On 2014-07-24, Waldemar Brodkorb m...@waldemar-brodkorb.de wrote:
Hi OpenBSD hackers,
we like to use OpenBSD for our corporate firewall.
We have two appliances and want to setup carp and pfsync.
In the past I used this for a simple firewall connected to
a provider via dsl without a DMZ
On 2014-07-24, Peter Hessler phess...@theapt.org wrote:
if the addresses on the carp interface are out of sync, then the hashes
won't mash, and the firewalls *WILL* conflict with each other.
I recommend one IP per carp interface. Far nicer in case you screw that
bit up, and much easier
Hi OpenBSD hackers,
we like to use OpenBSD for our corporate firewall.
We have two appliances and want to setup carp and pfsync.
In the past I used this for a simple firewall connected to
a provider via dsl without a DMZ. This worked fine and I know
how to configure it.
Now our firewall is used
if the addresses on the carp interface are out of sync, then the hashes
won't mash, and the firewalls *WILL* conflict with each other.
I recommend one IP per carp interface. Far nicer in case you screw that
bit up, and much easier to balance IPs to one system or the other.
On 2014 Jul 24 (Thu
Hi Peter,
Peter Hessler wrote,
if the addresses on the carp interface are out of sync, then the hashes
won't mash, and the firewalls *WILL* conflict with each other.
I recommend one IP per carp interface. Far nicer in case you screw that
bit up, and much easier to balance IPs to one system
#1 is
somewhat valid - using carppeer would prevent me from learning that
multicast was broken. I'm not sure how it could ever break on a L2 VLAN,
but still...
I've had bad broadcom (bnx (4)) cards do that to me.
Worked better with carppeer but best with intels instead.
Hi all,
in the official CARP/pfsync faq here: http://www.openbsd.org/faq/pf/carp.html
I found information that suggests that it's possible to use CARP without
IPs attached to the physical interfaces used in a CARP group:
ipaddress
This is the shared IP address assigned to the redundancy
* Peus, Christoph christoph.p...@uni-wh.de [2014-06-30 17:24]:
Is it really possible to use CARP without IPs assigned to the physical
interfaces?
Sure.
How does the communication between the interfaces of a group work
if there are no IPs assigned to them?
multicast
Which disadvantages
Henning, thanks for your quick reply.
Which disadvantages could this mode of operation have compared to the
classic mode with IPs assigned?
the backup node might not be able to reach the network on the carp if
Hmm... what does this mean to me..? To make it more precise - my setup looks
like
On 2014-06-30 11:11, Peus, Christoph wrote:
Henning, thanks for
your quick reply.
Which disadvantages could this mode of
operation have compared to the classic mode with IPs assigned?
the
backup node might not be able to reach the network on the carp if
Hmm... what does this mean to me
the canary-in-the-coal-mine to inform me of any
layer 2 weirdness
2) I prefer predictability and normal use cases
3)
if I ever stop using CARP and switch to HSRP or VRRP, I'll need those
addresses again
you are creating massive confusion here regarding carppeer and
unnumbered carpdevs
using CARP and switch to HSRP or VRRP, I'll need
those addresses again
you are creating massive confusion here
regarding carppeer and
unnumbered carpdevs - those really have nothing
to do with each other.
That said, I do use unnumbered carpdevs in
some cases and places.
If carp0 has
* Adam Thompson athom...@athompso.net [2014-06-30 21:31]:
Nor is using carpdev [the typical case], although I have the
impression that use of carpdev (and therefore only needing 1 IP
address) is increasing.
I consider carpdev that natural use, we're stacking interfaces after
all.
I even
their experiences too, it would be nice.
P.s.: If you are going to use CARP on top of this, it can work, but all
the carped machines must see all your ISP's router/modems/etc. I used a
separate switch for this, but there are other options too. CARP adds
complexity to the mix, for instance, you will need
On May 13, 2014, at 22:13, Giancarlo Razzolini grazzol...@gmail.com wrote:
go there, this e-mail would be too big. If you want I can elaborate more.
yes please! do elaborate a bit!
fl
Hello Misc-Users,
I'm looking in to the possibility to do multihoming (more than one isp)
on a Carp setup.
