Re: Can't SSH into CARP'd system from the outside

2008-11-19 Thread Vivek Ayer
True indeed. Complexity does bring in the failure as it has for me. I've reverted back to one master and one backup and it works like a charm. I guess the electricity we have to pay for on the backup is the price we pay for high availability. Perhaps I could make the backup useful for DNS

Re: Can't SSH into CARP'd system from the outside

2008-11-18 Thread Marco Pfatschbacher
On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote: Yay! I got ssh and http to work on the CARP interface. Thanks. However, the httpd redirect is not working just yet on the CARP interface for one of the computers. Does IP balancing mess up redirect? Well, that depends. IP balancing

Re: Can't SSH into CARP'd system from the outside

2008-11-18 Thread Vivek Ayer
I got that snippet from the pf book. What should I change it to? On Tue, Nov 18, 2008 at 4:32 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote: Yay! I got ssh and http to work on the CARP interface. Thanks. However, the httpd redirect

Re: Can't SSH into CARP'd system from the outside

2008-11-18 Thread Vivek Ayer
I may actually end up just turning off load balancing on the router for now and just leave it on the web servers. Then again, it would be nice if the router did some work since it'll be on all the time using all that electricity. Is there a clever cron script I could write to manually change the

Re: Can't SSH into CARP'd system from the outside

2008-11-18 Thread Peter N. M. Hansteen
Vivek Ayer [EMAIL PROTECTED] writes: I got that snippet from the pf book. What should I change it to? actually The Book of PF leaves the definition of the carpdevs macro as an exercise to the reader. The main reason to mention it at all is to alert the reader that carp traffic needs to pass.

Re: Can't SSH into CARP'd system from the outside

2008-11-17 Thread Vivek Ayer
So any resolution on the apache redirection? When I go to the website, I get the Connection Interrupted error. This only occurs when both routers are on. Oddly enough, when I ssh into the virtual IP, ssh traffic doesn't get jumbled up because of the ip balancing. I suspect I may have to up the

Re: Can't SSH into CARP'd system from the outside

2008-11-17 Thread Vivek Ayer
I suspect I'm getting this connection reset error because: IN---ROUTERS---WEB SERVER1 T---ROUTERW---WEB SERVER2 SW is switch here. If one router is on, it has carp0 and carp1 on either side and it can send the request to the servers which may be load-balanced which is fine. But when I

Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Marco Pfatschbacher
On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote: I don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? say you have a carp configured like: carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr

Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Oh ok. That kind of makes sense. Thanks On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote: I don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? say you

Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Yay! I got ssh and http to work on the CARP interface. Thanks. However, the httpd redirect is not working just yet on the CARP interface for one of the computers. Does IP balancing mess up redirect? When I only have one router up doing the redirect, the CARP interface works, but when I have both

Re: Can't SSH into CARP'd system from the outside

2008-11-13 Thread Vivek Ayer
Confirmed. If I have both routers on, the http redirection on the CARP interface doesn't work. But when I only have one on, then the redirection works just fine. Is CARP getting confused with the packets? On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer [EMAIL PROTECTED] wrote: Yay! I got ssh and

Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Marco Pfatschbacher
On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote: [...] # macros [...] carpdevs = { carp0 , carp1 } [...] # pass rules [...] pass in on $carpdevs inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside just from a quick

Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Vivek Ayer
I don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote: [...] # macros [...] carpdevs = { carp0 , carp1 }

Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Stuart Henderson
On 2008-11-12, Vivek Ayer [EMAIL PROTECTED] wrote: I don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? yes On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek

Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Vivek Ayer
then, what about this: pass on $carpdev proto carp keep state Looks like it's filtering on the $carpdev, which is carp0 and carp1 in this case. It's just what I read in the pf book. I'd like to resolve this soon so I can go ahead and launch my website. I feel like there's a lot of carp in the pf

Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Stuart Henderson
On 2008/11/12 14:35, Vivek Ayer wrote: then, what about this: pass on $carpdev proto carp keep state the proto carp packets are all strictly on the parent interfaces, that is the only place you need to pass them. Looks like it's filtering on the $carpdev, which is carp0 and carp1 in this

Re: Can't SSH into CARP'd system from the outside

2008-11-11 Thread Vivek Ayer
Here's my current configuration for my entire network. Two routers working as one using IP balancing and two web servers on the inside working as one using IP balancing. I'm still getting issues as to reaching the web servers from the outside. I just feel like it's gotten too complicated CARPing

Re: Can't SSH into CARP'd system from the outside

2008-11-11 Thread Felipe Alfaro Solana
On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer [EMAIL PROTECTED] wrote: Here's my current configuration for my entire network. Two routers working as one using IP balancing and two web servers on the inside working as one using IP balancing. I'm still getting issues as to reaching the web

