Debugging no route to host problem?

2009-03-16 Thread Falk Brockerhoff - smartTERRA GmbH

Hi,

I run OpenBSD 4.4 GENERIC#1021 i386 on a Dell PowerEdge 2650 system as
a firewall. On the LAN side I configured multiple carp interfaces - without
any backup system at the moment (for testing purposes). Almost everything is
running fine, but sometimes I get a "no route to host" error - not for
all routes/interfaces, but one or two...


(BTW: Is there any way to follow 4.4-STABLE with OpenBSD-binary-upgrade?)


Any idea how to debug this kind of trouble? (Another problem is that
the route is not unknown for a long time, only for a few seconds. So I
can't tell much about the state of the carp interface at the moment
when the route is unknown.)


All interfaces are configured this way (vmstat, ps aux, sysctl and
dmesg below):


carp310: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: routing problem test
        carp: MASTER carpdev vlan310 vhid 1 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:101%carp310 prefixlen 64 scopeid 0x27
        inet IP netmask 0xfff8 broadcast Broadcast
vlan310: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:a5:ce:48:4f
        description: routing problem test
        vlan: 310 priority: 0 parent interface: em2
        groups: vlan
        inet6 fe80::202:a5ff:fece:484f%vlan310 prefixlen 64 scopeid 0x9
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:a5:ce:48:4f
        description: Link to vtsw02 g0/1 Trunk
        media: Ethernet autoselect (1000baseSX full-duplex)
        status: active
        inet6 fe80::202:a5ff:fece:484f%em2 prefixlen 64 scopeid 0x5

$ vmstat
 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr cd0 sd0  int   sys   cs us sy id
 0 0 0  61392 3793148   34   0   0   0   0   0   0   1 4827   322   81  0  9 91


$ cat /etc/sysctl.conf
net.inet.tcp.keepidle=28800
kern.maxclusters=128000
net.inet.ip.ifq.maxlen=2500
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets

net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
net.inet.icmp.errppslimit=1000
ddb.panic=0                     # 0=Do not drop into ddb on a kernel panic

ddb.console=1                   # 1=Permit entry of ddb from the console

$ ps aux
USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root         1  0.0  0.0   504   292 ??  Ss     4:30AM 0:00.03 /sbin/init
root     12828  0.0  0.0   464   628 ??  Is     4:34AM 0:00.00 syslogd: [priv] (syslogd)
_syslogd 32700  0.0  0.0   500   688 ??  S      4:34AM 0:00.44 syslogd -a /var/named/dev/log -a /var/empty/dev/log
root     22296  0.0  0.0   480   372 ??  Is     4:34AM 0:00.00 pflogd: [priv] (pflogd)
_pflogd  26695  0.0  0.0   544   312 ??  S      4:34AM 0:01.33 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
proxy     8154  0.0  0.0   572  1132 ??  Ss     4:36AM 0:23.45 /usr/sbin/ftp-proxy -a lo1IP -m 500
root      1161  0.0  0.0   624  1192 ??  Ss     4:36AM 0:00.16 /usr/sbin/sshd -o UseDNS=no
root     17374  0.0  0.1  2120  4144 ??  S      4:36AM 0:54.97 /usr/local/sbin/snmpd
root     12471  0.0  0.0  1100  1784 ??  Ss     4:36AM 0:01.10 sendmail: accepting connections (sendmail)
root     15666  0.0  0.0   576   808 ??  Is     4:38AM 0:00.05 cron
root     15531  0.0  0.0   632  1120 ??  Ss     4:43AM 0:00.93 ospfd: parent (ospfd)
_ospfd   27351  0.0  0.0   628  1108 ??  I      4:43AM 0:00.20 ospfd: route decision engine (ospfd)
_ospfd    8827  0.0  0.0   888  1408 ??  S      4:43AM 0:01.31 ospfd: ospf engine (ospfd)
root     13772  0.0  0.1   916  2696 ??  S      5:41AM 0:00.72 /usr/local/sbin/arpwatch -i carp110 -f /var/arpwatch/carp110.dat
root     26478  0.0  0.1  1000  2700 ??  S      5:41AM 0:00.73 /usr/local/sbin/arpwatch -i carp120 -f /var/arpwatch/carp120.dat
root      8729  0.0  0.1   908  2712 ??  S      5:41AM 0:00.70 /usr/local/sbin/arpwatch -i carp130 -f /var/arpwatch/carp130.dat
root     27014  0.0  0.1  1036  2688 ??  S      5:41AM 0:00.74 /usr/local/sbin/arpwatch -i carp132 -f /var/arpwatch/carp132.dat
root      2304  0.0  0.1   872  2684 ??  S      5:41AM 0:00.71 /usr/local/sbin/arpwatch -i carp150 -f /var/arpwatch/carp150.dat
root      2384  0.0  0.1   924  2684 ??  S      5:41AM 0:00.69 /usr/local/sbin/arpwatch -i carp160 -f /var/arpwatch/carp160.dat
root     29466  0.0  0.1   912  2688 ??  S      5:41AM 0:00.71 /usr/local/sbin/arpwatch -i carp170 -f /var/arpwatch/carp170.dat
root      2258  0.0  0.1   908  2680 ??  S      5:41AM 0:00.71 /usr/local/sbin/arpwatch -i carp180 -f /var/arpwatch/carp180.dat
root      9026  0.0  0.1  1040  2700 ??  S      5:41AM 0:00.74 /usr/local/sbin/arpwatch -i carp190

How do I monitor my PF based firewall?

2009-03-04 Thread Falk Brockerhoff - smartTERRA GmbH

Hello,

I'd like to monitor my firewalls using snmp and cacti. But I don't know
how to get all the information about pf, states, etc. On the net I
only found hints about older OpenBSD versions (I use OpenBSD 4.4-stable
and the included snmpd). Can you please give me a hint in the
right direction?


Regards,

Falk



Re: How do I monitor my PF based firewall?

2009-03-04 Thread Falk Brockerhoff - smartTERRA GmbH

On 04.03.2009 at 11:23, Lars Noodin wrote:

> It's probably simplest to start with pftop.

After a first quick look pftop is a great tool for debugging and
manually monitoring firewall activity. But it seems that I really
can't use it as a data source collector for cacti, can I?

> Or do you want visualization?
> http://www.openbsd.org/4.4_packages/i386/pfstat-2.3p0.tgz-long.html

Yes, but I want to use cacti for visualization as I use it for
everything else :)

> Regards
> -Lars

Thanks!

Falk



Re: How do I monitor my PF based firewall?

2009-03-04 Thread Falk Brockerhoff - smartTERRA GmbH

On 04.03.2009 at 11:11, Stephan A. Rickauer wrote:

> As far as I remember, including a 'PF-MIB' into opensnmpd is on reyk@'s
> ever growing todo list already.

Good news that this is on a todo list. Bad news that this list is
ever growing. :)

But thanks for this information anyway!

> Stephan A. Rickauer


Regards,

Falk



Re: How do I monitor my PF based firewall?

2009-03-04 Thread Falk Brockerhoff - smartTERRA GmbH

On 04.03.2009 at 14:10, Jason Dixon wrote:

> Here's how you can use net-snmp's extend functionality:
>
> $ cat /usr/local/sbin/countPFstates.sh
> #!/bin/sh
> pfctl -si | grep entries | awk '{print $3}'

Ok, this is a way we can go. Is there any possibility to use the
extend feature with OpenBSD's builtin snmpd?

Does anybody monitor pf values this (or another) way and may share
which information from pf should be monitored?


Regards,

Falk



Re: How do I monitor my PF based firewall?

2009-03-04 Thread Falk Brockerhoff - smartTERRA GmbH

On 04.03.2009 at 14:46, Jason Dixon wrote:

> Other people use the PF-MIB patch to net-snmp.  We don't need that
> functionality.  We like to monitor the following for our PF firewalls in
> Cacti:

The number of passed and blocked packets would also be
interesting. Perfect if I could get these values per vlan...

Any idea how to get these values?




Regards,

Falk
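As an added example (not code from this thread), the per-interface pass/block packet counters that `pfctl -vsI` reports can be reduced to one Cacti-style "key:value" line per interface, which is the per-vlan figure asked for above. The sample output embedded below is constructed, and its field layout is assumed to match OpenBSD 4.4's `pfctl -vsI`.

```shell
#!/bin/sh
# Added example, not from the thread: reduce the per-interface packet
# counters of `pfctl -vsI` to one "key:value" line per interface, the
# form a Cacti script/command data source consumes.
# Assumption: the layout "In4/Pass: [ Packets: N Bytes: N ]" matches
# OpenBSD 4.4's pfctl -vsI output.

# Constructed sample of `pfctl -vsI` covering two VLAN interfaces.
SAMPLE_PFCTL_VSI='vlan310
        Cleared:     Mon Mar 16 04:30:00 2009
        References:  [ States:  12                 Rules: 4                  ]
        In4/Pass:    [ Packets: 1500               Bytes: 120000             ]
        In4/Block:   [ Packets: 25                 Bytes: 1200               ]
        Out4/Pass:   [ Packets: 1400               Bytes: 110000             ]
        Out4/Block:  [ Packets: 3                  Bytes: 180                ]
        In6/Pass:    [ Packets: 10                 Bytes: 800                ]
        In6/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out6/Pass:   [ Packets: 8                  Bytes: 640                ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                  ]
vlan320
        Cleared:     Mon Mar 16 04:30:00 2009
        References:  [ States:  3                  Rules: 2                  ]
        In4/Pass:    [ Packets: 200                Bytes: 16000              ]
        In4/Block:   [ Packets: 7                  Bytes: 420                ]
        Out4/Pass:   [ Packets: 190                Bytes: 15200              ]
        Out4/Block:  [ Packets: 0                  Bytes: 0                  ]
        In6/Pass:    [ Packets: 0                  Bytes: 0                  ]
        In6/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out6/Pass:   [ Packets: 0                  Bytes: 0                  ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                  ]'

# pf_if_counters IFNAME < pfctl-vsI-output
# Prints "in_pass:N in_block:N out_pass:N out_block:N" (IPv4 + IPv6
# summed) for IFNAME. Exit status 1 if the interface never appears, so a
# wrapper can report "unknown" instead of silently graphing zeros.
pf_if_counters() {
    awk -v want="$1" '
    # Interface names start in column 1; counter lines are indented.
    /^[^ \t]/ { cur = $1; if (cur == want) seen = 1; next }
    cur == want && $1 ~ /^(In|Out)[46]\/(Pass|Block):$/ {
        key = $1
        sub(/[46]\//, "_", key)   # In4/Pass: -> In_Pass:
        sub(/:$/, "", key)        # In_Pass:  -> In_Pass
        n[tolower(key)] += $4     # $4 is the packet count
    }
    END {
        if (!seen) exit 1
        printf "in_pass:%d in_block:%d out_pass:%d out_block:%d\n",
               n["in_pass"], n["in_block"], n["out_pass"], n["out_block"]
    }'
}

# Stand-alone demo on the constructed sample; on the firewall itself
# feed the live output instead:  pfctl -vsI | pf_if_counters vlan310
printf '%s\n' "$SAMPLE_PFCTL_VSI" | pf_if_counters vlan310
```

The counters are cumulative since the last `pfctl -Fi` or boot, so graph them as COUNTER (rate) data sources rather than GAUGE.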



relayd: rdr instead of proxy mode?

2009-02-24 Thread Falk Brockerhoff - smartTERRA GmbH

Hi,

I'm using relayd for loadbalancing incoming tcp traffic, works fine
like a charm :-)

But as relayd works like a proxy, in the log files of my applications
there is always the ip address of the load balancing node and not of
the real client. Is there a way to have relayd redirect all packets
like pf's rdr function instead of working like a classical proxy?

Another way to reach the final goal is to use pf with rdr statements,
but in this case I don't have any check whether the target node is available
or not.

Both solutions only go half of the way I want to go - any ideas,
hints, suggestions?


Regards,

Falk



Re: Tentakel and exec sudo ...

2009-02-10 Thread Falk Brockerhoff - smartTERRA GmbH

On 08.02.2009 at 16:18, Todd C. Miller wrote:

> Do you know whether tentakel is running ssh with the -t flag or
> not?

I think tentakel's running without this flag. In the file
/etc/tentakel.conf I can see:

# first section: global parameters
set ssh_path=/usr/bin/ssh

Adding a -t at the end doesn't matter :-/

> - todd


Regards,

Falk



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-09 Thread Falk Brockerhoff - smartTERRA GmbH

On 09.02.2009 at 09:53, Claudio Jeker wrote:

> Please try the attached diff.

A general question about diffs like this: will these diffs
automatically go into -current in the next couple of days/weeks? Or do I
have to apply all these patches by hand?

> :wq Claudio


Thanks,

Falk



Re: bgpd fails to install ipv6 routes in kernel routing table

2009-02-09 Thread Falk Brockerhoff - smartTERRA GmbH

On 09.02.2009 at 11:23, Claudio Jeker wrote:

> If the diff works it will go into -current. So currently I'm waiting for
> positive test results and hopefully an ok by henning@

Perfect. Thank you (and Henning and all the others), once again, for
your incredible and fast support!

> :wq Claudio


Regards,

Falk



Tentakel and exec sudo ...

2009-02-08 Thread Falk Brockerhoff - smartTERRA GmbH

Hi there,

is there any way to execute sudo (in combination with a password to
provide) on remote servers using tentakel? Actually tentakel hangs
when I'm executing sudo ls -l / on a bunch of servers. Without sudo
everything works fine, as you can see from the example below.


[f...@management] [~]$ tentakel -g mail
interactive mode
tentakel(mail) exec uptime
### mail.mx0(0):
 13:52:59 up 31 days,  3:19,  1 user,  load average: 0.00, 0.00, 0.00
### mail.mx1(0):
 13:53:01 up 31 days, 15:06,  0 users,  load average: 0.00, 0.00, 0.00
### mail.mx2(0):
 13:53:01 up 29 days, 18:28,  0 users,  load average: 0.00, 0.00, 0.00
### mail.mail0(0):
 14:52:59 up 14 days, 16:56,  0 users,  load average: 0.00, 0.00, 0.00
### mail.mail1(0):
 13:56:24 up 14 days, 16:46,  0 users,  load average: 0.00, 0.00, 0.00
### mail.spam0(0):
 13:53:01 up 30 days, 15:51,  0 users,  load average: 0.00, 0.00, 0.00
### mail.spam1(0):
 13:53:01 up 30 days, 15:52,  0 users,  load average: 0.00, 0.00, 0.00
### mail.spam2(0):
 13:53:01 up 29 days, 18:28,  0 users,  load average: 0.00, 0.00, 0.00
### mail.mailout0(0):
 13:53:01 up 30 days, 4 min,  0 users,  load average: 0.00, 0.00, 0.00
### mail.mailout1(0):
 13:53:01 up 29 days, 23:56,  0 users,  load average: 0.00, 0.00, 0.00

tentakel(mail) exec sudo uptime

Regards,

Falk



Problems getting tentakel running on 4.4

2009-02-07 Thread Falk Brockerhoff - smartTERRA GmbH

Hi there,

I just installed tentakel-2.1.2p1 using python-2.5.2p4 on
OpenBSD 4.4 GENERIC#1021 i386. When I call this utility I get the
following error message:


$ tentakel
Traceback (most recent call last):
  File "/usr/local/bin/tentakel", line 94, in <module>
    conf.load(configfile)
  File "/usr/obj/i386/tentakel-2.1.2p1/fake-i386/usr/local/lib/python2.5/site-packages/lekatnet/config.py", line 163, in load
  File "/usr/obj/i386/tentakel-2.1.2p1/fake-i386/usr/local/lib/python2.5/site-packages/lekatnet/config.py", line 155, in parse
  File "/usr/obj/i386/tentakel-2.1.2p1/fake-i386/usr/local/lib/python2.5/site-packages/lekatnet/tpg.py", line 921, in __call__
  File "/usr/obj/i386/tentakel-2.1.2p1/fake-i386/usr/local/lib/python2.5/site-packages/lekatnet/tpg.py", line 934, in parse
  File "<string>", line 8, in START
  File "<string>", line 5, in SETTING
  File "<string>", line 15, in PARAM
  File "/usr/obj/i386/tentakel-2.1.2p1/fake-i386/usr/local/lib/python2.5/site-packages/lekatnet/tpg.py", line 986, in extract
TypeError: object cannot be interpreted as an index

I found this post to openbsd-security, but I'm not able to install
either python-2.4.4p4 or python-2.4.4p6 (from 4.2 / 4.3 packages) on
my (4.4) system:


http://archives.neohapsis.com/archives/openbsd/2007-10/1567.html

$ sudo pkg_add python-2.4.4p6.tgz
Can't install python-2.4.4p6: lib not found c.43.0
c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
Can't install python-2.4.4p6: lib not found crypto.13.0
crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
Can't install python-2.4.4p6: lib not found m.2.3
m.2.3: partial match in /usr/lib: major=3, minor=0 (bad major)
Can't install python-2.4.4p6: lib not found pthread.9.0
pthread.9.0: partial match in /usr/lib: major=11, minor=0 (bad major)
Can't install python-2.4.4p6: lib not found stdc++.44.0
stdc++.44.0: partial match in /usr/lib: major=45, minor=0 (bad major)


Any idea how to get tentakel running?

dmesg below.

Regards,

Falk



OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) III CPU - S 1400MHz ("GenuineIntel" 686-class) 1.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 1073250304 (1023MB)
avail mem = 1029357568 (981MB)
User Kernel Config
UKC> disable acpi
429 acpi0 disabled
UKC> di\^H \^H\^H \^Hboot
Unknown command, try help
UKC> exit
Continuing...
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/01/03, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfb240 (47 entries)
bios0: vendor Dell Computer Corporation version "A10" date 05/01/2003
bios0: Dell Computer Corporation PowerEdge 1650
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc220/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x6000 0xcf000/0x600 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20HE Host" rev 0x23
pci1 at pchb0 bus 1
em0 at pci1 dev 2 function 0 "Intel PRO/1000XT (82544EI)" rev 0x02: irq 7, address 00:0b:db:90:e6:67
em1 at pci1 dev 4 function 0 "Intel PRO/1000XT (82544EI)" rev 0x02: irq 5, address 00:0b:db:90:e6:68
ahc0 at pci1 dev 6 function 0 "Adaptec AIC-7899 U160" rev 0x01: irq 11
scsibus0 at ahc0: 16 targets, initiator 7
sd0 at scsibus0 targ 0 lun 0: <QUANTUM, ATLAS10K3_18_SCA, 120G> SCSI3 0/direct fixed
sd0: 17366MB, 31022 cyl, 2 head, 573 sec, 512 bytes/sec, 35566478 sec total
safte0 at scsibus0 targ 6 lun 0: <PE/PV, 1x3 SCSI BP, 0.29> SCSI2 3/processor fixed
ahc1 at pci1 dev 6 function 1 "Adaptec AIC-7899 U160" rev 0x01: irq 7
scsibus1 at ahc1: 16 targets, initiator 7
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20HE Host" rev 0x01
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20HE Host" rev 0x01
pchb3 at pci0 dev 0 function 3 "ServerWorks CNB20HE Host" rev 0x01
pci2 at pchb3 bus 2
"Dell DRAC 4 Embedded/Optional" rev 0x00 at pci0 dev 8 function 0 not configured
puc0 at pci0 dev 8 function 1 "Dell DRAC 3 Virtual UART" rev 0x00: ports: 1 com
com3 at puc0 port 0 irq 7: ns16550a, 16 byte fifo
com3: probed fifo depth: 0 bytes
"Dell DRAC 3 Embedded/Optional" rev 0x00 at pci0 dev 8 function 2 not configured
fxp0 at pci0 dev 10 function 0 "Intel 8255x" rev 0x0d, i82550: irq 11, address 00:02:b3:ed:94:75
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci0 dev 12 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
piixpm0 at pci0 dev 15 function 0 "ServerWorks CSB5" rev 0x93: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 512MB SDRAM registered

Re: Problems getting tentakel running on 4.4

2009-02-07 Thread Falk Brockerhoff - smartTERRA GmbH

On 07.02.2009 at 23:11, Tasmanian Devil wrote:

> Hello! :-)

Hi :)

> What you need is:

Ok, thank you for your hint. I tried, and now tentakel's running fine :)

> Tas.


Regards,

Falk



Re: Problems getting tentakel running on 4.4

2009-02-07 Thread Falk Brockerhoff - smartTERRA GmbH

On 07.02.2009 at 18:39, Falk Brockerhoff - smartTERRA GmbH wrote:

> but I'm not able to install either python-2.4.4p4 or python-2.4.4p6
> (from 4.2 / 4.3 packages) on my (4.4) system:

Hint for myself: works with python-2.4.4p7.tgz from 4.4 packages
*selfslap*




Regards,

Falk



Re: dhcrelay on carp interface (above vlan)

2008-03-14 Thread Falk Brockerhoff - smartTERRA GmbH

On 14.03.2008 at 08:13, Marc Balmer wrote:

> Falk Brockerhoff - smartTERRA GmbH wrote:
>
>> I think a good solution is to look if the given interface is a
>> carp interface and to figure out the carpdev interface. Then this
>> can be used to listen on. But my programming skills are really
>> poor, else I would provide a patch...
>
> you can provide the interface name on the command line using -i:
>
> e.g. carp0 carpdev vr0

Yes, I know. But I have to provide a numbered interface. In this case
the carp interface. This results in having dhcrelay listening on this
carp interface, too. But it has to listen on the vlan (in your
example the physical interface vr0) interface to catch the dhcp
request. That's my problem :-)


Regards,

Falk Brockerhoff



dhcrelay on carp interface (above vlan)

2008-03-13 Thread Falk Brockerhoff - smartTERRA GmbH

Hi,

I run a firewall cluster with several vlans configured on one physical
interface. On these vlans I have a carp interface. Same on a second
firewall node, so failover is fine.

To be able to install or boot servers from the network I set up a PXE
boot server. But it's a little bit annoying to configure the switch
port's vlan each time I want to use PXE boot. That's why I'd like to use
dhcrelay on the firewall.

But there is a problem: dhcrelay can only be started on a numbered
interface - as expected. Here this is the carp interface. But the dhcp/
bootp requests are sent via the vlan interface, as I can see with
tcpdump. So dhcrelay won't forward any of these requests.

Actually I can have failover between the firewalls with carp, or
dhcrelay without carp and only with vlans, but no redundancy. What a
pity.

Is there a way to have both, failover and dhcrelay capabilities?

Regards,

Falk



Re: dhcrelay on carp interface (above vlan)

2008-03-13 Thread Falk Brockerhoff - smartTERRA GmbH

Hi,

I think a good solution is to look if the given interface is a carp
interface and to figure out the carpdev interface. Then this can be
used to listen on. But my programming skills are really poor, else I
would provide a patch...


Regards,

Falk
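The carpdev lookup suggested in this post, and the carp-state capture that the "no route to host" post at the top of this page lacks, both come down to parsing the "carp: MASTER carpdev vlan310 vhid 1 ..." line that ifconfig prints. Below is an added example (not code from the thread or from OpenBSD) that does both; the ifconfig output it embeds is constructed from the format shown in the posts, and `carp_watch` is a hypothetical helper that reads the live system.

```shell
#!/bin/sh
# Added example, not from the thread: read the "carp:" line of ifconfig
# output (format as shown in the posts: "carp: MASTER carpdev vlan310
# vhid 1 advbase 1 advskew 0") to learn the carp state and the underlying
# carpdev, and poll for state transitions so a BACKUP/INIT period that
# lasts only a few seconds still ends up in a log with a timestamp.

# Constructed ifconfig output for a carp interface above a vlan.
SAMPLE_IFCONFIG='carp310: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: routing problem test
        carp: MASTER carpdev vlan310 vhid 1 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:101%carp310 prefixlen 64 scopeid 0x27
        inet 192.0.2.1 netmask 0xfffffff8 broadcast 192.0.2.7'

# carp_info < ifconfig-output
# Prints "STATE CARPDEV" (e.g. "MASTER vlan310"); exit 1 when there is no
# carp: line, i.e. the interface is not a carp interface.
carp_info() {
    awk '
    $1 == "carp:" {
        st = $2
        for (i = 3; i < NF; i++) if ($i == "carpdev") dev = $(i + 1)
    }
    END { if (st == "") exit 1; print st, dev }'
}

carp_state()   { carp_info | cut -d " " -f 1; }
carp_carpdev() { carp_info | cut -d " " -f 2; }

# carp_watch IFNAME [INTERVAL]  (hypothetical helper; reads the live host)
# Logs every state change; run it in the background while reproducing the
# problem and correlate the timestamps with the "no route to host" errors.
carp_watch() {
    ifname=$1; interval=${2:-1}; last=""
    while :; do
        cur=$(ifconfig "$ifname" 2>/dev/null | carp_state)
        [ -n "$cur" ] || cur=unknown
        if [ "$cur" != "$last" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') $ifname: ${last:-start} -> $cur"
            last=$cur
        fi
        sleep "$interval"
    done
}

# Stand-alone demo on the constructed sample; on a real node use
#   ifconfig carp310 | carp_carpdev      or      carp_watch carp310 1 &
printf '%s\n' "$SAMPLE_IFCONFIG" | carp_info
```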



Hardware to give away Sun Sparc II / Ultra 5/ DEC Alpha Workstation-II (Duisburg/Germany)

2008-03-12 Thread Falk Brockerhoff - smartTERRA GmbH

Hi,

I cleaned up my attic and found some hardware I do not need
any more. I'm not at home at the moment, but AFAIR there is a Sun
Sparc 2 and a Sun Ultra 5. Perhaps there is a DEC Alpha Workstation
II, too.

Can be picked up in Duisburg / Germany. If you like you can spend some
money for a local charitable youth and cultural association - you're
welcome.


Regards,

Falk



OpenBGPd won't receive prefix

2007-02-17 Thread Falk Brockerhoff - smartTERRA GmbH

Hello,

I just set up two identical machines to make some tests with vlan, carp
and openbgpd to replace my cisco routers in the next couple of months.
VLAN and carp configuration is quite easy, it works out of the box and
without any problems. OpenBGPd runs fine, too. Err, nearly fine.

I named my two boxes Pinky and Brain :) On both I configured the same
VLAN and CARP - these should be the local gateways for the other boxes
connected using a normal cisco switch. I pasted the output of the
ifconfig command to the bottom of this mail.

To reach some kind of redundancy I set up an iBGP session between Pinky
and Brain. It is a very simple configuration and has only minor
differences - you can find the complete configuration file at the bottom
of the mail:

 router-id 194.9.86.1
 router-id 194.9.86.2

 neighbor 194.9.86.2 {
 neighbor 194.9.86.1 {

   local-address   194.9.86.1
   local-address   194.9.86.2

I expect to receive the specified network prefix from Pinky on Brain via
iBGP and vice versa. But on Brain I can't find any advertised prefix
from Pinky:


Pinky# bgpctl sh
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrefixRcvd
Brain                   35548          8          7     0 00:04:23      0

The other side works fine, Brain is receiving the prefix from Pinky.

Brain# bgpctl sh
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrefixRcvd
Pinky                   35548          6          7     0 00:03:11      1

Both sides advertise the prefix, I can't find any misconfiguration on
this. Brain advertises the prefix as you can see here:

Brain# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
I*    195.140.212.0/23     194.9.86.1         100     0        i
AI*   195.140.212.0/23     0.0.0.0            100     0        i

But I don't receive it on Pinky (as you can see above):

Pinky# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
AI*   195.140.212.0/23     0.0.0.0            100     0        i


Does anybody have an explanation for this behaviour? I tried without any
vlan and carp interfaces, only with normally configured interfaces - the
same. I'm at a loss. You are my last hope :-))



Regards,

Falk

--snipp--
Output of the ifconfig command:

##Pinky:
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:5b:ec:48:c5
        vlan: 212 priority: 0 parent interface: em1
        groups: vlan
        inet6 fe80::206:5bff:feec:48c5%vlan212 prefixlen 64 scopeid 0x9
        inet 195.140.212.2 netmask 0x broadcast 195.140.212.2
carp212: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:d4
        carp: MASTER carpdev vlan212 vhid 212 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:1d4%carp212 prefixlen 64 scopeid 0xe
        inet 195.140.212.1 netmask 0xff00 broadcast 195.140.212.255

##Brain:
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0f:1f:66:3f:d3
        vlan: 212 priority: 0 parent interface: em1
        groups: vlan
        inet6 fe80::20f:1fff:fe66:3fd3%vlan212 prefixlen 64 scopeid 0x9
        inet 195.140.212.3 netmask 0x broadcast 195.140.212.3
carp212: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:d4
        carp: BACKUP carpdev vlan212 vhid 212 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:1d4%carp212 prefixlen 64 scopeid 0xf
        inet 195.140.212.1 netmask 0xff00 broadcast 195.140.212.255


--snipp--
The complete configuration file:

##Pinky:
# global configuration
AS 35548
router-id   194.9.86.1
network 195.140.212.0/23

holdtime180
holdtime min3

neighbor 194.9.86.2 {
remote-as   35548
descr   Brain
local-address   194.9.86.1
announceall
tcp md5sig key  foobar
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any prefixlen 8 - 24

# do not accept a default route
deny from any prefix 0.0.0.0/0

# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen = 8
deny from any prefix 172.16.0.0/12 prefixlen = 12
deny from any prefix 192.168.0.0/16 prefixlen = 16
deny from any prefix 169.254.0.0/16 prefixlen = 16
deny from any prefix 192.0.2.0/24 prefixlen = 24
deny from any prefix 224.0.0.0/4 prefixlen = 4
deny from any prefix 240.0.0.0/4 prefixlen = 4

##Brain:
# global configuration
AS 35548
router-id   194.9.86.2
network 195.140.212.0/23

holdtime180
holdtime min3

neighbor 194.9.86.1 {

Nagios plugin for checking OpenBGPd-Peers

2007-02-14 Thread Falk Brockerhoff - smartTERRA GmbH

Hello,

has anybody written a nagios plugin to check the presence of some
specified bgp peers set up with openbgpd? In the past I used check_bgp
in combination with cisco routers, which checks the peer state via snmp.


Regards,

Falk
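As an added example (not a plugin from the thread or from the Nagios project), the check can be done locally on the router by parsing `bgpctl show`, whose output format appears in the OpenBGPd post above. The sample output is constructed; it assumes that an Established session shows the received-prefix count in the last column while any other session shows its FSM state name there (Idle, Active, OpenSent, ...).

```shell
#!/bin/sh
# Added example, not from the thread: a Nagios-style check that parses
# `bgpctl show` and verifies that every required peer is Established.
# Assumption: the last column is a number (prefixes received) only for
# an Established session and the FSM state name otherwise, and a session
# that never came up shows "Never" in the Up/Down column.

# Constructed bgpctl show output: two healthy peers, one stuck in Active.
SAMPLE_BGPCTL='Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrefixRcvd
Brain                   35548          8          7     0 00:04:23      1
upstream-a              64496        120        118     0 1d02h33m     12
upstream-b              64497          0          0     0 Never    Active'

# check_bgp_peers PEER... < bgpctl-show-output
# Prints one Nagios status line; exit 0 = OK, 2 = CRITICAL (Nagios codes).
# A required peer that is absent from the output is reported as "missing",
# so a deleted neighbor block is caught as well as a down session.
check_bgp_peers() {
    awk -v want="$*" '
    BEGIN {
        n = split(want, req, " ")
        for (i = 1; i <= n; i++) state[req[i]] = "missing"
    }
    NR == 1 { next }                       # skip the header line
    ($1 in state) {
        state[$1] = ($NF ~ /^[0-9]+$/) ? "Established" : $NF
    }
    END {
        bad = ""
        for (i = 1; i <= n; i++)
            if (state[req[i]] != "Established")
                bad = bad " " req[i] "=" state[req[i]]
        if (bad != "") { print "BGP CRITICAL -" bad; exit 2 }
        print "BGP OK - " n " peer(s) established"
        exit 0
    }'
}

# Stand-alone demo on the constructed sample; as a Nagios command run
#   bgpctl show | check_bgp_peers Brain upstream-a
printf '%s\n' "$SAMPLE_BGPCTL" | check_bgp_peers Brain upstream-a
```

Peers are matched on the Neighbor column, so use the `descr` from bgpd.conf (or the neighbor address when no descr is set) as the arguments.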



Trunk to two swichtes, carp on trunk-interfaces

2007-01-17 Thread Falk Brockerhoff - smartTERRA GmbH
Hello,

I want to connect an openbsd router to two switches for
redundancy. These two switches are connected together, so I think
trunk in failover mode may be the right way, isn't it?

To create a full redundant setup I want to connect a second openbsd
router. Is there a possibility to run carp on the two trunk interfaces?

Is this the right gentle way to run a full redundant setup or do you
have any other suggestion?

Thanks,

Falk