select (1000baseT full-duplex,rxpause,txpause)
status: active
# ifconfig egress
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp
he rule you say works.
>> >
>> >
>> > fwiw, the $lan_if came from your configs existing “match”
>> >
>> > https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface”
>> you can find out about “egress”. I definitely prefer it to hard co
On Sun, Apr 28, 2024, at 11:49 AM, Mike wrote:
> If I remember right, you can run 'ifconfig' and see if that interface
> is marked as an egress interface or not. I can't remember how OBSD
> determines what interfaces are egress or not but your em0 seems to be
fwiw, the $lan_if came from your configs existing “match”
> >
> > https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface”
> you can find out about “egress”. I definitely prefer it to hard coding an
> interface in yet another line of a pf.conf
> >
>
gt; I was presuming you didnt mind matching to $ext_if’s ip for new sessions
> outbound, hence (egress:0). Matching to the carp ip works. (this is
> basically a source nat rule in commercial-network-vendor speak)
>
>
> >
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
>
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
>
Radek
ching to $ext_if’s ip for new sessions
outbound, hence (egress:0). Matching to the carp ip works. (this is basically
a source nat rule in commercial-network-vendor speak)
>
>> ext_if=em0
>> int_if=vlan2
>> ext_carpIf=carp0
>> match out on $ext_if inet from $int_
ed, 24 Apr 2024 17:14:49 -0400
Mike wrote:
> This command should help but you may need to add some "log" to your rules:
>
> tcpdump -nettti pflog0 will probably tell you.
>
> I don't have a bsd VM around to test but your int_if and ext_if should
> still refer to the u
try using egress and not carp0 on your match out rule. you’re not technically
sending out on the carp interface, only receiving.
make your match rule like this:
match out on egress from $lan_if:network to any nat-to (egress:0)
> On Apr 24, 2024, at 11:05 AM, Radek wrote:
>
> Hi
This command should help but you may need to add some "log" to your rules:
tcpdump -nettti pflog0 will probably tell you.
I don't have a bsd VM around to test but your int_if and ext_if should
still refer to the underlying interface, not the carp.
I'd change:
ext_if=em0
int_if=vlan2
Hi everyone,
it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm trying
to configure the master box. On the LAN side I have created carp2 on vlan2
interface and it works as expected.
On the WAN side I can't figure out how to make NAT work on carp0 interface.
Can someone tell
Hello Theo,
It's disheartening to see the disparity in treatment between entities like
OpenBSD and larger corporations within these governance structures.
However, your resolve in the face of such challenges is commendable. The
creation of CARP, under the circumstances you described, not only
Greetings,
I have now attained a deeper understanding of the topic at hand; thank you
for your insights. It appears that my requirements necessitate
communication between a Cisco router and VRRP, rather than CARP. Upon
reviewing the open-source projects you've recommended, here are my findings
Stuart Henderson wrote:
> On 2024-02-13, Samuel Jayden wrote:
> > From the information provided in the link, it appears that CARP and VRRP
> > protocols aren't inherently interoperable.
>
> They are different protocols - they *had* to be different because VRRP
>
On 2024-02-13, Samuel Jayden wrote:
> From the information provided in the link, it appears that CARP and VRRP
> protocols aren't inherently interoperable.
They are different protocols - they *had* to be different because VRRP
was subject to patents. And if carp was changed now, it wo
Am 13.02.2024 19:07 schrieb Samuel Jayden:
Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?
One step back.. you're looking for using one cisco router and one
OpenBSD box as a redundant pair? I've no idea and in over 20y I
Hello Marcus,
Thank you for your response.
>From the information provided in the link, it appears that CARP and VRRP
protocols aren't inherently interoperable.
While Cisco may have attempted to address this by introducing a command
like "disable-loop-detection carp" in its Nexus
Hello Samuel,
samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> I am reaching out to seek guidance on creating redundancy between a Cisco
> Router and OpenBSD. After conducting extensive research on the subject, I
> find myself in need of clarification on a specific
Hello OpenBSD,
I am reaching out to seek guidance on creating redundancy between a Cisco
Router and OpenBSD. After conducting extensive research on the subject, I
find myself in need of clarification on a specific point.
