Carp Master / Backup

Hi, I am trying to set up my firewalls with carp. I thought everything was working fine, one was set as Master and one as Backup, I then rebooted the Master and the Backup changed to Master as expected, however when the one that was rebooted came back online, it set its self back to Master

Re: Carp Master / Backup

Le Fri, 15 Oct 2010 15:29:30 +0100, Harrower Gary (NHS National Services Scotland) gary.harro...@nhs.net a icrit : Hi, Any ideas why they were both trying to be master? did you set carp preemption on both machines?

Re: carp + client avahi-daemon = OpenBSD kernel hang

On 2010-10-03, Devin Reade g...@gno.org wrote: snip *excellent* write-up of the problem and network layout; if only all problem reports were this good! So basically there are untrusted machines on the interface on which you also run pfsync. This is an unsupported configuration, as per pfsync(4):

Re: carp + client avahi-daemon = OpenBSD kernel hang

--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson s...@spacehopper.org wrote: On 2010-10-03, Devin Reade g...@gno.org wrote: snip *excellent* write-up of the problem and network layout; if only all problem reports were this good! Thanks. I'm also a developer, just not in the

Re: carp + client avahi-daemon = OpenBSD kernel hang

On Sat, Oct 02, 2010 at 10:46:59PM -0600, Devin Reade wrote: I've got a problem where I have a couple of OpenBSD firewalls running in a redundant configuration using carp, and have found that CentOS 5.5 (Linux) boxes running on a protected network, if they have avahi-daemon running

Re: carp + client avahi-daemon = OpenBSD kernel hang

Kenneth R Westerback kwesterb...@rogers.com wrote: You seem to be using a custom compiled kernel. I didn't spot any explanation of that (-stable patches? changes to kernel config?). Non-GENERIC kernels make developers nervous. Nothing custom; it's 4.7 stable with patches 001 through 006

Re: Kernel Panic immediately after boot with CARP

On Wed, 29 Sep 2010 11:57:10 +0200, you wrote: sigh. use-after-free (most likely, at least) somewhere. unlikely to be carp itself. might be re (wild guess). I think your somewhere near re theory might have some merrit to it. :) I've had a number of crashes over the past couple days, but this one

Re: Kernel Panic immediately after boot with CARP

* Steve W st...@witucke.net [2010-10-03 22:16]: On Wed, 29 Sep 2010 11:57:10 +0200, you wrote: sigh. use-after-free (most likely, at least) somewhere. unlikely to be carp itself. might be re (wild guess). I think your somewhere near re theory might have some merrit to it. :) well

Re: Kernel Panic immediately after boot with CARP

* Henning Brauer lists-open...@bsws.de [2010-10-03 22:28]: * Steve W st...@witucke.net [2010-10-03 22:16]: On Wed, 29 Sep 2010 11:57:10 +0200, you wrote: sigh. use-after-free (most likely, at least) somewhere. unlikely to be carp itself. might be re (wild guess). I think your somewhere

Re: Kernel Panic immediately after boot with CARP

On Sun, 3 Oct 2010 22:41:50 +0200, you wrote: err... reading the trace first helps. this is actually pretty clearly a problem in re. I don't feel responsible for re tho :) Is there something else I should do before submitting something to bugs? Both of these source files haven't been modified

Re: Kernel Panic immediately after boot with CARP

On Sun, 3 Oct 2010 22:24:18 +0200, you wrote: well, it is easy enough to verify - use something else but re. if it's stable, we have the guilty party, at least. Yea, I'm sort of stuck with re. Here's a few quick images of these boxes. It's a Jetway NF76 board with a daughter card with 3

carp + client avahi-daemon = OpenBSD kernel hang

I've got a problem where I have a couple of OpenBSD firewalls running in a redundant configuration using carp, and have found that CentOS 5.5 (Linux) boxes running on a protected network, if they have avahi-daemon running, will cause the OpenBSD kernels to lock up hard. This is very

Re: Kernel Panic immediately after boot with CARP

* Steve W st...@witucke.net [2010-09-26 18:46]: login: panic: pool_do_get(mcl2k): free list modified: page 0xd68bc000;; item addr 0xd68bc800; offset 0x0=0x2d304436 sigh. use-after-free (most likely, at least) somewhere. unlikely to be carp itself. might be re (wild guess). -- Henning Brauer

Re: CARP-ed dns server ?

