Hi,
I am trying to set up my firewalls with carp.
I thought everything was working fine, one was set as Master and one as
Backup, I then rebooted the Master and the Backup changed to Master as
expected, however when the one that was rebooted came back online, it set
itself back to Master
On Fri, 15 Oct 2010 15:29:30 +0100,
Harrower Gary (NHS National Services Scotland)
gary.harro...@nhs.net wrote:
Hi,
Any ideas why they were both trying to be master?
did you set carp preemption on both machines?
On 2010-10-03, Devin Reade g...@gno.org wrote:
snip *excellent* write-up of the problem and network layout;
if only all problem reports were this good!
So basically there are untrusted machines on the interface on which you
also run pfsync. This is an unsupported configuration, as per pfsync(4):
--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson
s...@spacehopper.org wrote:
On 2010-10-03, Devin Reade g...@gno.org wrote:
snip *excellent* write-up of the problem and network layout;
if only all problem reports were this good!
Thanks. I'm also a developer, just not in the
On Sat, Oct 02, 2010 at 10:46:59PM -0600, Devin Reade wrote:
I've got a problem where I have a couple of OpenBSD firewalls
running in a redundant configuration using carp, and have found
that CentOS 5.5 (Linux) boxes running on a protected network, if
they have avahi-daemon running
Kenneth R Westerback kwesterb...@rogers.com wrote:
You seem to be using a custom compiled kernel. I didn't spot any
explanation of that (-stable patches? changes to kernel config?).
Non-GENERIC kernels make developers nervous.
Nothing custom; it's 4.7 stable with patches 001 through 006
On Wed, 29 Sep 2010 11:57:10 +0200, you wrote:
sigh. use-after-free (most likely, at least) somewhere. unlikely to be
carp itself. might be re (wild guess).
I think your somewhere near re theory might have some merit to it. :)
I've had a number of crashes over the past couple days, but this one
* Steve W st...@witucke.net [2010-10-03 22:16]:
On Wed, 29 Sep 2010 11:57:10 +0200, you wrote:
sigh. use-after-free (most likely, at least) somewhere. unlikely to be
carp itself. might be re (wild guess).
I think your somewhere near re theory might have some merit to it. :)
well
* Henning Brauer lists-open...@bsws.de [2010-10-03 22:28]:
* Steve W st...@witucke.net [2010-10-03 22:16]:
On Wed, 29 Sep 2010 11:57:10 +0200, you wrote:
sigh. use-after-free (most likely, at least) somewhere. unlikely to be
carp itself. might be re (wild guess).
I think your somewhere
On Sun, 3 Oct 2010 22:41:50 +0200, you wrote:
err... reading the trace first helps. this is actually pretty clearly a
problem in re. I don't feel responsible for re tho :)
Is there something else I should do before submitting something to bugs?
Both of these source files haven't been modified
On Sun, 3 Oct 2010 22:24:18 +0200, you wrote:
well, it is easy enough to verify - use something else but re. if it's
stable, we have the guilty party, at least.
Yea, I'm sort of stuck with re. Here's a few quick images of these boxes. It's
a
Jetway NF76 board with a daughter card with 3
I've got a problem where I have a couple of OpenBSD firewalls
running in a redundant configuration using carp, and have found
that CentOS 5.5 (Linux) boxes running on a protected network, if
they have avahi-daemon running, will cause the OpenBSD kernels to lock
up hard. This is very
* Steve W st...@witucke.net [2010-09-26 18:46]:
login: panic: pool_do_get(mcl2k): free list modified: page 0xd68bc000;; item
addr 0xd68bc800; offset 0x0=0x2d304436
sigh. use-after-free (most likely, at least) somewhere. unlikely to be
carp itself. might be re (wild guess).