My intention is to employ the use of the CARP protocol in OpenBSD and VRRP
seldom (or
perhaps never?) on fail-back when the master returned, so it was ok for
giving me nice redundancy if the current carp master died, then I could
choose a suitable time after fixing this node when to take a the hit of a
new tunnel-setup as I flipped back. Never knew why it would only w
(or
perhaps never?) on fail-back when the master returned, so it was ok for
giving me nice redundancy if the current carp master died, then I could
choose a suitable time after fixing this node when to take a the hit of a
new tunnel-setup as I flipped back. Never knew why it would only work
one-way
>I'd like to add sasyncd in the mix and a 2nd router for higher availability.
Don't do it. sasyncd is known not to work properly in failover scenarios.
>Will gre over carp work?
I think you can just try out in a vm. Don't see the reason why it would not.
But perhaps there are some fe
I was wondering if anyone runs gre tunnels over carp.
We have an OpenBSD router that does ipsec over gre tunnels with remote location
routers in order to pass voip traffic.
Routing is done with ospf on top of gre.
I'd like to add sasyncd in the mix and a 2nd router for higher availability
the carp multicast frame between 3 and 4. I’m wondering if this is the
current best practice or is there a better way?
Image: https://i.redd.it/4i1lu4aeydzb1.jpg
Thanks!
Followup...
On 5/12/23 08:17, Stuart Henderson wrote:
On 2023-05-12, Nick Holland wrote:
...
I had several other people suggest network problems. I'm not going to
say "impossible" or even "unlikely", but my understanding is that the
two machines are both plugged into the same switch, in the
to this scheme on all our proxies and firewalls seven
years ago and have never looked back.
--lyndon
Totally agree on this and on top of that add load balancers/routers in
the mix which will run carp/relayd/pfsync/forwarding.
With sticky sessions, all requests will redirect to the same backend
server
Nick, spare yourself the pain and just designate one machine as the
master. This is how we run all our proxy server pairs (nginx,
squid, other stuff). For a pair fooa/foob, 'a' is the master, and
gets advskew 100. The 'b' host gets 150. Make sure preemption is
enabled.
When it's upgrade time,
On 12/05/2023 14:43, Nick Holland wrote:
> I had several other people suggest network problems. I'm not going to
> say "impossible" or even "unlikely", but my understanding is that the
> two machines are both plugged into the same switch, in the same rack.
>
> Several people pointed out I was
e's
>>> downloads. Longest period betweek flips was less than two weeks.
>>>
>>> So ... I cranked up the carp logging to 5 and then 7 to see what it had
>>> to say about why...and it had almost nothing to say.
>>
>> Does netstat -s -p carp give any
... I cranked up the carp logging to 5 and then 7 to see what it had
to say about why...and it had almost nothing to say.
Does netstat -s -p carp give any enlightenment?
ok, I just skewed the stats by taking the opportunity to bring the now
backup up to -current, so node1 does not have the most
On 2023-05-12, Nick Holland wrote:
> Here's the problem I've seen: I have my two machines flipping state
> randomly(?). This bothers me because that means it is breaking people's
> downloads. Longest period betweek flips was less than two weeks.
>
> So ... I cranked up the ca
Hi,
I have a couple identical servers that provide a few services (not FW or
gateway -- http, ftp, etc.). Figured they would make a great CARP pair,
so if the primary broke, the secondary would take over immediately.
It would also make maintenance windows shorter...make changes on secondary
Please ignore this duplicate post and reply to the other thread on
this mailing list. I had used my private EMail account by accident.
Regards
Harri
Hi folks,
Using 7.3 on a HA gateway ("redgatea" and "redgateb", one external
network, 2 internal networks, carp on all interfaces) I see a high
network latency for incoming network traffic every couple of seconds.
Trying to ping redgatea from redgateb over the pfsync in
"real" ip of the remote
> ext_if to make carp use normal unicast ip for sync and just see if it
> helps. If it does, it is related to the boxes ability to talk
> multicast and you would have to either stick with carppeer setup, or
> "fix" the multicast issue, which can be hard
ink on their carp0 carpdev interfaces?
Yes.