- Original Message From: PP;QQ P(P8P?P8QP8P= chipits...@gmail.com To: James Peltier james_a_pelt...@yahoo.ca Sent: Mon, September 20, 2010 1:40:16 PM Subject: Re: CARP-ed dns server ? if you have nothing to say except RTFM, can you do everybody a favour and be silent, please

CARP-ed dns server ?

Hello! does anybody run dns server on CARP interface ? Cheers, Ilia Chipitsine

Re: CARP-ed dns server ?

On Sun, Sep 19, 2010 at 11:29 PM, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote: Hello! does anybody run dns server on CARP interface ? Yes.

Re: CARP-ed dns server ?

* ??? chipits...@gmail.com [2010-09-20 08:35]: does anybody run dns server on CARP interface ? yup. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application

Re: CARP-ed dns server ?

hello! can you provide more details ? 1. what is dns software ? 2. how two copies of dns server (on master and backup) are replicated ? 3. any carp hooks on switching ? cheers, Ilia Chipitsine 2010/9/20 Henning Brauer lists-open...@bsws.de: * ??? chipits...@gmail.com [2010-09-20 08

Re: CARP-ed dns server ?

- Original Message From: PP;QQ P(P8P?P8QP8P= chipits...@gmail.com To: misc@openbsd.org Sent: Mon, September 20, 2010 2:04:18 AM Subject: Re: CARP-ed dns server ? hello! can you provide more details ? 1. what is dns software ? 2. how two copies of dns server (on master

Re: CARP-ed dns server ?

isn't such a piece of shit 2. how two copies of dns server (on master and backup) are replicated ? not at all 3. any carp hooks on switching ? no -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

On Sat, Sep 11, 2010 at 09:27:51AM -0600, Andy Bradford wrote: Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200: Wrong UDP is normaly not a fully defined 4 touple. Especially the listening sockets (on port 53) can be slammed with packets. On the other hand, if the

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

* Martin Pelikan martin.peli...@gmail.com [2010-09-09 12:24]: It depends on what do you need. The defaults suffice for most cases, but on our most loaded router we use tcp both 256k and udp send space which is bullshit on a router, since rcv/send space is for sockets and irrelevant for

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

On Fri, Sep 10, 2010 at 08:20:30PM -0600, Andy Bradford wrote: Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200: Because on busy servers you need to queue quite a few packets to handle bursts. I was under the impression that UDP is connectionless and therefore does

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200: Wrong UDP is normaly not a fully defined 4 touple. Especially the listening sockets (on port 53) can be slammed with packets. On the other hand, if the recvbuffer overflows then packets just get dropped. Thank you for the

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/10, Stuart Henderson s...@spacehopper.org: these affect traffic sourced from the box itself, *not* routed through it. We had to do quite extensive link testing because of strange packet loss on the SDH circuit. The buffer sizes really mattered :-) But thanks to the information as the link

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Thus said =?UTF-8?Q?Martin_Pelik=C3=A1n?= on Thu, 09 Sep 2010 12:21:17 +0200: It depends on what do you need. The defaults suffice for most cases, but on our most loaded router we use tcp both 256k and udp send space 65k (lots of dns). Just test it somewhere. Why would you need 65k UDP

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/10, Andy Bradford amb-sendok-1286721307.iadidoklmfcciicnc...@bradfords.org: Why would you need 65k UDP for DNS? Almost all UDP based DNS responses are under 512 bytes, those that are larger are required to set the truncated bit and the client restart the query using TCP. We have

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

On Fri, Sep 10, 2010 at 08:35:04AM -0600, Andy Bradford wrote: Thus said =?UTF-8?Q?Martin_Pelik=C3=A1n?= on Thu, 09 Sep 2010 12:21:17 +0200: It depends on what do you need. The defaults suffice for most cases, but on our most loaded router we use tcp both 256k and udp send space 65k

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Martin Pelik??n [martin.peli...@gmail.com] wrote: 2010/9/10, Andy Bradford amb-sendok-1286721307.iadidoklmfcciicnc...@bradfords.org: Why would you need 65k UDP for DNS? Almost all UDP based DNS responses are under 512 bytes, those that are larger are required to set the truncated

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/10, Chris Cappuccio ch...@nmedia.net: Stop using ALTQ on your DNS server, perhaps? That may be what is causing the back-pressure that you're seeing. Why do you think it would help? Those lots of packets would arrive anyway, only the decent user will wait longer for his website to load.