--
Henning Brauer
- Original Message
From: PP;QQ P(P8P?P8QP8P=
chipits...@gmail.com
To: James Peltier james_a_pelt...@yahoo.ca
Sent:
Mon, September 20, 2010 1:40:16 PM
Subject: Re: CARP-ed dns server ?
if
you have nothing to say except RTFM, can you do everybody a favour
and be
silent, please
Hello!
does anybody run dns server on CARP interface ?
Cheers,
Ilia Chipitsine
On Sun, Sep 19, 2010 at 11:29 PM, PP;QQ P(P8P?P8QP8P=
chipits...@gmail.com wrote:
Hello!
does anybody run dns server on CARP interface ?
Yes.
* ??? chipits...@gmail.com [2010-09-20 08:35]:
does anybody run dns server on CARP interface ?
yup.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application
hello!
can you provide more details ?
1. what is dns software ?
2. how two copies of dns server (on master and backup) are replicated ?
3. any carp hooks on switching ?
cheers,
Ilia Chipitsine
2010/9/20 Henning Brauer lists-open...@bsws.de:
* ??? chipits...@gmail.com [2010-09-20 08
- Original Message
From: PP;QQ P(P8P?P8QP8P=
chipits...@gmail.com
To: misc@openbsd.org
Sent: Mon, September 20, 2010
2:04:18 AM
Subject: Re: CARP-ed dns server ?
hello!
can you
provide more details ?
1. what is dns software ?
2. how two copies of
dns server (on master
isn't such a piece of shit
2. how two copies of dns server (on master and backup) are replicated ?
not at all
3. any carp hooks on switching ?
no
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
On Sat, Sep 11, 2010 at 09:27:51AM -0600, Andy Bradford wrote:
Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200:
Wrong UDP is normally not a fully defined 4 tuple. Especially the
listening sockets (on port 53) can be slammed with packets. On the
other hand, if the
* Martin Pelikan martin.peli...@gmail.com [2010-09-09 12:24]:
It depends on what do you need. The defaults suffice for most cases,
but on our most loaded router we use tcp both 256k and udp send space
which is bullshit on a router, since rcv/send space is for sockets and
irrelevant for
On Fri, Sep 10, 2010 at 08:20:30PM -0600, Andy Bradford wrote:
Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200:
Because on busy servers you need to queue quite a few packets to
handle bursts.
I was under the impression that UDP is connectionless and therefore
does
Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200:
Wrong UDP is normally not a fully defined 4 tuple. Especially the
listening sockets (on port 53) can be slammed with packets. On the
other hand, if the recvbuffer overflows then packets just get dropped.
Thank you for the
2010/9/10, Stuart Henderson s...@spacehopper.org:
these affect traffic sourced from the box itself, *not* routed through it.
We had to do quite extensive link testing because of strange packet
loss on the SDH circuit. The buffer sizes really mattered :-) But
thanks to the information as the link
Thus said Martin Pelikán on Thu, 09 Sep 2010 12:21:17 +0200:
It depends on what do you need. The defaults suffice for most cases,
but on our most loaded router we use tcp both 256k and udp send space
65k (lots of dns). Just test it somewhere.
Why would you need 65k UDP
2010/9/10, Andy Bradford
amb-sendok-1286721307.iadidoklmfcciicnc...@bradfords.org:
Why would you need 65k UDP for DNS? Almost all UDP based DNS responses
are under 512 bytes, those that are larger are required to set the
truncated bit and the client restart the query using TCP.
We have
On Fri, Sep 10, 2010 at 08:35:04AM -0600, Andy Bradford wrote:
Thus said Martin Pelikán on Thu, 09 Sep 2010 12:21:17 +0200:
It depends on what do you need. The defaults suffice for most cases,
but on our most loaded router we use tcp both 256k and udp send space
65k
Martin Pelikán [martin.peli...@gmail.com] wrote:
2010/9/10, Andy Bradford
amb-sendok-1286721307.iadidoklmfcciicnc...@bradfords.org:
Why would you need 65k UDP for DNS? Almost all UDP based DNS responses
are under 512 bytes, those that are larger are required to set the
truncated
2010/9/10, Chris Cappuccio ch...@nmedia.net:
Stop using ALTQ on your DNS server, perhaps? That may be what is causing
the back-pressure that you're seeing.