> If both are master, both should be sending out CARP advertisements, so
> I'd try to run tcpdump on both external interfaces and look for those:
> tcpdump -n -e -i carp0 proto carp
I did that yesterday and for both firewalls I could see the CARPv2
ad
for my external carp interface both firewalls show master as status
The config is below for reference:
/etc/hostname.carp0 on fw1
inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password
advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0
/etc
Hello,
I am running two OpenBSD 7.3 firewalls with pfsync and CARP for redundancy and
have one carp interface carp0 for the public internet and one carp interface
carp1 for my private (NAT) internal network. The private carp interface has
status master on the first firewall and status backup
On Sun, Jan 8, 2023 at 5:23 PM Nick Holland
wrote:
>
> Does this actually maintain state? I'm thinking pfsync might
> not work properly when the external interface "changes" like that.
> It wouldn't actually matter much in *my case*, but I'm wondering
> about the more general case.
>
>
>
I no
On 1/6/23 02:31, Christer Solskogen wrote:
On Mon, Jan 2, 2023 at 5:14 PM Nick Holland
wrote:
hiya.
Goal: home (i.e., DHCP external network config) redundant
firewalls with CARP and PFSYNC.
Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like
On Mon, Jan 2, 2023 at 5:14 PM Nick Holland
wrote:
> hiya.
>
> Goal: home (i.e., DHCP external network config) redundant
> firewalls with CARP and PFSYNC.
>
>
Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like it when the
hiya.
Goal: home (i.e., DHCP external network config) redundant
firewalls with CARP and PFSYNC.
Long ago, I think the word was "CARP and DHCP network
configs don't work well together". A bit of searching man
pages isn't showing me anything. A bit of googling is
showing some old
On Tue, Jun 28, 2022 at 2:58 PM Stuart Henderson
wrote:
>
> So for this you would need to monitor the interface status and change
> the default route, you couldn't rely on /etc/mygate.
>
>
I don't. I use ifstated :-)
On 2022-06-28, Christer Solskogen wrote:
> On Tue, Jun 28, 2022 at 12:18 PM Łukasz Moskała wrote:
>
>> You wanted to set the CARP IP as default gateway on both master and
>> backup, right?
>>
>>
> No, the master is the gateway. So what would not make sense as all
On Tue, Jun 28, 2022 at 12:18 PM Łukasz Moskała wrote:
> You wanted to set the CARP IP as default gateway on both master and
> backup, right?
>
>
No, the master is the gateway. So what would not make sense as all.
I would like to have the CARP IP as default gateway on the backup. (An
Dnia Tue, Jun 28, 2022 at 11:36:55AM +0200, Christer Solskogen napisał(a):
> On Tue, Jun 28, 2022 at 10:44 AM Stuart Henderson
> wrote:
>
> >
> > It makes no sense to set your own address as the default gateway?
> >
> >
> It would *if* backup didn't resp
On Tue, Jun 28, 2022 at 10:44 AM Stuart Henderson
wrote:
>
> It makes no sense to set your own address as the default gateway?
>
>
It would *if* backup didn't respond to the carp IP. But it does, so no it
does not make sense.
The reason I was hoping it would work was the wording in the FAQ.
teway. I was hoping I could just use the carp
> address as default gateway.
It makes no sense to set your own address as the default gateway?
--
Please keep replies on the mailing list.
On Tue, Jun 28, 2022 at 10:21 AM Łukasz Moskała wrote:
>
> What problem are you trying to solve?
>
>
Having identical config files on both the master and backup when it comes
to setting up the default gateway. I was hoping I could just use the carp
address as default gateway.
--
chs
t; So the question now is should master respond?
>
> --
> chs
Master can't respond to that traffic, as it never goes over wire. Just like
pinging 127.0.0.1
If you have 192.0.2.10/24 on em0, and ping 192.0.2.10 from host that has this
IP, this traffic newer goes over network c
On Tue, Jun 28, 2022 at 9:52 AM Łukasz Moskała wrote:
> Run tcpdump on master, ping on backup. If you see pings in tcpdump, then
> master is responding.
> If not, backup is responding to itself.
>
>
Good catch.
The backup is responding to it self. But should it? In the FAQ I find this:
"The
Dnia Tue, Jun 28, 2022 at 09:47:40AM +0200, Christer Solskogen napisał(a):
> if you ping the carp ip from the backup, does the master respond or the
> backup it self?
>
> --
> chs
Hi,
Run tcpdump on master, ping on backup. If you see pings in tcpdump, then master
is responding.
if you ping the carp ip from the backup, does the master respond or the
backup it self?
--
chs
I have some more info (this time from physical machines):
After a switchover I can see incoming flow on enc0 on the new master,
and it IS decoded correctly. It is just not pushed out into the
protected network.