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Martin Pelik??n [martin.peli...@gmail.com] wrote: 2010/9/10, Chris Cappuccio ch...@nmedia.net: Stop using ALTQ on your DNS server, perhaps? That may be what is causing the back-pressure that you're seeing. Why do you think it would help? Those lots of packets would arrive anyway, only

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200: Because on busy servers you need to queue quite a few packets to handle bursts. I was under the impression that UDP is connectionless and therefore does not behave the same as a TCP connection. I would guess that

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/8, Joe Warren-Meeks joe.warren.me...@gmail.com: I've had a weird problem happen twice now. It seems after about 4 - 6 weeks of running very happily, both servers lock up completely at the same time. Both consoles show no error messages, but the cursor is blinking away happily. Neither

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/9 Martin Pelikan martin.peli...@gmail.com: Hello Martin, I thought the same when I played with TCP buffers set to 1M and after some heavy load tests I went out of RAM quite soon :-) The machine had 2G. Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of traffic at peak.

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010/9/9, Joe Warren-Meeks joe.warren.me...@gmail.com: Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of traffic at peak. It does need to maintain a largeish state table, as it is predominatly web traffic, but I've run much much larger and busier sites behind much smaller

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

Joe Warren-Meeks wrote: Hey guys, I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as an active/passive firewall pair. Both are running: (full dmesg at bottom, along with edited pf.conf, in case it's relevant) j...@f2:/home/joe uname -a OpenBSD f2 4.6 GENERIC.MP#81 amd64

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

On 2010-09-09, Martin Pelik??n martin.peli...@gmail.com wrote: 2010/9/9, Joe Warren-Meeks joe.warren.me...@gmail.com: recv/send: net.inet.tcp.recvspace=16384 net.inet.udp.recvspace=41600 j...@f1:/home/joe sysctl -a |grep send net.inet.tcp.sendspace=16384 net.inet.udp.sendspace=9216 Too

OpenBSD 4.6 + carp + pf + pfsync lockup

Hey guys, I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as an active/passive firewall pair. Both are running: (full dmesg at bottom, along with edited pf.conf, in case it's relevant) j...@f2:/home/joe uname -a OpenBSD f2 4.6 GENERIC.MP#81 amd64 I've had a weird problem

Carp trying to send packet on wrong domain

Dear list, I found impossible to have a carp interface in rdomain environment on both the stable and current distributions. Inserting this configuration: ifconfig em0 up ifconfig vlan101 172.26.196.2 netmask 255.255.255.248 vlan 101 vlandev em0 rdomain 101 ifconfig carp101 vhid 1 pass testpw

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

would much rather have VLANs functioning, and that by the looks of it it should be, I thought I'd ask just one last time in case someone else sees this and might have a hint. Newsgroups: gmane.os.openbsd.misc From: Stuart Hendersons...@spacehopper.org Subject: Re: No VLAN Tag seen by switch on CARP

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

in case someone else sees this and might have a hint. Newsgroups: gmane.os.openbsd.misc From: Stuart Hendersons...@spacehopper.org Subject: Re: No VLAN Tag seen by switch on CARP interface on VLAN interface References:4c584a70.2030...@sjohnson.info 4c5affb1.3080...@sjohnson.info 4c5ffa50.1020

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

shows that ARP replies include 802.1Q traffic for ARP replies of both the real VLAN interface IP address, as well as the CARP interface on that VLAN interface. However, the port monitor of the switch only shows the ARP reply from the real interface as having the 802.1Q information

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

by switch on CARP interface on VLAN interface References: 4c584a70.2030...@sjohnson.info 4c5affb1.3080...@sjohnson.info 4c5ffa50.1020...@sjohnson.info Date: Tue, 10 Aug 2010 10:35:55 +0100 User-Agent: slrn/0.9.9p1 (OpenBSD) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

On 2010-08-09, Steve Johnson maill...@sjohnson.info wrote: Sorry about forgetting dmesg, thanks for the info about inline/pastebin. Since this was very long information, I really wasn't sure. Here are all the details inline: Thanks, you will need to apply this patch (from r1.242 of

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

, as well as some TCP dumps on the OBSD box. The dump on the OBSD box shows that ARP replies include 802.1Q traffic for ARP replies of both the real VLAN interface IP address, as well as the CARP interface on that VLAN interface. However, the port monitor of the switch only shows the ARP reply from