Why do you think it would help? Those lots of packets would arrive
anyway, only the decent user will wait longer for his website to load.
Martin Pelikán [martin.peli...@gmail.com] wrote:
2010/9/10, Chris Cappuccio ch...@nmedia.net:
Stop using ALTQ on your DNS server, perhaps? That may be what is causing
the back-pressure that you're seeing.
Why do you think it would help? Those lots of packets would arrive
anyway, only
Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200:
Because on busy servers you need to queue quite a few packets to
handle bursts.
I was under the impression that UDP is connectionless and therefore
does not behave the same as a TCP connection. I would guess that
2010/9/8, Joe Warren-Meeks joe.warren.me...@gmail.com:
I've had a weird problem happen twice now. It seems after about 4 - 6
weeks of running very happily, both servers lock up completely at the
same time. Both consoles show no error messages, but the cursor is
blinking away happily. Neither
2010/9/9 Martin Pelikan martin.peli...@gmail.com:
Hello Martin,
I thought the same when I played with TCP buffers set to 1M and after
some heavy load tests I went out of RAM quite soon :-) The machine had
2G.
Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of
traffic at peak.
2010/9/9, Joe Warren-Meeks joe.warren.me...@gmail.com:
Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of
traffic at peak. It does need to maintain a largeish state table, as
it is predominantly web traffic, but I've run much much larger and
busier sites behind much smaller
Joe Warren-Meeks wrote:
Hey guys,
I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as
an active/passive firewall pair.
Both are running: (full dmesg at bottom, along with edited pf.conf, in
case it's relevant)
j...@f2:/home/joe uname -a
OpenBSD f2 4.6 GENERIC.MP#81 amd64
On 2010-09-09, Martin Pelikán martin.peli...@gmail.com wrote:
2010/9/9, Joe Warren-Meeks joe.warren.me...@gmail.com:
recv/send:
net.inet.tcp.recvspace=16384
net.inet.udp.recvspace=41600
j...@f1:/home/joe sysctl -a |grep send
net.inet.tcp.sendspace=16384
net.inet.udp.sendspace=9216
Too
Hey guys,
I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as
an active/passive firewall pair.
Both are running: (full dmesg at bottom, along with edited pf.conf, in
case it's relevant)
j...@f2:/home/joe uname -a
OpenBSD f2 4.6 GENERIC.MP#81 amd64
I've had a weird problem
Dear list,
I found impossible to have a carp interface in rdomain environment on
both the stable and current distributions.
Inserting this configuration:
ifconfig em0 up
ifconfig vlan101 172.26.196.2 netmask 255.255.255.248 vlan 101 vlandev
em0 rdomain 101
ifconfig carp101 vhid 1 pass testpw
would much rather have VLANs functioning, and
that by the looks of it it should be, I thought I'd ask just one last
time in case someone else sees this and might have a hint.
Newsgroups: gmane.os.openbsd.misc
From: Stuart Henderson s...@spacehopper.org
Subject: Re: No VLAN Tag seen by switch on CARP
in case someone else sees this and might have a hint.
Newsgroups: gmane.os.openbsd.misc
From: Stuart Henderson s...@spacehopper.org
Subject: Re: No VLAN Tag seen by switch on CARP interface on VLAN interface
References:4c584a70.2030...@sjohnson.info
4c5affb1.3080...@sjohnson.info 4c5ffa50.1020
shows that ARP replies include 802.1Q traffic
for ARP replies of both the real VLAN interface IP address, as well as
the CARP interface on that VLAN interface.