Re: Can't SSH into CARP'd system from the outside

2008-11-11 Thread Vivek Ayer
I can ssh from the outside into the non-CARP interface. Actually, this is weird, but I can now ssh from the outside into the CARP address. But as far as rdr goes in my pf.conf, I still can't reach the webserver from the outside. I can reach the web server inside my network, but the rdr in the router

Re: Can't SSH into CARP'd system from the outside

2008-11-11 Thread Vivek Ayer
I can access the web servers from the Internet on the two internet-facing ext_if, but not the CARP interface yet. I assume I just have to add an rdr rule which includes carp as well? On Tue, Nov 11, 2008 at 4:58 PM, Vivek Ayer [EMAIL PROTECTED] wrote: I can ssh from the outside into the non-CARP

Re: Can't SSH into CARP'd system from the outside

2008-10-20 Thread Stuart Henderson
On 2008-10-19, Vivek Ayer [EMAIL PROTECTED] wrote: block in make this "block log in", then look at the tcpdump command line for "Display the logs in real time" shown in pflogd(8).

Re: Can't SSH into CARP'd system from the outside

2008-10-20 Thread Vivek Ayer
I'll give that a shot. But in the meanwhile, it appears ntpd doesn't listen on the carp interface. I set up ntpd on the carp firewalls, but internally, I had to provide the two physical addresses to sync time instead of the one carp interface. Could this also be due to my current pf.conf? So far, I

Re: Can't SSH into CARP'd system from the outside

2008-10-20 Thread Brian A. Seklecki
On Mon, 2008-10-20 at 14:19 -0700, Vivek Ayer wrote: So far, I can't ssh into the carp from the outside, can't ntp from the Try: % sudo tcpdump -ttt -e -vvv -n -i pflog0 -s 1024 -- Brian A. Seklecki [EMAIL PROTECTED] Collaborative Fusion, Inc. IMPORTANT: This message contains

Re: Can't SSH into CARP'd system from the outside

2008-10-20 Thread Stuart Henderson
On 2008/10/20 14:19, Vivek Ayer wrote: I'll give that a shot. But in the meanwhile, it appears ntpd doesn't listen on the carp interface. unlikely, unless you restricted in the listen on... line. $ grep ^listen /etc/ntpd.conf listen on * $ ifconfig carp83|grep -w

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Girish Venkatachalam
On 21:26:51 Oct 18, Vivek Ayer wrote: [demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf] [demime 1.01d removed an attachment of type application/x-trash which had a name of pf.conf.BAK] This list does not allow attachments. You can

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Girish Venkatachalam
On 22:45:49 Oct 18, Vivek Ayer wrote: Actually, I feel kind of stupid for asking the question. Of course you can never ssh into the virtual carp interface, which is what I was trying to do. SSHing into the physical interface still works no problem. Then again, it would be Yay..CARP is working

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Stuart Henderson
On 2008-10-19, Vivek Ayer [EMAIL PROTECTED] wrote: The only thing you can do to the CARP interface (which is the public IP in this case) is ping it, right? No, you can run services on it too.

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Jason Dixon
On Sun, Oct 19, 2008 at 01:04:35PM +0530, Girish Venkatachalam wrote: On 22:45:49 Oct 18, Vivek Ayer wrote: Actually, I feel kind of stupid for asking the question. Of course you can never ssh into the virtual carp interface, which is what I was trying to do. SSHing into the physical

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Vivek Ayer
Here's my pf.conf: # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $ # # See pf.conf(5) and /usr/share/pf for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. #

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Bryan Irvine
snip # pass rules block in pass out keep state pass in inet proto icmp all icmp-type $icmp_types keep state pass in quick on $int_if pass in on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state pass in on $ext_if inet proto tcp from any to

Re: Can't SSH into CARP'd system from the outside

2008-10-19 Thread Vivek Ayer
So you're saying I need to explicitly pass traffic to $carpdevs too? Would that let me ssh into the carp interface then? On Sun, Oct 19, 2008 at 2:52 PM, Bryan Irvine [EMAIL PROTECTED] wrote: snip # pass rules block in pass out keep state pass in inet proto icmp all icmp-type $icmp_types

Can't SSH into CARP'd system from the outside

2008-10-18 Thread Vivek Ayer
Hey guys, So after I set up CARP on my routers/firewalls, I've been having some problems. CARP for the most part works. There was a minor glitch that both CARP systems saw themselves as Master, but that was solved. The main problem now is I can't ssh from the Internet into them. Before CARP, I

Re: Can't SSH into CARP'd system from the outside

2008-10-18 Thread Vivek Ayer
Actually, I feel kind of stupid for asking the question. Of course you can never ssh into the virtual carp interface, which is what I was trying to do. SSHing into the physical interface still works no problem. Then again, it would be Yay..CARP is working 100%. The only thing you can do to the