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

a port monitor on our switches on the OBSD relative interface, as well as some TCP dumps on the OBSD box. The dump on the OBSD box shows that ARP replies include 802.1Q traffic for ARP replies of both the real VLAN interface IP address, as well as the CARP interface on that VLAN interface

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

) === TCPDUMP ARP TO CARP VLAN INTERFACE IP === No. TimeSourceDestination Protocol Info 190 15.415747 IETF-VRRP-virtual-router-VRID_28 Ibm_c4:3c:5a ARP

Re: CARP + PF

Oh I see, so carp_up would be when its acting as master and carp_down for when its acting as a backup? Stu --- On Thu, 5/8/10, Claer cl...@claer.hammock.fr wrote: From: Claer cl...@claer.hammock.fr Subject: Re: CARP + PF To: misc@openbsd.org Date: Thursday, 5 August, 2010, 16:59 On Thu, Aug 05

Re: No VLAN Tag seen by switch on CARP interface on VLAN interface

more investigating and did a port monitor on our switches on the OBSD relative interface, as well as some TCP dumps on the OBSD box. The dump on the OBSD box shows that ARP replies include 802.1Q traffic for ARP replies of both the real VLAN interface IP address, as well as the CARP

CARP + PF

Hi all, I have a cable modem and an ADSL line at home; the DSL line gives me a static ip but the cable modem gives me a dynamic one. My plan was to use 2 openbsd boxes as network routers with CARP for failover, the idea being that I would plug the cable modem into a switch and plug both boxes

Re: CARP + PF

On Thu, Aug 05 2010 at 50:12, Z Wing wrote: [...] The question I have is how do I get dhclient working with the cable modem, given that the IP address is dynamic? dhclient doesn't work when the carp interface is in INIT mode and I'm not sure how to get carp to share the IP address between

No VLAN Tag seen by switch on CARP interface on VLAN interface

traffic for ARP replies of both the real VLAN interface IP address, as well as the CARP interface on that VLAN interface. However, the port monitor of the switch only shows the ARP reply from the real interface as having the 802.1Q information, and is not seeing any 802.1Q information

CARP issue on VLAN interfaces

Hi, I have an issue with setting up CARP interfaces for VLAN system interfaces. For some reason, the CARP interface is unreachable from any host except the MASTER node, and it seems like the ARP requests are not reaching the destination hosts, yet they are sent by the OBSD systems, on both

CARP technical paper

Hi OpenBSD Team, My request goes for a tech paper with specifications for the CARP protocol, just like a RFC. I Google 'd quite a long time with no luck. Wish you could help with this. Greetings, Steven Moncayo.

Re: CARP technical paper

* Steven Moncayo ste...@infoquality.com.ec [2010-07-29 08:30]: My request goes for a tech paper with specifications for the CARP protocol, just like a RFC. I Google 'd quite a long time with no luck. Wish you could help with this. /usr/src/sys/netinet/ip_carp.c /usr/src/sys/netinet/ip_carp.h

Re: CARP technical paper

- Original Message From: Henning Brauer lists-open...@bsws.de To: misc@openbsd.org Sent: Thu, July 29, 2010 3:32:01 AM Subject: Re: CARP technical paper * Steven Moncayo ste...@infoquality.com.ec [2010-07-29 08:30]: My request goes for a tech paper with specifications

Re: Carp interface group failover issue

On 16/07/2010 8:08 PM, Keith wrote: We have setup carp on a pair of firewalls and are a bit confused with how both LAN/WAN interfaces are meant to fail-over simultaneous (group?). We are still in the process of getting the firewall rules setup correctly for our environment and occasionally

Carp interface group failover issue

We have setup carp on a pair of firewalls and are a bit confused with how both LAN/WAN interfaces are meant to fail-over simultaneous (group?). We are still in the process of getting the firewall rules setup correctly for our environment and occasionally when we make changes to (fw1) we mess

Re: Filter on a CARP (active/passive) firewall

* Massimo Lusetti mass...@cedoc.mo.it [2010-07-05 11:49]: Hi guys, I read on the OpenBSD PF's FAQ this statement: Ruleset Tips Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So

Filter on a CARP (active/passive) firewall

Hi guys, I read on the OpenBSD PF's FAQ this statement: Ruleset Tips Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So, write your rule sets accordingly. Don't forget that an interface