However, the port monitor of the switch only shows the ARP reply from
the real interface as having the 802.1Q information
by switch on CARP interface on VLAN interface
References: 4c584a70.2030...@sjohnson.info
4c5affb1.3080...@sjohnson.info 4c5ffa50.1020...@sjohnson.info
Date: Tue, 10 Aug 2010 10:35:55 +0100
User-Agent: slrn/0.9.9p1 (OpenBSD)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer
On 2010-08-09, Steve Johnson maill...@sjohnson.info wrote:
Sorry about forgetting dmesg, thanks for the info about inline/pastebin.
Since this was very long information, I really wasn't sure. Here are all
the details inline:
Thanks, you will need to apply this patch (from r1.242 of
, as well as some TCP dumps on
the OBSD box.
The dump on the OBSD box shows that ARP replies include 802.1Q traffic
for ARP replies of both the real VLAN interface IP address, as well as
the CARP interface on that VLAN interface.
However, the port monitor of the switch only shows the ARP reply from
a port monitor on our
switches on the OBSD relative interface, as well as some TCP dumps on
the OBSD box.
The dump on the OBSD box shows that ARP replies include 802.1Q traffic
for ARP replies of both the real VLAN interface IP address, as well as
the CARP interface on that VLAN interface
)
===
TCPDUMP ARP TO CARP VLAN INTERFACE IP
===
No. Time Source Destination Protocol Info
190 15.415747 IETF-VRRP-virtual-router-VRID_28 Ibm_c4:3c:5a
ARP
Oh I see, so carp_up would be when its acting as master and carp_down for when
its acting as a backup?
Stu
--- On Thu, 5/8/10, Claer cl...@claer.hammock.fr wrote:
From: Claer cl...@claer.hammock.fr
Subject: Re: CARP + PF
To: misc@openbsd.org
Date: Thursday, 5 August, 2010, 16:59
On Thu, Aug 05
more investigating and did a port monitor on our
switches on the OBSD relative interface, as well as some TCP dumps on
the OBSD box.
The dump on the OBSD box shows that ARP replies include 802.1Q traffic
for ARP replies of both the real VLAN interface IP address, as well as
the CARP
Hi all,
I have a cable modem and an ADSL line at home; the DSL line gives me a static
ip but the cable modem gives me a dynamic one. My plan was to use 2 openbsd
boxes as network routers with CARP for failover, the idea being that I would
plug the cable modem into a switch and plug both boxes
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
The question I have is how do I get dhclient working with the cable modem,
given that the IP address is dynamic? dhclient doesn't work when the carp
interface is in INIT mode and I'm not sure how to get carp to share the IP
address between
traffic
for ARP replies of both the real VLAN interface IP address, as well as
the CARP interface on that VLAN interface.
However, the port monitor of the switch only shows the ARP reply from
the real interface as having the 802.1Q information, and is not seeing
any 802.1Q information
Hi,
I have an issue with setting up CARP interfaces for VLAN system
interfaces. For some reason, the CARP interface is unreachable from any
host except the MASTER node, and it seems like the ARP requests are not
reaching the destination hosts, yet they are sent by the OBSD systems,
on both
Hi OpenBSD Team,
My request goes for a tech paper with specifications for the CARP protocol,
just like a RFC. I Googled quite a long time with no luck. Wish you could
help with this.
Greetings,
Steven Moncayo.
* Steven Moncayo ste...@infoquality.com.ec [2010-07-29 08:30]:
My request goes for a tech paper with specifications for the CARP protocol,
just like a RFC. I Googled quite a long time with no luck. Wish you could
help with this.