To do live failover if one isp goes down, the other takes over.
Just as carp does if one of the routers goes down.
I'm thinking that in combination with ifstated it might be possible
On Tue, May 13, 2014 at 4:58 AM, Magnus mag...@tokra.org wrote:
Hello Misc-Users,
I'm looking in to the possibility to do multihoming (more than one isp)
on a Carp setup.
To do live failover if one isp goes down, the other takes over.
Just as carp does if one of the routers goes down.
You
Em 13-05-2014 08:58, Magnus escreveu:
Hello Misc-Users,
I'm looking in to the possibility to do multihoming (more than one isp)
on a Carp setup.
To do live failover if one isp goes down, the other takes over.
Just as carp does if one of the routers goes down.
I'm thinking
=12857462784
and operating system OpenBSD 5.4 (patched until 005_sha512.patch), dmesg
is below.
It has about 20 vlan interfaces over four physical interfaces, and 19
carp interfaces, two vethers, three rdomains (most traffic running in
default domain). Mostly ipv4 but very little ipv6 also. Besides
Hi again!
I forgot to mention that although carp is configured i do not use there
pfsync (even no pfsync0 interface). (There have been problems with
pfsync, at least in the past and for me).
Imre
On Fri, 2014-04-11 at 15:45 +0300, Imre Oolberg wrote:
Hi!
I have run two node active-passive
Hi folks,
how does carp + vpn integrate in a two server firewall ?
Does carp make vpn redundant too ?
Thanks in advance.
With sasyncd(8) and carp, yes.
2014-03-10 14:09 GMT+01:00 Friedrich Locke friedrich.lo...@gmail.com:
Hi folks,
how does carp + vpn integrate in a two server firewall ?
Does carp make vpn redundant too ?
Thanks in advance.
--
May the most significant bit of your life be positive.
}
}
match to 170.16.3.1 set nexthop 170.16.3.4
Setup overview;
OpenBSD1;
vlan1: 170.16.3.2
carp1: 170.16.3.4
OpenBSD1;
vlan1: 170.16.3.3
carp1: 170.16.3.4
Cisco ISP1-RT;
170.16.3.1
Summary;
When the OpenBSD box is a CARP backup there is *not* a route for
170.16.3.4/32 in 'netstat -rn
Hello,
I have recently stumbled over a problem with a CARP router setup.
The routers have 2 carped interfaces, one for network A and B respectively.
We had the scenario that Router1 was Master for A and Backup for B,
Router2 Backup A and Master B. A manual demote managed to get one router
The sysctl for carp preempt sounds like that you are looking for.
2014-02-20 11:24 GMT+01:00 Kim Zeitler kim.zeit...@konzept-is.de:
Hello,
I have recently stumbled over a problem with a CARP router setup.
The routers have 2 carped interfaces, one for network A and B respectively.
We had
CARP stability issues are often due to not being able to send or
receive CARP protocol messages properly across networks A and B, and/or
not being able to send or receive pfsync protocol messages across the
crossover cable between the firewalls.
pass out quick proto carp keep state (no-sync
On Tue, Feb 11, 2014 at 10:17:46PM +, andy wrote:
Hi,
You should be able to ping the CARP IP addresses from any host (including
the master), so something is wrong here.
This can sometimes be due to a routing problem.
Your routing table should look similar to;
10.0.0.1
On Wed, 12 Feb 2014 20:26:32 +0100, Laurent CARON
lca...@unix-scripts.info wrote:
On Tue, Feb 11, 2014 at 10:17:46PM +, andy wrote:
Hi,
You should be able to ping the CARP IP addresses from any host
(including
the master), so something is wrong here.
This can sometimes be due
Hi,
Any clue about this issue ?
Thanks
On Fri, Jan 31, 2014 at 06:13:15PM +0100, Laurent CARON wrote:
Hi,
I'm currently experiencing what I would call a strange behavior (maybe a
total config fuck up on my side, who knows...).