Additionally, the replay counters seem to be all in sync except for
one - return
cd[20476]: net_handle_messages: got msg
type 1 len 224 from peer 10.0.1.161
Mar 4 12:35:17 ipsec2 sasyncd[20476]: pfkey_queue_message: pfkey
X_ADDFLOW len 224 seq 21
ipsecctl -v sa on BOTH sides (192.168.1.46 is my mobile WAN,
192.168.1.16
Hello!
I'm trying to build a redundant IPSEC VPN concentrator.
What have I done by now:
* I have a working CARP. Verified from each side. 1-2 pings lost.
Works as expected.
* I have a working iked deployment. Test client can connect, sees
internal network as expected.
* I have a working pfsync
On 9/24/21 6:13 PM, Don Tek wrote:
Would there be any ‘problem’ with configuring a 2-machine CARP
setup and then just keeping one machine powered-off until needed?
I realize this defeats live failover, but this is not a requirement
for my customer.
I just want them to be able
On 2021-09-25, leonard wrote:
> What is the power draw? I use a 1500 VA apc backups with 6 outlets on ups and
> 5 on surge protection. As long as your total draw is less than 1200 VA, for <
> $200 canadian you have a cheap simple solution. Just put on on the ups side
> and the other on the
ard@on the road
Original message From: Don Tek Date:
2021-09-25 11:40 (GMT-05:00) To: jslee Cc:
misc@openbsd.org Subject: Re: CARP Cold Spare I'm not sure why the hardware
matters, but the two machines are a couple HP 1U Gen 8 Xeon servers. Suffice
to say, they are identi
gle point of failure will be their cable modem, and Comcast can handle
replacing that.
Option B is to just have identical configurations and have them need to swap
the network wiring as part of the failover. Will still prevent the days of
downtime we're incurring now due to this failure, but not as simple fo
on the servers almost never change (simple firwall), so besides
having to run a quick syspatch and reboot once at time of failover, I don't see
maintenance being so bad. I keep config files backed-up otherwise centrally
for quick restore to the running box as well.
My primary concern here is if CARP
:
> Would there be any ‘problem’ with configuring a 2-machine CARP setup
> and then just keeping one machine powered-off until needed?
>
> I realize this defeats live failover, but this is not a requirement for
> my customer.
>
> I just want them to be able to, in the event
> On Sep 24, 2021, at 6:16 PM, Don Tek wrote:
>
> Would there be any ‘problem’ with configuring a 2-machine CARP setup and
> then just keeping one machine powered-off until needed?
>
> I realize this defeats live failover, but this is not a requirement for my
> custo
Would there be any ‘problem’ with configuring a 2-machine CARP setup and then
just keeping one machine powered-off until needed?
I realize this defeats live failover, but this is not a requirement for my
customer.
I just want them to be able to, in the event of a primary machine failure
- Original Message -
> From: "Tom K"
> To: "misc"
> Sent: Tuesday, July 13, 2021 3:32:04 AM
> Subject: [EXTERNAL] Why demotion counter for group carp is set to 33 on boot?
> Hallo,
>
> why demotion counter for group carp is set to 3
On 7/13/21 9:32 AM, Tom K wrote:
> why demotion counter for group carp is set to 33 on boot? This is the
> primary firewall and there are no adskew settings in all hostname.carpX
> files or anywhere else.
> Because of this the other firewall which should be normaly the standby
&
Am 2021-07-14 13:01, schrieb Stefan Sperling:
If the demote count never drops then perhaps pfsync traffic isn't
passing
properly?
tcpdump on pfsync device shows me PFSYNCv6 traffic all the time
as well comparing the results of "pfctl -s state" on both
systems shows no differences. The same
On Wed, Jul 14, 2021 at 11:38:15AM +0200, Tom K wrote:
>
> > > but why? If I reboot the other node, the system become MASTER.
> >
> > That is because the other system stops sending carp announcements
> > when you reboot it. This is unrelated to the demote counte
but why? If I reboot the other node, the system become MASTER.
That is because the other system stops sending carp announcements
when you reboot it. This is unrelated to the demote counter. The demote
counter only matters as long as another carp MASTER remains visible.