/usr/src/sys/netinet/ip_carp.c
/usr/src/sys/netinet/ip_carp.h
- Original Message
From: Henning Brauer lists-open...@bsws.de
To: misc@openbsd.org
Sent: Thu, July 29, 2010 3:32:01 AM
Subject: Re: CARP technical paper
* Steven Moncayo ste...@infoquality.com.ec [2010-07-29 08:30]:
My request goes for a tech paper with specifications
On 16/07/2010 8:08 PM, Keith wrote:
We have setup carp on a pair of firewalls and are a bit confused with
how both LAN/WAN interfaces are meant to fail-over simultaneous
(group?). We are still in the process of getting the firewall rules
setup correctly for our environment and occasionally
We have setup carp on a pair of firewalls and are a bit confused with
how both LAN/WAN interfaces are meant to fail-over simultaneous
(group?). We are still in the process of getting the firewall rules
setup correctly for our environment and occasionally when we make
changes to (fw1) we mess
* Massimo Lusetti mass...@cedoc.mo.it [2010-07-05 11:49]:
Hi guys,
I read on the OpenBSD PF's FAQ this statement:
Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not the CARP virtual
interface (i.e., carp0). So
Hi guys,
I read on the OpenBSD PF's FAQ this statement:
Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not the CARP virtual
interface (i.e., carp0). So, write your rule sets accordingly. Don't
forget that an interface
Hello everyone,
I am experiencing difficulties in setting up a firewall using OpenBSD
4.6
w/ CARP interfaces (for future redundancy).
We are running OpenBSD 4.6/i386.
Brief description of the problem: we have a carp interface on the
Internet
side. Our ISP provides us with a /25 network
* LeviaComm Networks NOC n...@leviacomm.net [2010-06-02 05:59]:
You do not want the systems seeing each other before they are both
upgraded. I learned this after seeing the havoc that can be wreaked
with Cisco Firewalls when they are not the same version, but sharing
the same config. It
On Wed, Jun 02, 2010 at 09:47:36AM +0200, Henning Brauer wrote:
OpenBSD isn't as stupid and bad as cisco.
I upgrade all my carped firewall pairs without downtime.
yes, 4.6 and 4.7 require you to adopt your pf config. 4.5-4.6 is
trivial. 4.6-4.7 isn't black magic either but admittedly not
* Reyk Floeter r...@openbsd.org [2010-06-02 11:16]:
also, due to pfsync changes, the failover isn't perfect (pfsync is out
of the equation), so you'll lose your sessions. given how often I lose
perfectly valid tcp sessions that just idle a bit when I am at foreign
networks (conferences,
Ignoring aspects common to all OpenBSD upgrades, and the idiosyncrasies
that get mentioned in the release notes for specific upgrades, does anyone
have general comments, suggestions, warnings, etc regarding upgrading
a pair of firewalls that are running in a typical redundant config
using carp
in a typical redundant config
using carp, pfsync, et al?
It is not the case that I'm part way through an upgrade and have a
problem. It's more that I'm interested in what I can expect when
I run into this situation.
Devin
The first obstacle you'll encounter is the changes in pf between 4.6
For now I am going to go with a different design with a separate box
to take the Internet handoff, but I would still be interested to see
if anyone has successfully used CARP with dhclient.
On May 23, 2010, at 12:55 AM, Patrick O'Sullivan ir...@insaneirish.com wrote:
For the sake of both
Hi all,
I have some problems with CARP (I can't get it working).
this is my current configuration:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# sysctl net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2
# cat /etc/hostname.carp1
inet 172.16.0.1
For the sake of both redundancy and tinkering, I'd like to get a CARP
setup running at home. I have two firewalls yet only one Internet
source. All my local subnets will have statically configured IPs on
both the CARP interface and the underlying interfaces. I briefly tried
to get CARP running
inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100
On both hosts:
# sysctl |grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2
# dmesg |head
OpenBSD 4.6
2010/4/23 silvershadow...@gmx.de
Hi list,
I found some traces of this 'issue' (if it actually is one, no idea), e.g.
here:
http://www.pubbs.net/openbsd/200911/51706/
# sysctl |grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
I seem to recall that the above sysctl is creating
inet 10.0.0.5 255.0.0.0 NONE vhid 2
host B:
# cat /etc/hostname.carp1
inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100
On both hosts:
# sysctl |grep carp
:
# cat /etc/hostname.carp1
inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100
On both hosts:
# sysctl |grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
On Tue, Apr 20, 2010 at 8:17 AM, Tomoyuki Sakurai
tomoyu...@reallyenglish.com wrote:
Failover works, IP balancing doesn't.