I'm basically having 2 boxes acting as a CARP gateway for my
I can't remember specifically where I read it, but I recall specific
warnings somewhere in the CARP documentation about ping and the virtual IP.
I encountered similar oddities configuring CARP for IPv4 and IPv6. You
may want to look at your route tables.
On 02/11/2014 04:41 PM, Laurent CARON
Hi,
You should be able to ping the CARP IP addresses from any host (including
the master), so something is wrong here.
This can sometimes be due to a routing problem.
Your routing table should look similar to;
10.0.0.1 10.0.0.1 UH 04 - 4 carp0
10.0.0.2
Hi,
I'm running carp with rtadvd on 5.4, and see some strange behavior
regarding NDP during failover.
I run rtadvd with no configuration file and it runs on the carp
interface (carp is using carpdev, so no address on the physical
interface) on both carp nodes.
When rtadvd starts on the MASTER
Hi,
I'm currently experiencing what I would call a strange behavior (maybe a
total config fuck up on my side, who knows...).
I'm basically having 2 boxes acting as a CARP gateway for my servers.
Addressing:
- Box 1 (bge1): 46.21.116.1
- Box 2 (bge1): 46.21.116.2
- CARP116
On Tue, Jan 21, 2014 at 03:51:23PM -0800, Gabriel Kuri wrote:
I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
box and run carp between the two for the external NATed interface (facing
the ISP). After I setup everything and switched pf to NAT using the address
/dns to router - Why are you addressing the physical
routers IP directly? Generally it is better for all inbound traffic
(public DNS) to refer to CARP IPs so it doesn't matter which firewall
is live/if one is down etc.
pass in quick on $ext_if proto { tcp, udp } from any to { $router,
$carp_ip
are needed too for this.
On 22 jan 2014, at 00:51, Gabriel Kuri gk...@ieee.org wrote:
I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
box and run carp between the two for the external NATed interface (facing
the ISP). After I setup everything and switched pf to NAT using
I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
box and run carp between the two for the external NATed interface (facing
the ISP). After I setup everything and switched pf to NAT using the address
on the carp interface, I'm seeing about 12Mbps - 13Mbps on the download, I
advbase 3
advskew 0 carpdev em0 pass hash_removed
hostname.em4:
inet 10.50.1.1 255.255.255.0 NONE
hostname.pfsync0:
up syncdev em4
On Tue, Jan 21, 2014 at 3:51 PM, Gabriel Kuri gk...@ieee.org wrote:
I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
box and run carp
Your PF rules are needed too for this.
On 22 jan 2014, at 00:51, Gabriel Kuri gk...@ieee.org wrote:
I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
box and run carp between the two for the external NATed interface (facing
the ISP). After I setup everything and switched
:100 balancing ip-unicast
carppeer 10.0.2.202 pass xxyyzz
inet 10.0.2.200 255.255.0.0 NONE
inet alias 172.20.0.200 255.255.255.0 NONE
description lan CARP
---
# cat /etc/hostname.carp2
carpdev vlan1337 carpnodes 21:0,22:100 balancing ip-unicast
carppeer xx.yy.zz.158 pass yyzzxx
inet xx.yy.zz.156
CARP(ish) Question:
I have a /30 transit network from my ISP, where there obviously isn't
room for both routers in the carp setup to have a dedicated IP address
in addition to the IP assigned to the carp interface.
If it matters, I've assigned both routers private addresses in my
network
Em 12-12-2013 17:42, Ted Bullock escreveu:
CARP(ish) Question:
I have a /30 transit network from my ISP, where there obviously isn't
room for both routers in the carp setup to have a dedicated IP address
in addition to the IP assigned to the carp interface.
If it matters, I've assigned both
selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
Works like a charm!
On 12/12/13, 12:42 PM, Ted Bullock wrote:
CARP(ish) Question:
I have a /30 transit network from my ISP, where there obviously isn't
room for both routers
Ted Bullock tbull...@northernartifex.com a écrit :
CARP(ish) Question:
I have a /30 transit network from my ISP, where there obviously isn't
room for both routers in the carp setup to have a dedicated IP address
in addition to the IP assigned to the carp interface.
