt . :

> Hi,
>
> I really needed to enable the hook... Will investigate on new hosts!
>
>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-12 Thread Matt .
Hi,

I really needed to enable the hook... Will investigate on new hosts!


2014-05-11 22:37 GMT+02:00 Itamar Heim :

> On 04/17/2014 04:08 AM, Matt . wrote:
>
>> Hi Guys,
>>
>> I'm not able to write a howto yet as we need to check how this is
>> running on high traffic and we are going soon. Then, we need to test
>> some other functions before I can actually write something down.
>>
>> Because this is not all documented well indeed I'm in testmode and doing
>> some @ life system as reallife environments are always coming with other
>> things than your perfect test.
>>
>> I cannot say I needed promiscuity, I did some things you would
>> normally do on pfsense which fixed that part. Some old message you
>> really need to discard instead of clicking it away was confusing this
>> test.
>>
>>
>>
> you are not supposed to need the promiscuous hook for sniffing/mirroring -
> that's by now part of engine/vdsm (at vnic level in earlier versions, and
> at network profile in later versions iirc)
>
>
>>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-05-11 Thread Itamar Heim

On 04/17/2014 04:08 AM, Matt . wrote:
> Hi Guys,
>
> I'm not able to write a howto yet as we need to check how this is
> running on high traffic and we are going soon. Then, we need to test
> some other functions before I can actually write something down.
>
> Because this is not all documented well indeed I'm in testmode and doing
> some @ life system as reallife environments are always coming with other
> things than your perfect test.
>
> I cannot say I needed promiscuity, I did some things you would
> normally do on pfsense which fixed that part. Some old message you
> really need to discard instead of clicking it away was confusing this test.

you are not supposed to need the promiscuous hook for sniffing/mirroring
- that's by now part of engine/vdsm (at vnic level in earlier versions,
and at network profile in later versions iirc)







Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-17 Thread Matt .
Hi Guys,

I'm not able to write a howto yet as we need to check how this is running
on high traffic and we are going soon. Then, we need to test some other
functions before I can actually write something down.

Because this is not all documented well indeed I'm in testmode and doing
some @ life system as reallife environments are always coming with other
things than your perfect test.

I cannot say I needed promiscuity, I did some things you would normally
do on pfsense which fixed that part. Some old message you really need to
discard instead of clicking it away was confusing this test.




2014-04-17 9:08 GMT+02:00 Dan Kenigsberg :

> On Thu, Apr 17, 2014 at 01:11:13AM +0200, Matt . wrote:
> > OK, also this is finetuned, but it would be nice to have some more info
> > about the hooks in these cases... it's interesting as oVirt has the right
> > settings to start with but we need to know what we need to set when we
> > have a setup like this for an example.
>
> Could you explain what you have done, and what do you need promiscuity
> for? oVirt has "port mirroring" that allows to mirror ip traffic from
> one vm network to another.
>
> >
> >


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-17 Thread Dan Kenigsberg
On Thu, Apr 17, 2014 at 01:11:13AM +0200, Matt . wrote:
> OK, also this is finetuned, but it would be nice to have some more info
> about the hooks in these cases... it's interesting as oVirt has the right
> settings to start with but we need to know what we need to set when we have
> a setup like this for an example.

Could you explain what you have done, and what do you need promiscuity
for? oVirt has "port mirroring" that allows to mirror ip traffic from
one vm network to another.

> 
> 


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-17 Thread Sven Kieske


On 17.04.2014 01:11, Matt . wrote:
> OK, also this is finetuned, but it would be nice to have some more info
> about the hooks in these cases... it's interesting as oVirt has the right
> settings to start with but we need to know what we need to set when we have
> a setup like this for an example.

Well maybe begin yourself as a good example
and write down for the community / others
what you did to solve your problems?

I'm a little amazed you want to know from
others the settings needed but you don't
provide anything of your settings you already
tweaked to achieve your goal.

a good way to start would maybe

etherpad.ovirt.org and write some FAQ

for the most common use cases?

If no one else is willing to start
I will do it at some time (when I have some).

But this will most likely be in my spare
time, so don't expect too much. :)

-- 
Regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-16 Thread Matt .
OK, also this is finetuned, but it would be nice to have some more info
about the hooks in these cases... it's interesting as oVirt has the right
settings to start with but we need to know what we need to set when we have
a setup like this for an example.