A forced failover like
On Wed, Jul 14, 2021 at 08:28:09AM +0200, Tom K wrote:
> JP,
>
> but why? If I reboot the other node, the system become MASTER.
That is because the other system stops sending carp announcements
when you reboot it. This is unrelated to the demote counter. The demote
counter only matter
JP,
but why? If I reboot the other node, the system become MASTER. At this
time, no other system has more recent rule states and the 2nd system
comes back, the 1st will fall to BACKUP although it has no adskew
settings and demotecount still on 33.
I'm very confused about this issue.
Am
Tom,
Assuming the fw cluster is properly set up, I guess because PF rule states
is unsync.
As times goes by, states gets synchronized.
JP
Em ter., 13 de jul. de 2021 às 05:50, Tom K escreveu:
> Hallo,
>
> why demotion counter for group carp is set to 33 on boot? This is the
Hallo,
why demotion counter for group carp is set to 33 on boot? This is the
primary firewall and there are no adskew settings in all hostname.carpX
files or anywhere else.
Because of this the other firewall which should be normaly the standby
(adskew 100), is always MASTER (comes up
MJ J(mikedotjack...@gmail.com) on 2021.05.23 17:58:47 +0300:
> Hi,
>
> I have a carp master and backup on a pair of one-armed Rapsberry Pi 4B
> devices (router1 and router2) and when I ssh to the backup using the
> carp IP as my gateway, it repeatedly throws me out afte
Hi,
I have a carp master and backup on a pair of one-armed Rapsberry Pi 4B
devices (router1 and router2) and when I ssh to the backup using the
carp IP as my gateway, it repeatedly throws me out after a few seconds
with the message:
My laptop's network config
cian. As part of my education i have to do a
> presentation on a self-elected subject and i have chosen to talk about CARP.
>
> It is my understanding that it is you (OpenBSD) that have developed CARP.
> I am having trouble finding information about CARP, such as the different
> state
elected subject and i have chosen to talk about CARP.
>>
>> It is my understanding that it is you (OpenBSD) that have developed CARP.
>> I am having trouble finding information about CARP, such as the different
>> states the protocol goes through or how the election of the mas
Den tis 13 apr. 2021 kl 10:29 skrev jannick Weiss :
> Hello,my name is Jannick Weiss and i am currently in the process of taking
> my education as a datatechnician. As part of my education i have to do a
> presentation on a self-elected subject and i have chosen to talk about CARP.
>
Hello,my name is Jannick Weiss and i am currently in the process of taking
my education as a datatechnician. As part of my education i have to do a
presentation on a self-elected subject and i have chosen to talk about CARP.
It is my understanding that it is you (OpenBSD) that have developed CARP
On 2021-02-20, Dev Op wrote:
> Hello, collegues!
>
> In vlan2 I have 4 routers: rt1 (master) and rt2 (slave) grouped into VHID
> 50 in terms of CARP; rt3 (master) and rt4 (slave) grouped into VHID 2. Why
> don't I see carp advertisements from rt1? Instead, I see carp announcements
Hello, collegues!
In vlan2 I have 4 routers: rt1 (master) and rt2 (slave) grouped into VHID
50 in terms of CARP; rt3 (master) and rt4 (slave) grouped into VHID 2. Why
don't I see carp advertisements from rt1? Instead, I see carp announcements
only from rt3 (vhid2). Where am I wrong?
rt1
On 2/7/21 1:38 AM, Bryan Stenson wrote:
31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2,
link: no carrier, mtu: 1500,
Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit). Any
>
>
> > On 1 Feb 2021, at 6:02 pm, Bryan Stenson wrote:
> >
> > Hi all -
> >
> > I'm trying to setup a pair of ERL3 octeon routers in master/standby
> > mode via carp/pfsync to route traffic from my internal lan to the
> > internet. I've seen s
> On 1 Feb 2021, at 6:02 pm, Bryan Stenson wrote:
>
> Hi all -
>
> I'm trying to setup a pair of ERL3 octeon routers in master/standby
> mode via carp/pfsync to route traffic from my internal lan to the
> internet. I've seen strange behavior wrt carp on these machine
Hi all -
I'm trying to setup a pair of ERL3 octeon routers in master/standby
mode via carp/pfsync to route traffic from my internal lan to the
internet. I've seen strange behavior wrt carp on these machines, so
in an attempt to reduce the problem, I've removed one completely.