CARP + ARP proxy problem

Hello everyone, I am experiencing difficulties in setting up a firewall using OpenBSD 4.6 w/ CARP interfaces (for future redundancy). We are running OpenBSD 4.6/i386. Brief description of the problem: we have a carp interface on the Internet side. Our ISP provides us with a /25 network

Re: carp and OS upgrades

* LeviaComm Networks NOC n...@leviacomm.net [2010-06-02 05:59]: You do not want the systems seeing each other before they are both upgraded. I learned this after seeing the havoc that can be wrecked with Cisco Firewalls when they are not the same version, but sharing the same config. It

Re: carp and OS upgrades

On Wed, Jun 02, 2010 at 09:47:36AM +0200, Henning Brauer wrote: OpenBSD isn't as stupid and bad as cisco. I upgrade all my carped firewall pairs without downtime. yes, 4.6 and 4.7 require you to adopt your pf config. 4.5-4.6 is trivial. 4.6-4.7 isn't black magic either but admittedly not

Re: carp and OS upgrades

* Reyk Floeter r...@openbsd.org [2010-06-02 11:16]: also, due to pfsync changes, the failover isn't perfect (pfsync is out of the equation), so you'll lose your sessions. given how often I lose perfectly valid tcp sessions that just idle a bit when I am at foreign networks (conferences,

carp and OS upgrades

Ignoring aspects common to all OpenBSD upgrades, and the ideosyncracies that get mentioned in the release notes for specific upgrades, does anyone have general comments, suggestions, warnings, etc regarding upgrading a pair of firewalls that are running in a typical redundant config using carp

Re: carp and OS upgrades

in a typical redundant config using carp, pfsync, et al? It is not the case that I'm part way through an upgrade and have a problem. It's more that I'm interested in what I can expect when I run into this situation. Devin The first obstacle you'll encounter is the changes in pf between 4.6

Re: DHCP on a CARP Interface

For now I am going to go with a different design with a separate box to take the Internet handoff, but I would still be interested to see if anyone has successfully used CARP with dhclient. On May 23, 2010, at 12:55 AM, Patrick O'Sullivan ir...@insaneirish.com wrote: For the sake of both

problems with CARP

Hi all, I have some problems with CARP (I can't get it working). this is my current configuration: # sysctl net.inet.ip.forwarding net.inet.ip.forwarding=1 # sysctl net.inet.carp net.inet.carp.allow=1 net.inet.carp.preempt=1 net.inet.carp.log=2 # cat /etc/hostname.carp1 inet 172.16.0.1

DHCP on a CARP Interface

For the sake of both redundancy and tinkering, I'd like to get a CARP setup running at home. I have two firewalls yet only one Internet source. All my local subnets will have statically configured IPs on both the CARP interface and the underlying interfaces. I briefly tried to get CARP running

CARP master not falling back (ignoring advskew)

inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100 On both hosts: # sysctl |grep carp net.inet.carp.allow=1 net.inet.carp.preempt=1 net.inet.carp.log=2 # dmesg |head OpenBSD 4.6

Re: CARP master not falling back (ignoring advskew)

2010/4/23 silvershadow...@gmx.de Hi list, I found some traces of this 'issue' (if it actually is one, no idea), e.g. here: http://www.pubbs.net/openbsd/200911/51706/ # sysctl |grep carp net.inet.carp.allow=1 net.inet.carp.preempt=1 I seem to recall that the above sysctl is creating

Re: CARP master not falling back (ignoring advskew)

inet 10.0.0.5 255.0.0.0 NONE vhid 2 host B: # cat /etc/hostname.carp1 inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100 On both hosts: # sysctl |grep carp

Re: CARP master not falling back (ignoring advskew)

: # cat /etc/hostname.carp1 inet 10.0.0.5 255.0.0.0 NONE vhid 2 advskew 100 On both hosts: # sysctl |grep carp net.inet.carp.allow=1 net.inet.carp.preempt=1

Re: carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER

On Tue, Apr 20, 2010 at 8:17 AM, Tomoyuki Sakurai tomoyu...@reallyenglish.com wrote: Failover works, IP balancing doesn't. Trying to make it work, tweaking every possible options. Then, you set wrong advskew in the process... #fail Failover works. IP balancing DOES work. Sorry for the noise