2014-04-17 0:35 GMT+02:00 Matt . :

> Traffic issues are solved, but the advertising is not that well.
>
> I see on ESXi (vSphere) that you need to enable "Promiscuous Mode", but
> how on oVirt ?
>
> http://www.blissfulidiot.com/2013/11/using-carp-with-vmware-esxi.html
>
> Do I need the vdsm-hook-promisc for it ? as I need to make real settings
> on a VM there I think the vswitch only needs the mode.
>
> Information is welcome!
>
>
> 2014-04-16 11:18 GMT+02:00 Matt . :
>
> This is resolved.
>>
>> It seems that skews that pfsense sets on a backup/failover cluster node
>> are much higher than they were set manually. Pfsense synced them again and
>> it's solved.
>>
>>
>> 2014-04-15 8:52 GMT+02:00 Matt . :
>>
>> Hi Guys,
>>>
>>> I'm facing some issues with Pfsense and a Carp setup where connections
>>> are not dropped but the connection is not stable.
>>>
>>> I have set macspoof on the vm that runs Pfsense, this because it needs
>>> it for Carp.
>>>
>>> My TCPdump actually gives good results, a single P so that looks also
>>> well.
>>>
>>> I have tested this with things like sending emails and so on, uploading
>>> large files. It seems on sending emails that you most of the time have to
>>> cancel a send and resend it, sending goes well then. A tcpdump on such
>>> mailserver looks well.
>>>
>>> For uploading large images it seems that it's slow in uploading because
>>> of disconnects, also a good tcpdump.
>>>
>>> Do I need to make specific settings on the vswitch or the real switch
>>> between ?
>>>
>>> Or is something else going on ?
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>
>>
>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-16 Thread Matt .
Traffic issues are solved, but the advertising is not that well.

I see on ESXi (vSphere) that you need to enable "Promiscuous Mode", but how
on oVirt ?

http://www.blissfulidiot.com/2013/11/using-carp-with-vmware-esxi.html

Do I need the vdsm-hook-promisc for it ? as I need to make real settings on
a VM there I think the vswitch only needs the mode.

Information is welcome!


2014-04-16 11:18 GMT+02:00 Matt . :

> This is resolved.
>
> It seems that skews that pfsense sets on a backup/failover cluster node
> are much higher than they were set manually. Pfsense synced them again and
> it's solved.
>
>
> 2014-04-15 8:52 GMT+02:00 Matt . :
>
>> Hi Guys,
>>
>> I'm facing some issues with Pfsense and a Carp setup where connections
>> are not dropped but the connection is not stable.
>>
>> I have set macspoof on the vm that runs Pfsense, this because it needs it
>> for Carp.
>>
>> My TCPdump actually gives good results, a single P so that looks also
>> well.
>>
>> I have tested this with things like sending emails and so on, uploading
>> large files. It seems on sending emails that you most of the time have to
>> cancel a send and resend it, sending goes well then. A tcpdump on such
>> mailserver looks well.
>>
>> For uploading large images it seems that it's slow in uploading because
>> of disconnects, also a good tcpdump.
>>
>> Do I need to make specific settings on the vswitch or the real switch
>> between ?
>>
>> Or is something else going on ?
>>
>> Cheers,
>>
>> Matt
>>
>
>


Re: [ovirt-users] Connection hickups with Pfsense and Carp

2014-04-16 Thread Matt .
This is resolved.

It seems that skews that pfsense sets on a backup/failover cluster node are
much higher than they were set manually. Pfsense synced them again and it's
solved.


2014-04-15 8:52 GMT+02:00 Matt . :

> Hi Guys,
>
> I'm facing some issues with Pfsense and a Carp setup where connections are
> not dropped but the connection is not stable.
>
> I have set macspoof on the vm that runs Pfsense, this because it needs it
> for Carp.
>
> My TCPdump actually gives good results, a single P so that looks also well.
>
> I have tested this with things like sending emails and so on, uploading
> large files. It seems on sending emails that you most of the time have to
> cancel a send and resend it, sending goes well then. A tcpdump on such
> mailserver looks well.
>
> For uploading large images it seems that it's slow in uploading because of
> disconnects, also a good tcpdump.
>
> Do I need to make specific settings on the vswitch or the real switch
> between ?
>
> Or is something else going on ?
>
> Cheers,
>
> Matt
>


[ovirt-users] Connection hickups with Pfsense and Carp

2014-04-14 Thread Matt .
Hi Guys,

I'm facing some issues with Pfsense and a Carp setup where connections are
not dropped but the connection is not stable.

I have set macspoof on the vm that runs Pfsense, this because it needs it
for Carp.

My TCPdump actually gives good results, a single P so that looks also well.

I have tested this with things like sending emails and so on, uploading
large files. It seems on sending emails that you most of the time have to
cancel a send and resend it, sending goes well then. A tcpdump on such
mailserver looks well.

For uploading large images it seems that it's slow in uploading because of
disconnects, also a good tcpdump.

Do I need to make specific settings on the vswitch or the real switch
between ?

Or is something else going on ?

Cheers,

Matt