On 03/07/2013, at 10:11 PM, Mark Felder f...@feld.me wrote:
On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot loic.b...@unix-experience.fr
wrote:
Hello,
no carp is used at this time.
pfsync needs to be used with carp... without it you're just playing
whack-a-mole with your session table.
On 03/07/2013, at 6:23 PM, Loïc Blot loic.b...@unix-experience.fr wrote:
Okay, defer is now enabled on pfsync interface (sorry for my last idea,
i haven't the man on me :) ).
It seems the problem isn't resolved.
The transfer starts but blocked at random time.
i have hit this too, despite
am mistaking doing this ?
--
Cordialement,
Pierre BARDOU
-Message d'origine-
De : David Gwynne [mailto:da...@gwynne.id.au]
Envoyé : jeudi 4 juillet 2013 09:47
À : loic.b...@unix-experience.fr
Cc : misc@openbsd.org
Objet : Re: PF sync doesn't not work very well
On 03/07/2013, at 6:23 PM
[pfsync w/o carp]
* Mark Felder f...@feld.me [2013-07-03 16:37]:
First of all, the states of node 1 being synced to node 2 and vice
versa is worthless because they have different IP addresses; the
states wont match anything.
orly.
have you actually LOOKED at your state table?
pfctl -vvss to
* mxb m...@alumni.chalmers.se [2013-07-03 17:33]:
States ARE synced.
IPs are not the same on node1 and node2 for external. The you
initiated connection to ftp.fr, you done it via node1 with its external
IP. On node2 those packets will be DROPPED as those do not belong to
external NIC on
* BARDOU Pierre bardo...@mipih.fr [2013-07-04 14:38]:
I don't know if this may help you, but I have a working BGP setup with two
routers active/active.
I don't use pfsync, but keep state (sloppy).
This is less secure according to pf.conf(5), but that's not really a concern
for me as those
My apologies for just being noise; I missed his first full post with
much more detail. I was picturing him trying to run redundant servers
without CARP and running into issues of states disappearing.
Henning, with all respect(!), I'd cut you off with this home NATing.
My home is far more simple than need of active-active CARP (IT IS NOT as of
writing)
With all respect to ALL devs working and pushing new code upstreams,
we still have MP-problems. For sure, I'm not the one to fix this - I
Hello all,
thanks for this interesting debate about pf syncing.
To remember my initial question:
pfsync seems to sync states but not correctly on my BGP+OSPF routers.
Because each BGP router is master/standby to 2 neighbors (full meshed
bgp) packets which are outgoing by one router can income by
On Thu, 04 Jul 2013 21:30:56 +0200
Loïc BLOT loic.b...@unix-experience.fr wrote:
Hello all,
thanks for this interesting debate about pf syncing.
To remember my initial question:
pfsync seems to sync states but not correctly on my BGP+OSPF routers.
Because each BGP router is master/standby
you could try using sloppy states like henning suggested. you'll still get to
write stateful rules and get the tcp state machine checks but not the tcp
window checks.
if it works with sloppy states it narrows the issue down to the pfsync state
merge code. at the moment im kind of guessing
Hi,
Thanks for your reply. I wasn't careful about this section.
If i understand i must add defer option to my WAN iface (or i'm wrong i
must add it to my vlan995 iface ?) ?
I will test it this morning, and i return back to misc :)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network
Okay, defer is now enabled on pfsync interface (sorry for my last idea,
i haven't the man on me :) ).
It seems the problem isn't resolved.
The transfer starts but blocked at random time.
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
How does your CARP setup looks like. On both machines?
Can you send your ifconfig output?
What is your environment/setup for this 2-node CARP?
How interfaces (ext/int) are connected? What switches do you use?
On 3 jul 2013, at 10:23, Loïc Blot loic.b...@unix-experience.fr wrote:
Okay, defer
Hello,
no carp is used at this time.
My configuration on each router is simple:
em0 + em3 = trunk0
em1 + em2 = trunk1
4 interco vlan (at this time, only 2 are active, 1 for a BGP neighbor
IPv4, 1 for a BGP neighbor IPv6) on trunk0
vlan 50 + vlan 90 + vlan995 on trunk1
pfsync on vlan 995
--
On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
loic.b...@unix-experience.fr wrote:
Hello,
no carp is used at this time.
pfsync needs to be used with carp... without it you're just playing
whack-a-mole with your session table.
It's not possible to sync pf table without CARP ?
I must use it in some case, then those case will be fixed but the other
(OSPFd routing) may fail i think ?
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
Le mercredi 03 juillet 2013
On Wed, 03 Jul 2013 07:40:08 -0500, Loïc Blot
loic.b...@unix-experience.fr wrote:
It's not possible to sync pf table without CARP ?
In order to answer that I'll need to understand what you believe the pf
table is.
Sure it syncs, but
node1 has completely different IP addresses than node2(both external and
internal ??), if no CARP.
So storing states from node1, which passes/initiated connection to ftp.fr , on
node2 does not help.
In your case, you'd probably to decide to ever have MASTER-BACKUP or to have
For me pf table is (sorry for the missing precisions) the pf state
stable for stateful operations
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
Le mercredi 03 juillet 2013 à 08:22 -0500, Mark Felder a écrit :
On Wed, 03 Jul 2013
Le Wed, 03 Jul 2013 07:11:08 -0500,
Mark Felder f...@feld.me a écrit :
On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
loic.b...@unix-experience.fr wrote:
Hello,
no carp is used at this time.
pfsync needs to be used with carp... without it you're just playing
whack-a-mole with your
On Wed, 03 Jul 2013 09:24:54 -0500, Loïc Blot
loic.b...@unix-experience.fr wrote:
For me pf table is (sorry for the missing precisions) the pf state
stable for stateful operations
First of all, the states of node 1 being synced to node 2 and vice versa
is worthless because they have
I don't understand why they can't be synced because if i have this
scheme:
server 1 - | Router 1 + Router 2 | remote
server 1 contact remote, outgoing by Router 1 and the return traffic
comes from Router 2.
The state may have server 1 port A to remote port B, then the virtual
IP is useless in
States ARE synced.
IPs are not the same on node1 and node2 for external. The you initiated
connection to ftp.fr, you done it via node1 with its external IP. On node2
those packets will be DROPPED as those do not belong to external NIC on node2
(IP)
On 3 jul 2013, at 17:16, Loïc Blot
The connection is not done by my routers themselves but by DMZ servers
behind them !
--
Best regards,
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
Le mercredi 03 juillet 2013 à 17:32 +0200, mxb a écrit :
States ARE synced.
IPs are not the same on
Hi all
I have a strange issue (or i haven't read pfsync correctly but i don't
think this is the problem :D)
I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site.
Those BGP routers are secure with strong PF in stateful mode, and the
stateful is working very well on each router.
pfsync(4) explains this:
… The pfsync interface will attempt to collapse multiple state updates into
a single packet where possible. The maximum number of times a single
state can be updated before a pfsync packet will be sent out is
controlled by the maxupd parameter
…
and
…
27 matches
Mail list logo