Re: carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER

On Tue, Mar 9, 2010 at 4:10 PM, Tomoyuki Sakurai tomoyu...@reallyenglish.com wrote: The other node is still BACKUP (vhid 72) and MASTER (vhid 172). Now vhid 172 is MASTER-MASTER state. Am I mssing something? Maybe fixed in -current? As I saw a commit to trunk(4), upgraded to the latest

problems with carp based firewall - all connections are suspended after falling back from failover

net.inet.carp.log=7 pf.conf # allow pfsync pass quick on em1 proto pfsync # allow carp pass quick on { em0, em2, em3 } proto carp keep state Standby setup: /etc/hostname.carp0: inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb /etc/hostname.carp1: inet 10.1.2.1 255.255.255.0

Re: problems with carp based firewall - all connections are suspended after falling back from failover

/etc/hostname.pfsync0 up syncdev em1 net.inet.carp.preempt=1 net.inet.ip.forwarding=1 net.inet.carp.log=7 pf.conf # allow pfsync pass quick on em1 proto pfsync # allow carp pass quick on { em0, em2, em3 } proto carp keep state Standby setup: /etc/hostname.carp0: inet 10.1.1.1

Re: problems with carp based firewall - all connections are suspended after falling back from failover

net.inet.carp.preempt Allow virtual hosts to preempt each other. Set it to 0 and give it a try. I try it, and after the primary comes up again - the established connections stay active - great! But 1 of 3 carp interfaces dont fall back to the Master mode at the Primary: carp

Re: problems with carp based firewall - all connections are suspended after falling back from failover

On Sat, Apr 10, 2010 at 11:10:42AM +0200, tom baecker wrote: net.inet.carp.preempt Allow virtual hosts to preempt each other. Set it to 0 and give it a try. I try it, and after the primary comes up again - the established connections stay active - great! But 1 of 3 carp

Re: problems with carp based firewall - all connections are suspended after falling back from failover

This can happen if the list of addresses, netmasks vhid and password of an carp interface is not exactly the same on the two hosts. -Otto I'm confused, because if I reboot in this case the Secondary, all carp interfaces swiched to Master state on primary, without any packet loss. I

problems with carp based firewall - all connections are suspended after falling back from failover

net.inet.carp.log=7 pf.conf # allow pfsync pass quick on em1 proto pfsync # allow carp pass quick on { em0, em2, em3 } proto carp keep state Standby setup: /etc/hostname.carp0: inet 10.1.1.1 255.255.255.0 10.100.255.255 vhid 1 advskew 100 pass bbb /etc/hostname.carp1: inet 10.1.2.1 255.255.255.0

Re: External CARP + SSL issues

Hello, Where is the web server? Is it internal or is it an external web server? It was all `external servers. What does telnet web_server 443 and openssl s_client -connect web_server:443 gives you? Have you tried sniffing the traffic to see what goes wrong? I can't test right now

External CARP + SSL issues

have two CARP interfaces (internal and external) on each firewall. See the configuration below. Load-balancing works perfectly for non-SSL websites but I am unable to connect to secure websites (https). When forcing a connection to go directly through one of the four OpenBSD server or when using only

Re: External CARP + SSL issues

the following situation. I have four OpenBSD firewalls configured to do load-balancing ( in and out) using ip-stealth. I have two CARP interfaces (internal and external) on each firewall. See the configuration below. Load-balancing works perfectly for non-SSL websites but I am unable to connect

Redundant Firewall problem with pf/carp/pfsync/ipsec

I've currently been running a redundant firewall solution in our Production environment using OpenBSD (version 4.5-stable) with CARP (4), PF (4), PFsync (4) and SAsyncd (8) which syncs the pf rules and IPSEC security associations via the cross-over cable method. We're also running an IPSEC (4

ospfd and carp

Hi, Firstly, I think the ospfd man page should mention that it will do the right thing when carp interfaces are added as passive. Currently the only way to find out about this seems to be to search the archives. Secondly, I have a test environment with a pair of boxes with a large-ish number

Re: Problems with Carp, Multi-WAN and pf syntax.

Stuart Henderson schrieb: you're probably looking for reply-to, something along these lines: pass in quick on gif1 inet to (gif1) reply-to 10.33@gif1 pass in quick on pppoe0 inet to (pppoe0) reply-to 0.0@pppoe0 Yes I was. Except that the syntax was not exactly clear to me if

Re: any known working configuration of OpenBGPd and CARP ?