If it matters, I've assigned
to kill
isakmpd and flush ipsec if the state of the carp interface changes to
backup, or start isakmpd and load ipsec rules when the state changes
to master. When I used sasyncd I got into various situations where
things wouldn't work until I disabled it and rebooted both vpn
gateways.. Obviously
2013/12/5 Anders Berggren and...@halon.se
Interesting. I've got sasyncd to work pretty well by introducing a rather
long sleep before restoring the carp demote, with my main problem being the
fallback/restore to the designated master after a short period of the
backup being active
nexthops. By default bgpd will only use static routes or
routes
added by other routing daemons like ospfd(8).
I've tried various things but nothing works..
The carp IP is on the 'carp' interface and not the phys interface and
so I think that's why the nexthop is not being
On Wed 04 Dec 2013 00:18:40 GMT, Stuart Henderson wrote:
On 2013-12-02, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
like linux and windows) under two openbsd carp firewalls.
..
What option can be best to deploy
On 2013/12/04 10:19, Andy wrote:
Yea I had the same problem with sasyncd but I found a simple solution that
allows for faster failover than DPD.
The issue I found was that when isakmpd starts on the carp 'backup', the -S
stops it from chatting which is great, but, I also found it also seems
On Wed 04 Dec 2013 12:40:09 GMT, Stuart Henderson wrote:
On 2013/12/04 10:19, Andy wrote:
Yea I had the same problem with sasyncd but I found a simple solution that
allows for faster failover than DPD.
The issue I found was that when isakmpd starts on the carp 'backup', the -S
stops it from
Hey everybody,
After reading the man page of carp (4) and since I am currently working
with this protocol I have a question concerning the first bug mentioned
in the bug section and a more general one. I quote from the man page..
If load balancing is used in setups where the carpdev does
2013/12/5 Antonis Manousis antonismanou...@gmail.com
Hey everybody,
After reading the man page of carp (4) and since I am currently working
with this protocol I have a question concerning the first bug mentioned
in the bug section and a more general one. I quote from the man page..
If load
Hi, I've got something really interesting to show, which shows this
clearly and should help point to the root cause.
In short, it seems that the desired nexthop is not applied by the CARP
master when it is in state 'nexthop 180.25.32.20 now valid: via
180.25.32.20'. I.e. when it is 'via' even
On 2013-12-02, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
like linux and windows) under two openbsd carp firewalls.
..
What option can be best to deploy in these firewalls: ipsec
(ipsec.conf and isakmpd) or iked
Hi all,
I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
like linux and windows) under two openbsd carp firewalls.
Searching in google and reading some docs, I have several doubts
about which one to choose. If I am not wrong, iked doesn't support
sasyncd, is it correct
On Mon, Dec 2, 2013 at 8:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I need to deploy IPSec tunnels (lan-to-lan and roadwarriors clients
like linux and windows) under two openbsd carp firewalls.
Searching in google and reading some docs, I have several doubts
about which one
Hi,
Could someone help me with this issue we have found where the OpenBGPd
rule 'match to bgppeerip set nexthop bgpcarpip' doesn't work if OpenBGPd is
started whilst the OpenBSD host is a carp master. It only works if it is a
CARP backup :(
Or could someone give me a clue where in the source
andy [a...@brandwatch.com] wrote:
Hi,
Could someone help me with this issue we have found where the OpenBGPd
rule 'match to bgppeerip set nexthop bgpcarpip' doesn't work if OpenBGPd is
started whilst the OpenBSD host is a carp master. It only works if it is a
CARP backup :(
Or could
No, I'm seeing the same thing - the carp master advertises the carp IP as
next-hop no matter what.
The carp backup advertises whatever you've told it to advertise via set
nexthop.