Trying to make it work, tweaking every possible options.
Then, you set wrong advskew in the process... #fail
Failover works.
IP balancing DOES work.
Sorry for the noise
On Tue, Mar 9, 2010 at 4:10 PM, Tomoyuki Sakurai
tomoyu...@reallyenglish.com wrote:
The other node is still BACKUP (vhid 72) and MASTER (vhid 172). Now vhid 172
is
MASTER-MASTER state.
Am I missing something? Maybe fixed in -current?
As I saw a commit to trunk(4), upgraded to the latest
net.inet.carp.log=7
pf.conf
# allow pfsync
pass quick on em1 proto pfsync
# allow carp
pass quick on { em0, em2, em3 } proto carp keep state
Standby setup:
/etc/hostname.carp0:
inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb
/etc/hostname.carp1:
inet 10.1.2.1 255.255.255.0
/etc/hostname.pfsync0
up syncdev em1
net.inet.carp.preempt=1
net.inet.ip.forwarding=1
net.inet.carp.log=7
pf.conf
# allow pfsync
pass quick on em1 proto pfsync
# allow carp
pass quick on { em0, em2, em3 } proto carp keep state
Standby setup:
/etc/hostname.carp0:
inet 10.1.1.1
net.inet.carp.preempt Allow virtual hosts to preempt each other.
Set it to 0 and give it a try.
I try it, and after the primary comes up again - the established
connections stay active - great!
But 1 of 3 carp interfaces don't fall back to the Master mode at the Primary:
carp
On Sat, Apr 10, 2010 at 11:10:42AM +0200, tom baecker wrote:
net.inet.carp.preempt Allow virtual hosts to preempt each other.
Set it to 0 and give it a try.
I try it, and after the primary comes up again - the established
connections stay active - great!
But 1 of 3 carp
This can happen if the list of addresses, netmasks vhid and password
of a carp interface is not exactly the same on the two hosts.
-Otto
I'm confused, because if I reboot in this case the Secondary, all carp
interfaces switched to Master state on primary, without any packet
loss.
I
net.inet.carp.log=7
pf.conf
# allow pfsync
pass quick on em1 proto pfsync
# allow carp
pass quick on { em0, em2, em3 } proto carp keep state
Standby setup:
/etc/hostname.carp0:
inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb
/etc/hostname.carp1:
inet 10.1.2.1 255.255.255.0
Hello,
Where is the web server?
Is it internal or is it an external web server?
It was all external servers.
What does telnet web_server 443 and
openssl s_client -connect web_server:443
gives you?
Have you tried sniffing the traffic to see what goes wrong?
I can't test right now
have two CARP interfaces (internal and external) on each
firewall. See the configuration below.
Load-balancing works perfectly for non-SSL websites but I am unable to
connect to secure websites (https). When forcing a connection to go
directly through one of the four OpenBSD server or when using only
the following situation. I have four OpenBSD
firewalls configured to do load-balancing ( in and out) using
ip-stealth. I have two CARP interfaces (internal and external) on each
firewall. See the configuration below.
Load-balancing works perfectly for non-SSL websites but I am unable to
connect
I've currently been running a redundant firewall solution in our
Production environment using OpenBSD (version 4.5-stable) with CARP (4),
PF (4), PFsync (4) and SAsyncd (8) which syncs the pf rules and IPSEC
security associations via the cross-over cable method. We're also
running an IPSEC (4
Hi,
Firstly, I think the ospfd man page should mention that it will do the
right thing when carp interfaces are added as passive. Currently the
only way to find out about this seems to be to search the archives.
Secondly, I have a test environment with a pair of boxes with a
large-ish number
Stuart Henderson wrote:
you're probably looking for reply-to, something along these lines:
pass in quick on gif1 inet to (gif1) reply-to 10.33@gif1
pass in quick on pppoe0 inet to (pppoe0) reply-to 0.0@pppoe0
Yes I was.