* ??? chipits...@gmail.com [2010-03-07 06:12]: from the network point of view, packets will come from the same MAC an IP address (because of CARP), so ... if BACKUP will just continue to maintain a session, established by MASTER, nobody will even know, 1 sec is nothing in terms

Re: any known working configuration of OpenBGPd and CARP ?

* Eugene Yunak e.yu...@gmail.com [2010-03-07 17:58]: Time for the bgpdsync (as in pfsync)? Sounds like a nice idea to me. please. think it through. it's not like we would not like that. you had to: -have a way to migrate the tcp session with all its state over this is actually the hard part. a

Problems with Carp, Multi-WAN and pf syntax.

Hello all, How do I configure a pf in a way that traffic that comes in one one CARP-Interface goes out to the same CARP-Interface? The syntax in -current has changed from the FAQ (which assumes OpenBSD-4.6). http://www.openbsd.org/faq/pf/pools.html#outgoing On a HP ProLiant

Re: Problems with Carp, Multi-WAN and pf syntax.

Marcus M|lb|sch schrieb: How do I configure a pf in a way that traffic that comes in one one CARP-Interface goes out to the same CARP-Interface? The syntax in -current has changed from the FAQ (which assumes OpenBSD-4.6). After some help from a friendly soul, and reducinge my pf.conf

Re: Problems with Carp, Multi-WAN and pf syntax.

On 2010-03-11, Marcus M?lb?sch muelbue...@as-infodienste.de wrote: Hello all, How do I configure a pf in a way that traffic that comes in one one CARP-Interface goes out to the same CARP-Interface? you're probably looking for reply-to, something along these lines: pass in quick on gif1

Re: any known working configuration of OpenBGPd and CARP ?

On 7. mars 2010, at 00.07, Claudio Jeker wrote: On Sat, Mar 06, 2010 at 06:52:24PM +0100, Rogier Krieger wrote: On Sat, Mar 6, 2010 at 17:26, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote: no, I want routes exactly to carp. That sounds odd. Routes are something different than what

carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER

I'm working on CARP with IP balancing on 4.6R. With trunk(4) failover setting, it doesn't work. # cat hostname.em0 up # cat hostname.em1 up # cat hostname.trunk1 trunkport em0 trunkport em1 trunkproto failover up # cat hostname.carp0 carpdev trunk1 carpnodes 72:0,172:100 balancing ip-stealth

Re: any known working configuration of OpenBGPd and CARP ?

On Sun, Mar 7, 2010 at 06:00, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote: from the network point of view, packets will come from the same MAC an IP address (because of CARP), so ... if BACKUP will just continue to maintain a session, established by MASTER, nobody will even know, 1 sec

Re: any known working configuration of OpenBGPd and CARP ?

to carp. That sounds odd. Routes are something different than what particular host responds to frames directed to a specific hardware address. If I understand the rest of your description correctly, you want only the master bgpd to have sessions and to somehow distribute its routes

Re: any known working configuration of OpenBGPd and CARP ?

with redundant pathes. from the network point of view, packets will come from the same MAC an IP address (because of CARP), so ... if BACKUP will just continue to maintain a session, established by MASTER, B nobody will even know, 1 sec is nothing in terms of BGP You can not just continue to maintain

Re: any known working configuration of OpenBGPd and CARP ?

you have multiple bgpd routers with redundant pathes. from the network point of view, packets will come from the same MAC an IP address (because of CARP), so ... if BACKUP will just continue to maintain a session, established by MASTER, nobody will even know, 1 sec is nothing in terms of BGP

any known working configuration of OpenBGPd and CARP ?

Hello! we are running two OpenBSD routers organized by CARP and I'd like OpenBGPd (running on those routers) to switch as fast as CARP itself, so, I've written the following config: carp4 - uplink ethernet (currently just one uplink) MASTER, /etc/bgpd.conf: AS x router-id 10.0.0.1 network

Re: any known working configuration of OpenBGPd and CARP ?

of course there are (many) working bgpd + carp setups. * ??? chipits...@gmail.com [2010-03-06 15:14]: second router learns routes from carp master (since it has no direct connection while it is BACKUP), but I only see routes using bgpctl show rib, not using netstat -rn. also, there's

<    5   6   7   8   9   10   11   12   13   14   >