Even with only
behalf of Kapetanakis
Giannis" wrote:
>
> Check that you have mac spoofing filter disabled on that interface.
For carp to work, I have it disabled on the virtual interface on the
supervisor.
I use ovirt so I do it on the network profile there.
This is a
Check that you have mac spoofing filter disabled on that interface.
For carp to work, I have it disabled on the virtual interface on the
supervisor.
I use ovirt so I do it on the network profile there.
This is a libvirt filter option. Maybe it's applied by default on your
setup
r disabled on that interface.
G
On 12/01/2021 15:30, Carlos Lopez wrote:
> Hi David and misc@,
>
> Sorry to disturb with this.I have realized several tests this morning
with two OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result
is the same:
is the
same: carp load balancing doesn't work. My host is a RedHat Enterprise Linux
8.3 with kernel .18.0-240.10.1.el8_3.x86_6 (fully patched also). I have tested
all ip load balancing options under these OpenBSD virtual guests: ip,
ip-unicast and ip-stealth.
When I use only "ip" for load balanc
Hi David and misc@,
Sorry to disturb with this.I have realized several tests this morning with two
OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result is the
same: carp load balancing doesn't work. My host is a RedHat Enterprise Linux
8.3 with kernel .18.0-240.10.1.el8_3
Hello,
The fix recommended by Remi works great. Can we have this into an official
patch?
Why I am not using it as Claudio recommends is that vlan20 in my case also
is a transit vlan like vlan21 so it cannot be a passive interface. From the
docs I understand that having carp listed
On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> Hello,
> I am seeing what I deem to be unexpected behavior with ospfd and depending
> on carp interfaces.
> Running 6.8 with latest patches applied on all three routers.
>
> # uname -a
> OpenBSD extfw1.lab.kam
On Tue, Dec 22, 2020 at 02:04:27PM +0100, open...@kene.nu wrote:
> Hello,
> I am seeing what I deem to be unexpected behavior with ospfd and depending
> on carp interfaces.
> Running 6.8 with latest patches applied on all three routers.
>
> # uname -a
> OpenBSD extfw1.lab.kam
Hello,
I am seeing what I deem to be unexpected behavior with ospfd and depending
on carp interfaces.
Running 6.8 with latest patches applied on all three routers.
# uname -a
OpenBSD extfw1.lab.kambi.com 6.8 GENERIC.MP#2 amd64
My setup is as following;
Two openbsd boxes (FW1 and FW2) acting
Hi folks,
wrt IPsec failover via sasyncd and carp: sasyncd(8) and iked(8) don't
seem to tell, but I would guess that all hosts on the carp interface
have to share the private key to support renegotiation.
How can I tell iked which private key to use, instead of local.key?
Is there a similar
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
>
> Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair firewalls was using
> carp in IP balance mode without problems from several months. These firewalls
> are installed in a RHEL 8.2 (fully patched) KVM host.
>
> After
Ok, done. I have already sent the bug report.
On 21/10/2020, 11:11, "Uwe Werler" wrote:
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
>
> Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair firewalls was
using carp in IP balance mode without problems
Hi all,
Before upgrade from OpenBSD 6.7 to OpenBSD 6.8, my pair firewalls was using
carp in IP balance mode without problems from several months. These firewalls
are installed in a RHEL 8.2 (fully patched) KVM host.
After upgrading to OpenBSD 6.8, carp ip balance mode doesn’t works. I have
> On 23 Jul 2020, at 22:28, Guy Godfroy wrote:
>
> Doesn't work better.
> I guess Sebastian is right, carp has to be assigned an IP to come up.
yeah, i just read the code a bit. they have to be able to communicate to be
able to elect which one is the active and which is t
Doesn't work better.
I guess Sebastian is right, carp has to be assigned an IP to come up.
Le 23/07/2020 à 03:15, David Gwynne a écrit :
On 22 Jul 2020, at 22:59, Guy Godfroy wrote:
Hello,
So I read in 6.7 release note that it's finally possible to use dhclient on
CARP interface. That's
> On 22 Jul 2020, at 22:59, Guy Godfroy wrote:
>
> Hello,
>
> So I read in 6.7 release note that it's finally possible to use dhclient on
> CARP interface. That's great news.
>
> However, I'm not sure how to use it on a hostname.if file. I tried to replace
>
1 - 100 of 2091 matches
Mail list logo