-Adam
On Dec 2, 2013 6:43 PM, Chris Cappuccio ch...@nmedia.net wrote:
andy [a...@brandwatch.com] wrote:
Hi
On 15/11/13 16:50, Adam Thompson wrote:
On 13-11-15 04:17 AM, Andy wrote:
On 12/11/13 05:48, Chris Cappuccio wrote:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
Hi Chris,
This sounds good.. Could you clarify further?
I can clarify for him, see
to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip
alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites so i have conceptual
different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
Hi Chris,
This sounds good.. Could you clarify further?
I can clarify for him, see below. (Apologies if he's already done it
- I'm on the daily digest.)
Setup eBGP to the Transit router on both OBSD boxes using physical
IPs
Ah, so we have a potential bug here then I'm thinking!
After all, why would the setting of nexthop have anything to do with
CARP?
On Thu 21 Nov 2013 16:14:33 GMT, Adam Thompson wrote:
(Apologies for top-posting)
I've seen the same thing, but I assumed I'd made a mistake somewhere. Maybe
Output for
'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq would be hie to
see.
//mxb
On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com
wrote:
Sorry, looking more detailed at the logs i found this:
/var/log/daemon
Nov 17 18:36:12 v-arcbabalancer01
Ok, thanks for all the replies. Im waiting to this situation appears to
send to you the output of those commands.
Thanks and regards
Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini
2013/11/18 mxb m...@alumni.chalmers.se
Output for
'pfctl -si', 'pfctl -sm' and
Hello list, i found something strange.
By one side, cpu idle is at 0%
[root@v-arcbabalancer01 ~]# vmstat 2 20
 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr wd0 cd0  int   sys   cs us sy id
 5 0 0  86576 1450072  845   0
Santagostini
http://ar.linkedin.com/in/santagostini
2013/11/14 Andy a...@brandwatch.com
On 14/11/13 15:21, Leonardo Santagostini wrote:
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some
a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites so i have conceptual doubts.
1
/in/santagostini
2013/11/14 Andy a...@brandwatch.com
On 14/11/13 15:21, Leonardo Santagostini wrote:
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than
I have two routers in active/passive carp mode that share three pairs
of carp interfaces:
bge1 - DMZ
em0 - ISP1
em1 - ISP2
They are also syncing pf states over syncdev bge0.
Both routers are in BGP sessions with two upstream providers (via /29
networks), and I am achieving graceful failover
On Sun, 17 Nov 2013 15:32:01 +0100, Marko Cupać marko.cu...@mimar.rs
wrote:
I have two routers in active/passive carp mode that share three pairs
of carp interfaces:
bge1 - DMZ
em0 - ISP1
em1 - ISP2
They are also syncing pf states over syncdev bge0.
Both routers are in BGP sessions
Hello everybody, i still having some issues with relayd.
Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1
active), 0, 190.51.90.22 - :0, buffer event timeout
Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97
(4 active), 0, 190.49.60.30 - :0,
Sorry, looking more detailed at the logs i found this:
/var/log/daemon
Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no
connection in flight
Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce
that the
LAN carp(4) interface always stays in sync with the WAN carp(4)
interface. (i.e. router #1 being master for inside-facing while #2
is master for outside-facing will break pf(4).)
Absolutely.. I always put my carp interfaces into the same carp group
to ensure this.
Now it's my
round to pulling down the source and fixing the Power
Technology issue with Ivy Bridge EP on Supermicro I'll also add a doc patch
to mention suggesting the use of the nexthop directive in OpenBGPd to allow
BGP to run on the same interfaces as CARP without 'depends on'.
PS; For those interested I found
..or even iBGP for that matter, an interesting
way to go could be:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
Hi Chris,
This sounds good.. Could you clarify further?
Setup eBGP to the Transit router on both OBSD boxes using physical IPs,
and iBGP between
On 13-11-15 04:17 AM, Andy wrote:
On 12/11/13 05:48, Chris Cappuccio wrote:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
Hi Chris,
This sounds good.. Could you clarify further?