Except that the syntax was not exactly clear to me if
* ??? chipits...@gmail.com [2010-03-07 06:12]:
from the network point of view, packets will come from the same MAC and
IP address (because of CARP), so ... if BACKUP will just continue to
maintain a session, established by MASTER, nobody will even know, 1
sec is nothing in terms
* Eugene Yunak e.yu...@gmail.com [2010-03-07 17:58]:
Time for the bgpdsync (as in pfsync)? Sounds like a nice idea to me.
please. think it through. it's not like we would not like that.
you had to:
-have a way to migrate the tcp session with all its state over
this is actually the hard part. a
Hello all,
How do I configure a pf in a way that traffic that comes in on one
CARP-Interface goes out to the same CARP-Interface? The syntax in
-current has changed from the FAQ (which assumes OpenBSD-4.6).
http://www.openbsd.org/faq/pf/pools.html#outgoing
On a HP ProLiant
Marcus Mülbüsch wrote:
How do I configure a pf in a way that traffic that comes in on one
CARP-Interface goes out to the same CARP-Interface? The syntax in
-current has changed from the FAQ (which assumes OpenBSD-4.6).
After some help from a friendly soul, and reducing my pf.conf
On 2010-03-11, Marcus Mülbüsch muelbue...@as-infodienste.de wrote:
Hello all,
How do I configure a pf in a way that traffic that comes in on one
CARP-Interface goes out to the same CARP-Interface?
you're probably looking for reply-to, something along these lines:
pass in quick on gif1
On 7. mars 2010, at 00.07, Claudio Jeker wrote:
On Sat, Mar 06, 2010 at 06:52:24PM +0100, Rogier Krieger wrote:
On Sat, Mar 6, 2010 at 17:26, PP;QQ P(P8P?P8QP8P=
chipits...@gmail.com
wrote:
no, I want routes exactly to carp.
That sounds odd. Routes are something different than what
I'm working on CARP with IP balancing on 4.6R. With trunk(4) failover
setting, it
doesn't work.
# cat hostname.em0
up
# cat hostname.em1
up
# cat hostname.trunk1
trunkport em0 trunkport em1
trunkproto failover
up
# cat hostname.carp0
carpdev trunk1
carpnodes 72:0,172:100 balancing ip-stealth
On Sun, Mar 7, 2010 at 06:00, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com
wrote:
from the network point of view, packets will come from the same MAC and
IP address (because of CARP), so ... if BACKUP will just continue to
maintain a session, established by MASTER, nobody will even know, 1
sec
to carp.
That sounds odd. Routes are something different than what particular
host responds to frames directed to a specific hardware address.
If I understand the rest of your description correctly, you want only
the master bgpd to have sessions and to somehow distribute its routes
with redundant paths.
from the network point of view, packets will come from the same MAC and
IP address (because of CARP), so ... if BACKUP will just continue to
maintain a session, established by MASTER, nobody will even know, 1
sec is nothing in terms of BGP
You can not just continue to maintain
you have multiple bgpd routers with redundant paths.
from the network point of view, packets will come from the same MAC and
IP address (because of CARP), so ... if BACKUP will just continue to
maintain a session, established by MASTER, nobody will even know, 1
sec is nothing in terms of BGP
Hello!
we are running two OpenBSD routers organized by CARP and I'd like
OpenBGPd (running on those routers) to switch as fast as CARP itself,
so, I've written the following config:
carp4 - uplink ethernet (currently just one uplink)
MASTER, /etc/bgpd.conf:
AS x
router-id 10.0.0.1
network
of course there are (many) working bgpd + carp setups.
* ??? chipits...@gmail.com [2010-03-06 15:14]:
second router learns routes from carp master (since it has no direct
connection while it is BACKUP), but I only see routes using bgpctl
show rib, not using netstat -rn. also, there's