I think I have figured it out: the pfctl -vsi checksums are identical,
everything works if I load filter rules via include (include
/etc/pf.filter), but when filter rules are loaded into an anchor (load
anchor shape from /etc/pf.filter), then after sync the ongoing
traffic won't hit the right queue.
On Thu, Jun 4, 2009 at 5:49 AM, Georg Kahest ge...@viatel.ee wrote:
I think I have figured it out: the pfctl -vsi checksums are identical,
everything works if I load filter rules via include (include
/etc/pf.filter), but when filter rules are loaded into an anchor (load
anchor shape from
Hello
The rules look identical to me at the moment, but I will double-check
them. One thing though: I don't have the same interface names on both boxes,
though the rules/queues are identical (they are built out of a script for
both boxes); the only exception is that the interface names are macros rather
than static.
A little update: the filter rules are these; except for the interface name
they are identical, and the queue names are identical as well, the only
difference is on what interface the queues are present.
Node1
pass in log on vlan0 inet from zzz.xxx.yyy./30 to any flags S/SA keep state
Hello again
I made identical configurations to both boxes pf-wise; the only difference
was the physical interface under the vlan interfaces on top of which carp
was built, and I could not get carp/pfsync to work correctly: ongoing
traffic at failover did not hit the right queue, only new traffic did.
Note:
* Georg Kahest ge...@viatel.ee [2009-06-02 10:01]:
The rules look identical to me at the moment, but I will double-check
them. One thing though: I don't have the same interface names on both boxes,
that is your problem.
The checksum in pfctl -vsi must be identical.
--
Henning Brauer, h...@bsws.de,
# $OpenBSD: netstart,v 1.122 2008/07/23 16:05:47 sthen Exp $
# $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
# uname -a
OpenBSD node1 4.4 GENERIC.MP#1 amd64
On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote:
On 2009-05-28, Georg Kahest ge...@viatel.ee wrote:
Hello, I
On 2009/06/01 12:55, Georg Kahest wrote:
# $OpenBSD: netstart,v 1.122 2008/07/23 16:05:47 sthen Exp $
# $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
# uname -a
OpenBSD node1 4.4 GENERIC.MP#1 amd64
It's not what I was thinking it might be then (there was a change
to the
This log is from the preferred (master) node; it seems that the problem is that carp0
takes master even before carp1 has gone to backup. How to resolve it, so
that they would go master at the same time?
Jun 1 14:45:54 node1 /bsd: carp0: state transition: INIT - BACKUP
Jun 1 14:45:54 node1 /bsd: carp: carp0
I had modified rc.conf a little and the last log paste was because of that
modification. This is the current log, but still the client behind the lan
carp loses its packets, first to its gateway with host unreachable and
after a few packets it's a timeout, and then everything starts working okay.
Jun 1
Okay, I think I figured it out: the problem was with my switch's spanning
tree; when I disabled it for the appropriate vlans everything started to work
correctly.
On E, 2009-06-01 at 13:14 +0200, Stuart Henderson wrote:
On 2009/06/01 12:55, Georg Kahest wrote:
# $OpenBSD: netstart,v 1.122
Okay, now that the failover seems to be working I have hit another problem:
the thing is, when failover occurs and the other node takes over, the client
connection won't hit the right ALTQ queue anymore, rather it goes
unqueued (full speed), and only the new connections initiated after
failover will hit the
On 2009/06/01 15:57, Georg Kahest wrote:
Okay, now that the failover seems to be working I have hit another problem:
the thing is, when failover occurs and the other node takes over, the client
connection won't hit the right ALTQ queue anymore, rather it goes
unqueued (full speed), and only the new
Yes, the rulesets are identical. The strange thing is that from pftop it seems
that it hits the default queue (25mbit queue) but somehow the client gets
~10MB/s, which seems more like the interface root queue value rather than that
default queue. Though the real queue it should use is at 8mbit.
On E, 2009-06-01 at 15:09
* Georg Kahest ge...@viatel.ee [2009-06-01 15:21]:
Yes, the rulesets are identical. The strange thing is that from pftop it seems
that it hits the default queue (25mbit queue) but somehow the client gets
~10MB/s, which seems more like the interface root queue value rather than that
default queue. Though the real
On 2009-05-28, Georg Kahest ge...@viatel.ee wrote:
Hello, I have a strange problem with my Carp/Pfsync: when I manually
fail over via carpdemote or ifconfig carpX down, then the failover works
okay, it even works okay when one box goes down, but when the preferred
master comes up again and starts
Hi Georg
I think I remember something like this ... could it be that carp takes
over the interface before pfsync has finished updating the booted
machine's connection table?
TCP (and many other protocols) takes care of such situations by simply
retransmitting, so any TCP connections should
* David Newman [EMAIL PROTECTED] [2007-06-04 03:59]:
but it says carp doesn't work with bridging
carp allows two hosts to share an IP.
Now explain to me how that is supposed to work with bridges, where the
forwarding does not happen at the IP layer.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL
Henning Brauer wrote:
* David Newman [EMAIL PROTECTED] [2007-06-04 03:59]:
but it says carp doesn't work with bridging
carp allows two hosts to share an IP.
Now explain to me how that is supposed to work with bridges, where the
forwarding does not
On 2007/06/04 07:11, David Newman wrote:
I could divide the /26 into smaller netblocks and configure pf to route
between them but I'm reluctant to do that given that I'd burn a network
and broadcast address for each netblock, and a /26 is small enough as it is.
Is there a better way? Thanks.
Stuart Henderson wrote:
On 2007/06/04 07:11, David Newman wrote:
I could divide the /26 into smaller netblocks and configure pf to route
between them but I'm reluctant to do that given that I'd burn a network
and broadcast address for each
* David Newman [EMAIL PROTECTED] [2007-06-04 16:27]:
Henning Brauer wrote:
* David Newman [EMAIL PROTECTED] [2007-06-04 03:59]:
but it says carp doesn't work with bridging
carp allows two hosts to share an IP.
Now explain to me how that is
On 2007/06/04 08:19, David Newman wrote:
Stuart Henderson wrote:
On 2007/06/04 07:11, David Newman wrote:
I could divide the /26 into smaller netblocks and configure pf to route
between them but I'm reluctant to do that given that I'd burn a network
and broadcast address for each
On Monday 04 June 2007 17:19:10 David Newman wrote:
OK, but how then to get redundancy across the firewalls?
STP - see brconfig(8).
--
Antoine
--- Quoting Gilles Chehade on 2007/04/18 at 22:23 +0200:
Hi misc@,
I am trying to setup a set of carp-ed firewalls as follow:
ISP 1 ISP 2
| |
\ /
_ SWITCH # 1 _