I can clarify for him, see below. (Apologies if he's already done
You sir have just made my weekend! :)
I thought that nexthop directive was a PF rule.. D'oh.. Clearly a long
week ;)
What you *might* have to do is use ifstated(8) to ensure that the LAN carp(4) interface
always stays in sync with the WAN carp(4) interface. (i.e. router #1 being master
On 13-11-15 11:26 AM, Andy wrote:
You sir have just made my weekend! :)
I thought that nexthop directive was a PF rule.. D'oh.. Clearly a long
week ;)
What you *might* have to do is use ifstated(8) to ensure that the
LAN carp(4) interface always stays in sync with the WAN carp(4)
interface
Adam Thompson [athom...@athompso.net] wrote:
What have I missed? (Or is this yet another breakdown in OpenBSD's
documentation?)
If you find a deficiency in the documentation, please submit a patch.
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites
15 sites and only 9?
I'd put around 50 (and have). You might need even more.
On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:
set limit states 9
Put all of those into the same relay { } as they are going to the same
forward table.
relay {
listen on addr1 port 80
listen on addr2 port 80
etc
.
}
or you'll end up doing check http several times.
and I'd do just simple check tcp - faster.
On 14 nov 2013, at
Ok, i will modify the config. But i really want to know about the carp
configuration.
I forget to mention that im doing DSR.
Saludos.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini
2013/11/14 mxb m...@alumni.chalmers.se
15 sites and only 9?
I'd put around 50
On 14/11/13 15:21, Leonardo Santagostini wrote:
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So
approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites so i have conceptual
misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites
.-
Leonardo Santagostini
http://ar.linkedin.com/in/santagostini
2013/11/14 Andy a...@brandwatch.com
On 14/11/13 15:21, Leonardo Santagostini wrote:
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing
wrote:
Hello misc,
Im doing my final approach to put a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more
a production system with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites so i have conceptual doubts.
1) is it necessary
with
carp+pfsync+relayd on production.
The point is that im facing some trouble setting more than one ip alias
address with different vhid and different passwd.
So, this is the scenario.
Im trying to relayd more or less 15 sites so i have conceptual doubts.
1) is it necessary to create one
No,
it is number of currently active sessions for this particular relay.
Eg. 502 users.
On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:
Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds
like
an error return from nginx/apache etc. could be a direct server
Hello Andy. Actually i proved flushing pf rules, tables and counters with
no luck.
But after restart relayd things come to work as expected.
Thanks, Leonardo
El nov 14, 2013 8:15 p.m., mxb m...@alumni.chalmers.se escribió:
No,
it is number of currently active sessions for this particular
..or even iBGP for that matter, an interesting
way to go could be:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
I'm trying this, but I'm not sure it's actually working. I suspect
bgpd.conf cluelessness on my part, suggestions appreciated.
Existing
peer
(one session per router), *not* using the CARP IP to establish BGP
sessions. I had started with one BGP session originating from the CARP
IP, but every time I failed over, all my announcements went away and
instead of a ~60sec outage I had a ~4hr partial outage while my routes
re-propagated
routers communicating with one upstream peer
(one session per router), *not* using the CARP IP to establish BGP
sessions. I had started with one BGP session originating from the CARP
IP, but every time I failed over, all my announcements went away and
instead of a ~60sec outage I had a ~4hr partial
, an interesting
way to go could be:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
becomes the master it's because the master is dead, so losing a few packets
isn't the end of the world?
If you're talking about eBGP..or even iBGP for that matter, an interesting
way to go could be:
Two BGP sessions from different IPs (no CARP)
BGP next-hop pointing to CARP-protected IP
risk insecurity..
Thanks for reading :)
I have (I think) almost exactly the same issue; doesn't pfsync between the
redundant BGP routers solve your state-tracking problem?
In my case, I have two BGP routers communicating with one upstream peer
(one session per router), *not* using the CARP IP
Hi,
We have upgraded to 5.4 in production and now have our OSPF routes being
announced from our CARP 'backup' with a max value metric, and the CARP
'master' announcing with the default/defined metrics. This works great
in testing so far and directs all traffic to the CARP master.
Would
401 - 500 of 2091 matches