Re: ospfd default route problem

2013-03-26 Thread Loïc Blot
Hi Stuart,
I agree, but that means I must use area 0 on the LAN ifaces. And if I have
another area on that iface (my extended LAN area), I can't use the backbone
area.
Now I have replaced area 12 with area 0, but the problem still persists.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Monday 25 March 2013 at 22:52 +, Stuart Henderson wrote:
 On 2013-03-25, Loïc BLOT loic.b...@unix-experience.fr wrote:
  Hi Robert and misc@openbsd,
  thanks for your reply, but what if I don't want to connect area 12 to area
  0? My area 12 is reserved for LAN to LAN only; I don't want to publish
  its routes on the backbone area, and the backbone area is not in stub mode.
 
 It sounds like you are trying to get a default route from area 3 into area
 12, though; you would need to do that via the backbone (area 0).
 
  On Monday 25 March 2013 at 14:23 +0100, Robert Blacquiere wrote:
 
  See also:
 
  http://www.netcraftsmen.net/resources/archived-articles/434-introducing-ospf.html
 
 yes, there are a bunch of pretty decent OSPF articles on that site.



ospfd default route problem

2013-03-25 Thread Loïc Blot
Hi all,
I am updating my last mail about OSPF to give you more details.

I have 2 LAN OBSD routers, which are on a local VLAN, and 1 MAN OBSD
router, connected to the local VLAN, which has an interconnect with the MAN router:
- my 3 OpenBSD routers use area 12 to exchange local routes
- my MAN router uses area 12 over GRE+IPSec with a remote site
- my MAN router uses area 3 to get routes from the MAN (the default route
especially)

A little network diagram:


                  Area 3                   Area 12
WAN --| MAN Router || My OBSD MAN Router || My OBSD LAN1
 |  ||| My OBSD LAN2
 |  |
 |  |
 |  Gre + IPSec | Area 12
 |  |
 |  |
 |  |
 |--| Remote OBSD Router || Remote LAN

The problem is that when my MAN router learns routes from area 12, the default
route, learnt from area 3, disappears (same problem if area 3 is loaded
after area 12).
I have tried combinations of stub/non-stub areas, but in each case the
problem is present.

Here is my configuration for the MAN router:
router-id A.B.C.D
auth-md 1 pwd1
auth-md 3 pwd2

area 12 {
auth-type crypt
auth-md-keyid 1
interface gre0
interface trunk1
}

area 3 {
auth-type crypt
auth-md-keyid 3
interface trunk0
}

And my configuration from one LAN router:

router-id A.B.C.D
no redistribute default
auth-md 1 pwd1
area 12 {
auth-type crypt
auth-md-keyid 1
interface trunk0
interface trunk1 { passive }
interface vlan994 { passive }
}

Has anyone an idea? I'm stuck :s

Thanks in advance

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr



Re: ospfd default route problem

2013-03-25 Thread Loïc BLOT
Hi Robert and misc@openbsd,
thanks for your reply, but what if I don't want to connect area 12 to area
0? My area 12 is reserved for LAN to LAN only; I don't want to publish
its routes on the backbone area, and the backbone area is not in stub mode.

Also, I thought about stub areas to avoid publishing routes. I think I must
apply stub to area 3 but not to area 12, right? Stub is set on the area
on which we don't want to obtain routes from other areas, isn't it?

Thank you in advance,

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Monday 25 March 2013 at 14:23 +0100, Robert Blacquiere wrote:

 On Mon, Mar 25, 2013 at 11:24:56AM +0100, Loïc Blot wrote:
  Hi all,
  I am updating my last mail about OSPF to give you more details.
  
  I have 2 LAN OBSD routers, which are on a local VLAN, and 1 MAN OBSD
  router, connected to the local VLAN, which has an interconnect with the MAN router:
  - my 3 OpenBSD routers use area 12 to exchange local routes
  - my MAN router uses area 12 over GRE+IPSec with a remote site
  - my MAN router uses area 3 to get routes from the MAN (the default route
  especially)
 
  A little network diagram:
 
 
                   Area 3                   Area 12
  WAN --| MAN Router || My OBSD MAN Router || My OBSD LAN1
   |  ||| My OBSD LAN2
   |  |
   |  |
   |  Gre + IPSec | Area 12
   |  |
   |  |
   |  |
   |--| Remote OBSD Router || Remote LAN
 

 snip

 Every OSPF area needs to connect to area 0 (the backbone area). If you don't,
 you need to use a virtual interface tunnel (CISCO specific) to attach Area 12
 to Area 0.
 It seems this can cause the issue you are seeing.

 See also:

http://www.netcraftsmen.net/resources/archived-articles/434-introducing-ospf.html

 Regards

 Robert




Re: ospfd default route problem

2013-03-25 Thread Stuart Henderson
On 2013-03-25, Loïc BLOT loic.b...@unix-experience.fr wrote:
 Hi Robert and misc@openbsd,
 thanks for your reply, but what if I don't want to connect area 12 to area
 0? My area 12 is reserved for LAN to LAN only; I don't want to publish
 its routes on the backbone area, and the backbone area is not in stub mode.

It sounds like you are trying to get a default route from area 3 into area
12, though; you would need to do that via the backbone (area 0).

 On Monday 25 March 2013 at 14:23 +0100, Robert Blacquiere wrote:

 See also:

 http://www.netcraftsmen.net/resources/archived-articles/434-introducing-ospf.html

yes, there are a bunch of pretty decent OSPF articles on that site.
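
As an added illustration of the point Robert and Stuart make above (this is not code from the thread or from OpenBSD's ospfd), here is a small checker that reads the two ospfd.conf fragments Loïc posted, builds each router's area membership, and reports every non-backbone area with no ABR into area 0. inter_area_path applies the rule that inter-area routes propagate only through the backbone, so a router that sits in area 3 and area 12 without also being in area 0 does not carry the default route between them. The router names "man" and "lan1", the hypothetical "fixed" topology used in the usage note, and the acceptance of "0" as a short form of the backbone id are assumptions of this example. Passing the structural check is necessary but, as the 26 March follow-up in this thread shows, not on its own sufficient.

```python
import re
from collections import defaultdict

# Constructed sample: the two ospfd.conf fragments posted in this thread
# (MAN router with areas 12 and 3; one LAN router with area 12 only).
MAN_ROUTER_CONF = """
router-id A.B.C.D
auth-md 1 pwd1
auth-md 3 pwd2
area 12 {
auth-type crypt
auth-md-keyid 1
interface gre0
interface trunk1
}
area 3 {
auth-type crypt
auth-md-keyid 3
interface trunk0
}
"""
LAN_ROUTER_CONF = """
router-id A.B.C.D
no redistribute default
auth-md 1 pwd1
area 12 {
auth-type crypt
auth-md-keyid 1
interface trunk0
interface trunk1 { passive }
interface vlan994 { passive }
}
"""
AREA_RE = re.compile(r"^\s*area\s+(\S+)\s*\{", re.M)
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)", re.M)


def is_backbone(area):
    """ospfd writes the backbone as 0.0.0.0; the short form is an assumption."""
    return area in ("0", "0.0.0.0")


def parse_areas(conf):
    """Return {area_id: [interface, ...]} for one ospfd.conf text. Only
    'area X { ... }' blocks and their 'interface Y' lines are read; nested
    braces such as 'interface trunk1 { passive }' are skipped by depth."""
    areas = {}
    for m in AREA_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        areas[m.group(1)] = IFACE_RE.findall(conf[m.end():i - 1])
    return areas


def check_backbone_rule(routers):
    """routers: {router_name: {area: [ifaces]}}. Lists violations of the
    OSPF rule that every non-backbone area is attached to area 0 by an
    ABR (a router that is in that area and in the backbone)."""
    members = defaultdict(set)
    for name, areas in routers.items():
        for area in areas:
            members[area].add(name)
    findings = []
    if not any(is_backbone(a) for a in members):
        findings.append("no backbone area (0.0.0.0) configured on any router")
    for area in sorted(members):
        if is_backbone(area):
            continue
        if not any(any(is_backbone(a) for a in routers[r]) for r in members[area]):
            findings.append(f"area {area} has no ABR attached to the backbone")
    return findings


def inter_area_path(routers, src_area, dst_area):
    """Areas a summary route crosses from src_area to dst_area. Inter-area
    routes propagate only through the backbone (src -> 0 -> dst), so a
    router sitting in two non-backbone areas carries nothing between
    them. Returns None when some hop has no ABR."""
    def abr_between(a, b):
        return any(a in areas and b in areas for areas in routers.values())
    if src_area == dst_area:
        return [src_area]
    if is_backbone(src_area) or is_backbone(dst_area):
        return [src_area, dst_area] if abr_between(src_area, dst_area) else None
    bb = next((a for areas in routers.values() for a in areas if is_backbone(a)), None)
    if bb is None or not abr_between(src_area, bb) or not abr_between(bb, dst_area):
        return None
    return [src_area, bb, dst_area]


if __name__ == "__main__":
    lab = {"man": parse_areas(MAN_ROUTER_CONF), "lan1": parse_areas(LAN_ROUTER_CONF)}
    print(*check_backbone_rule(lab), sep="\n")
    print("area 3 -> area 12:", inter_area_path(lab, "3", "12"))
```

Run against the posted configuration it reports three findings (no backbone anywhere, and neither area 12 nor area 3 has an ABR) and no path from area 3 to area 12. If the MAN router's trunk1 and the LAN routers' trunk0 are moved into area 0 while gre0 stays in area 12 (a hypothetical layout, not one from the thread), the findings disappear and the path becomes 3 -> 0 -> 12, which is the "via the backbone" route Stuart describes.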



OSPF and default route problem

2013-03-22 Thread Loïc BLOT
Hello misc,
I am installing a WAN router under OpenBSD but I have a strange problem
with OSPF and OpenBSD.
I use two OSPF areas. One area is stub and the other isn't (and I have
tried to stub it too).

Let's say area 1 is the stub area and area 5 is the LAN area.
When the router learns routes from area 1 it learns the link route and
the default route, that's good, BUT when it learns routes from area 5 (or
if area 5 is loaded before area 1) the default route disappears from the routing
table (and also from the FIB & RIB).
I have tried stub and stub redistribute default for area 1.

Here is a little sketch:

WAN -- (BGP) MAN Router (OSPF 1) -- (OSPF 1) My border Router (OSPF 5)
-- LAN

Has anyone any ideas?
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




RES: Route problem

2009-07-07 Thread Ricardo Augusto de Souza
Wrong.

I am just able to ping it.
Clients who have OpenBSD as default gateway cannot access network
10.100.0.0/24 (like HTTP and other services).

Can anyone help me?

_
From: Ricardo Augusto de Souza
Sent: Tuesday, 7 July 2009 10:45
To: misc@openbsd.org
Subject: Route problem


Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links (router 10.100.0.1 is
down).
From the Mikrotik I am able to reach the target network (10.100.0.0/24).
So I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks



Route problem

2009-07-07 Thread Ricardo Augusto de Souza
Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links (router 10.100.0.1 is
down).
From the Mikrotik I am able to reach the target network (10.100.0.0/24).
So I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks



Re: RES: Route problem

2009-07-07 Thread Dag Richards
I don't think it is possible to help you with limited information you 
have provided.




Let's see some sort of description of your network topology, and the output
of netstat -rn and an ifconfig -A of your OBSD router.


My initial guess on why adding the route to the OBSD router failed to
help is that the Mikrotik does not know how to get back to your clients;
are you NATting or not NATting?




Ricardo Augusto de Souza wrote:

Wrong.

I am just able to ping it.
Clients who have OpenBSD as default gateway cannot access network
10.100.0.0/24 (like HTTP and other services).

Can anyone help me?

_
From: Ricardo Augusto de Souza
Sent: Tuesday, 7 July 2009 10:45
To: misc@openbsd.org
Subject: Route problem


Hi,

I use an OpenBSD 4.3 as gw + firewall.
I also have a Mikrotik as a backup gateway.
Now I lost the connectivity of one of my links (router 10.100.0.1 is
down).
From the Mikrotik I am able to reach the target network (10.100.0.0/24).
So I removed this route from OpenBSD and added a new route to the Mikrotik.


At OpenBSD:
route add 10.100.0.0/24 10.10.0.1

# ping 10.100.0.8
PING 10.100.0.8 (10.100.0.8): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.0.8 64 chars, ret=-1
--- 10.100.0.8 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

After around 5 min I was able to ping 10.100.0.0/24.

What am I missing?


Thanks




Re: Carp with aliases route problem

2009-02-24 Thread Stuart Henderson
On 2009-02-24, Rod Whitworth glis...@witworx.com wrote:
 On Mon, 23 Feb 2009 17:52:33 -0600, Todd T. Fries wrote:

As a corollary, for those ISPs who think there is only need for a
single /30 for a client's router, the concept of failover routers
means 1 physical IP per router, and 1 IP for the failover IP, aka
3 IP's for the client side, dictating a /29.  (sorry for this
paragraph, but I am not happy with a particular upstream which
thinks otherwise and is not willing to change).


 As a lab exercise, conducted because an upstream provider would only
 provide one router IP, I set up two Soekris 4801s with their external
 interfaces just up -ed and used the exclusive global IP for carp. It
 worked like a charm. The internal interfaces could have had whatever
 addresses I wanted but, just for fun, I made them work the same way as
 the externals.

If the upstream connection is a /30 via something like PPP and you don't
care about being able to contact the immediately adjacent addresses, there
is the possible hack of setting the netmask a bit shorter than it really
is, so you can use the network and broadcast addresses, giving you the
two extra addresses you need for this.



Re: Carp with aliases route problem

2009-02-23 Thread Stuart Henderson
I suspect you might want /32 on the carp interfaces (255.255.255.255
rather than your 255.255.255.224).

What are the exact symptoms of not being able to reach .197 when HostB
is in backup state? It may be stating the obvious but check there's no
PF rule that might be blocking it.

You don't mention the OS version (this is one of the reasons dmesg is
helpful to include even when it seems irrelevant), but there have been
various routing-related changes recently which may change things.



On 2009-02-21, Michiel van Baak mich...@vanbaak.info wrote:
 Hi all,

 I'm having some trouble with a two-node CARP setup.

 Configuration:

 HostA
 /etc/hostname.em0
 inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
   media 100baseTX mediaopt full-duplex description External

 /etc/hostname.em1
 inet 192.168.10.2 255.255.255.0 192.168.10.255 \
   media 100baseTX mediaopt full-duplex description Internal

 /etc/hostname.em2
 inet 10.10.10.1 255.255.255.0 10.10.10.255 \
   media 100baseTX mediaopt full-duplex description pfsync

 /etc/hostname.pfsync0
 up syncdev em2

 /etc/hostname.carp0
 inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
 inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
 inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
 inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
 inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
 inet alias XXX.XXX.XXX.203 255.255.255.224 NONE

 /etc/hostname.carp1
 inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar

 $ cat /etc/sysctl.conf | grep -v '^#'
 net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
 net.inet.carp.preempt=1  # 1=Enable carp(4) preemption

 HostB
 Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
 em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
 configured so the box is BACKUP

 Now the problem:
 I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
 I can ssh in, relayd relays are working fine and all. If the box goes
 down or loses connection the second box takes over and everyone is
 happy.
 BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
 My suspicion is that this is a routing issue. Looking at the output of
 route -n show:

 HostA:
 $ route -n show -inet  
 Routing tables

 Internet:
 Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
 default              XXX.XXX.XXX.193     UGS9 53475499 -48    carp0
 10.10.10/24          link#3              UC 10 -48           em2
 10.10.10.2           00:15:17:95:c4:43   UHLc   0 1207 -48   em2
 XXX.XXX.XXX.192/27   link#6              UC210 -48           carp0
 XXX.XXX.XXX.193      00:00:5e:00:01:0c   UHLc   10 -48       carp0
 XXX.XXX.XXX.194      00:17:cb:ab:81:fe   UHLc   00 -48       carp0
 XXX.XXX.XXX.195      00:19:e2:0c:31:fe   UHLc   00 -48       carp0
 XXX.XXX.XXX.196      00:15:17:9f:3d:88   UHLc   03 -48       lo0
 XXX.XXX.XXX.196/30   link#1              UC 10 -48           em0
 XXX.XXX.XXX.198      XXX.XXX.XXX.198     UH 05 -48           carp0
 XXX.XXX.XXX.199      XXX.XXX.XXX.199     UH 03 -48           carp0
 XXX.XXX.XXX.200      00:00:5e:00:01:01   UHLc   06 -48       lo0
 XXX.XXX.XXX.201      00:00:5e:00:01:01   UHLc   05 -48       lo0
 XXX.XXX.XXX.202      00:00:5e:00:01:01   UHLc   08 -48       lo0

 HostB:
 $ route -n show -inet
 Routing tables

 Internet:
 Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
 default              XXX.XXX.XXX.193     UGS0   190387 -48   carp0
 10.10.10/24          link#3              UC 10 -48           em2
 10.10.10.1           00:15:17:95:c2:b6   UHLc   0  565 -48   em2
 XXX.XXX.XXX.192/27   link#6              UC 10 -48           carp0
 XXX.XXX.XXX.193      link#6              UHLc   10 -48       carp0
 XXX.XXX.XXX.196/30   link#1              UC 00 -48           em0


 Any pointers to get this setup correctly so I can reach the addresses on
 the physical interfaces of both boxen, no matter in what CARP state they
 are ?



Re: Carp with aliases route problem

2009-02-23 Thread Michiel van Baak
On 21:31, Mon 23 Feb 09, Stuart Henderson wrote:
 I suspect you might want /32 on the carp interfaces (255.255.255.255
 rather than your 255.255.255.224).

I'll try that in the next week. Thanks for the pointer.

 
 What are the exact symptoms of not being able to reach .197 when HostB
 is in backup state? It may be stating the obvious but check there's no
 PF rule that might be blocking it.

There's no pf rule blocking it. I know this because if I 'unplug' HostA
I can reach HostB without problem.
In the info I gave in the mail you can see both hosts decided the
default route is over the carp0 interface.
Your suggestion to change the subnet to /32 on the carp interface ip
addresses might be where the problem is now I reread all the info etc.

The exact symptoms are that the host that's in BACKUP mode cannot route
any traffic out to the internet. This must be because the default route
is going over the carp0 interface instead of the em0 interface.

 
 You don't mention the OS version (this is one of the reasons dmesg is
 helpful to include even when it seems irrelevant), but there have been
 various routing-related changes recently which may change things.

Both firewalls are running OpenBSD 4.4.
both firewalls are exactly the same when it comes to hardware and
software setup. only the /etc/hostname.* files differ because of the ip
addresses and the advskew on the carp interfaces.
dmesg at the bottom of this mail...

I tried but running a not-released version is not accepted by the
company :(

 On 2009-02-21, Michiel van Baak mich...@vanbaak.info wrote:
  Hi all,
 
  I'm having some trouble with a two-node CARP setup.
 
  Configuration:
 
  HostA
  /etc/hostname.em0
  inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
  media 100baseTX mediaopt full-duplex description External
 
  /etc/hostname.em1
  inet 192.168.10.2 255.255.255.0 192.168.10.255 \
  media 100baseTX mediaopt full-duplex description Internal
 
  /etc/hostname.em2
  inet 10.10.10.1 255.255.255.0 10.10.10.255 \
  media 100baseTX mediaopt full-duplex description pfsync
 
  /etc/hostname.pfsync0
  up syncdev em2
 
  /etc/hostname.carp0
  inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
  inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
  inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
  inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
  inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
  inet alias XXX.XXX.XXX.203 255.255.255.224 NONE
 
  /etc/hostname.carp1
  inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar
 
  $ cat /etc/sysctl.conf | grep -v '^#'
  net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
  net.inet.carp.preempt=1  # 1=Enable carp(4) preemption
 
  HostB
  Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
  em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
  configured so the box is BACKUP
 
  Now the problem:
  I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
  I can ssh in, relayd relays are working fine and all. If the box goes
  down or loses connection the second box takes over and everyone is
  happy.
  BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
  My suspicion is that this is a routing issue. Looking at the output of
  route -n show:
 
  HostA:
  $ route -n show -inet  
  Routing tables
 
  Internet:
  Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
  default              XXX.XXX.XXX.193     UGS9 53475499 -48    carp0
  10.10.10/24          link#3              UC 10 -48           em2
  10.10.10.2           00:15:17:95:c4:43   UHLc   0 1207 -48   em2
  XXX.XXX.XXX.192/27   link#6              UC210 -48           carp0
  XXX.XXX.XXX.193      00:00:5e:00:01:0c   UHLc   10 -48       carp0
  XXX.XXX.XXX.194      00:17:cb:ab:81:fe   UHLc   00 -48       carp0
  XXX.XXX.XXX.195      00:19:e2:0c:31:fe   UHLc   00 -48       carp0
  XXX.XXX.XXX.196      00:15:17:9f:3d:88   UHLc   03 -48       lo0
  XXX.XXX.XXX.196/30   link#1              UC 10 -48           em0
  XXX.XXX.XXX.198      XXX.XXX.XXX.198     UH 05 -48           carp0
  XXX.XXX.XXX.199      XXX.XXX.XXX.199     UH 03 -48           carp0
  XXX.XXX.XXX.200      00:00:5e:00:01:01   UHLc   06 -48       lo0
  XXX.XXX.XXX.201      00:00:5e:00:01:01   UHLc   05 -48       lo0
  XXX.XXX.XXX.202      00:00:5e:00:01:01   UHLc   08 -48       lo0
 
  HostB:
  $ route -n show -inet
  Routing tables
 
  Internet:
  Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
  default              XXX.XXX.XXX.193     UGS0   190387  

Re: Carp with aliases route problem

2009-02-23 Thread Todd T. Fries
You cannot get internet access on a backup carp interface, period.

I have seen what you see before, and it comes from not starting things
up in proper order manually, i.e. configuring a system, and not
rebooting it after it was configured so that boot time configs get
processed in proper order.

The only way you are going to get a default route going out a carp
interface is if you have the carp interface configured first prior
to a physical interface for a given network that the default route's
gateway is on.

Please note that /etc/netstart via the 'ifmstart' function starts
trunk/vlan/carp interfaces after normal interfaces, so you should
have gotten the first route in your routing table mentioned below
to go out the physical interface not the carp interface.

Your best bet is to reboot and let the scripts that are designed to
do this in the proper order for you do so, as you not only have the
default route but the route to the network your default gateway is
on going through the carp interface.

As a corollary, for those ISPs who think there is only need for a
single /30 for a client's router, the concept of failover routers
means 1 physical IP per router, and 1 IP for the failover IP, aka
3 IP's for the client side, dictating a /29.  (sorry for this
paragraph, but I am not happy with a particular upstream which
thinks otherwise and is not willing to change).

Thanks,
-- 
Todd Fries .. t...@fries.net

 _
| \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| ..in support of free software solutions.  \  250797 (FWD)
| \
 \\
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Michiel van Baak on 20090221 12:24.02, we have:
| Hi all,
| 
| I'm having some trouble with a two-node CARP setup.
| 
| Configuration:
| 
| HostA
| /etc/hostname.em0
| inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
|   media 100baseTX mediaopt full-duplex description External
| 
| /etc/hostname.em1
| inet 192.168.10.2 255.255.255.0 192.168.10.255 \
|   media 100baseTX mediaopt full-duplex description Internal
| 
| /etc/hostname.em2
| inet 10.10.10.1 255.255.255.0 10.10.10.255 \
|   media 100baseTX mediaopt full-duplex description pfsync
| 
| /etc/hostname.pfsync0
| up syncdev em2
| 
| /etc/hostname.carp0
| inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
| inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.203 255.255.255.224 NONE
| 
| /etc/hostname.carp1
| inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar
| 
| $ cat /etc/sysctl.conf | grep -v '^#'
| net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
| net.inet.carp.preempt=1  # 1=Enable carp(4) preemption
| 
| HostB
| Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
| em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
| configured so the box is BACKUP
| 
| Now the problem:
| I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
| I can ssh in, relayd relays are working fine and all. If the box goes
| down or loses connection the second box takes over and everyone is
| happy.
| BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
| My suspicion is that this is a routing issue. Looking at the output of
| route -n show:
| 
| HostA:
| $ route -n show -inet  
| Routing tables
| 
| Internet:
| Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
| default              XXX.XXX.XXX.193     UGS9 53475499 -48    carp0
| 10.10.10/24          link#3              UC 10 -48           em2
| 10.10.10.2           00:15:17:95:c4:43   UHLc   0 1207 -48   em2
| XXX.XXX.XXX.192/27   link#6              UC210 -48           carp0
| XXX.XXX.XXX.193      00:00:5e:00:01:0c   UHLc   10 -48       carp0
| XXX.XXX.XXX.194      00:17:cb:ab:81:fe   UHLc   00 -48       carp0
| XXX.XXX.XXX.195      00:19:e2:0c:31:fe   UHLc   00 -48       carp0
| XXX.XXX.XXX.196      00:15:17:9f:3d:88   UHLc   03 -48       lo0
| XXX.XXX.XXX.196/30   link#1              UC 10 -48           em0
| XXX.XXX.XXX.198      XXX.XXX.XXX.198     UH 05 -48           carp0
| XXX.XXX.XXX.199  
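
As an added illustration of Todd's explanation above (not code from the thread), here is a small audit that parses the output of route -n show -inet and flags exactly the two things he points at in Michiel's table: a default route whose output interface is a carp(4) interface, and a connected-network route for the default gateway's subnet that is bound to carp rather than to the physical interface. The sample table is a constructed copy of HostA's, with the masked XXX.XXX.XXX.n addresses replaced by the documentation prefix 192.0.2.n and the columns re-expanded; the "after reboot" table is an assumption of what the same host looks like once em0 is configured before carp0, not output from the thread. The interpretation of the flags (uppercase C for a cloning connected route, lowercase c for a cloned ARP entry) is standard route(8) behaviour of that era.

```python
import ipaddress

# Constructed sample modelled on HostA's table in the thread, with the
# masked XXX.XXX.XXX.n addresses replaced by the documentation prefix
# 192.0.2.n and the columns re-expanded (the archive collapsed them).
HOSTA_ROUTES = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.193        UGS        9 53475499     -    48 carp0
10.10.10/24        link#3             UC         1        0     -    48 em2
10.10.10.2         00:15:17:95:c4:43  UHLc       0     1207     -    48 em2
192.0.2.192/27     link#6             UC         2       10     -    48 carp0
192.0.2.193        00:00:5e:00:01:0c  UHLc       1        0     -    48 carp0
192.0.2.196        00:15:17:9f:3d:88  UHLc       0        3     -    48 lo0
192.0.2.196/30     link#1             UC         1        0     -    48 em0
192.0.2.198        192.0.2.198        UH         0        5     -    48 carp0
"""

# Assumed table for the same host after a clean boot in which em0 is
# configured before carp0, so the /27 and the default route sit on em0.
HOSTA_AFTER_REBOOT = """\
default            192.0.2.193        UGS        2       40     -    48 em0
10.10.10/24        link#3             UC         1        0     -    48 em2
192.0.2.192/27     link#1             UC         2       10     -    48 em0
192.0.2.193        00:00:5e:00:01:0c  UHLc       1        0     -    48 em0
192.0.2.198        192.0.2.198        UH         0        5     -    48 carp0
"""


def parse_dest(dest):
    """Turn a route(8) destination into an ip_network. OpenBSD prints
    'default' for 0/0 and drops trailing zero octets ('10.10.10/24')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
        return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)
    return ipaddress.ip_network(f"{dest}/32")


def parse_route_table(text):
    """Parse 'route -n show -inet' rows (8 columns on OpenBSD 4.4)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, flags, _refs, _use, _mtu, _prio, iface = parts
        routes.append({"dest": parse_dest(dest), "gw": gw,
                       "flags": flags, "iface": iface})
    return routes


def connected_route_for(routes, addr):
    """Longest-prefix match among connected-network routes (flag 'C',
    the cloning routes; cloned ARP entries carry 'c' and are skipped)."""
    ip = ipaddress.ip_address(addr)
    nets = [r for r in routes if "C" in r["flags"] and ip in r["dest"]]
    return max(nets, key=lambda r: r["dest"].prefixlen, default=None)


def audit_default_route(routes):
    """Warn when the default route depends on a carp(4) interface: the
    host cannot send through that interface while it is in BACKUP state."""
    warnings = []
    default = next((r for r in routes if r["dest"].prefixlen == 0), None)
    if default is None:
        return ["no default route installed"]
    if default["iface"].startswith("carp"):
        warnings.append(f"default route via {default['gw']} leaves through "
                        f"{default['iface']}; expected the physical interface")
    net = connected_route_for(routes, default["gw"])
    if net is None:
        warnings.append(f"gateway {default['gw']} is not on any connected network")
    elif net["iface"].startswith("carp"):
        warnings.append(f"network {net['dest']} containing the gateway is bound "
                        f"to {net['iface']}, so carp was configured before the "
                        f"physical interface")
    return warnings


if __name__ == "__main__":
    for name, table in (("HostA", HOSTA_ROUTES), ("after reboot", HOSTA_AFTER_REBOOT)):
        print(name, audit_default_route(parse_route_table(table)) or ["ok"])
```

On the posted table both warnings fire; on the assumed post-reboot table neither does, which is the state Todd says /etc/netstart produces when physical interfaces are configured before carp.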

Re: Carp with aliases route problem

2009-02-23 Thread Rod Whitworth
On Mon, 23 Feb 2009 17:52:33 -0600, Todd T. Fries wrote:

As a corollary, for those ISPs who think there is only need for a
single /30 for a client's router, the concept of failover routers
means 1 physical IP per router, and 1 IP for the failover IP, aka
3 IP's for the client side, dictating a /29.  (sorry for this
paragraph, but I am not happy with a particular upstream which
thinks otherwise and is not willing to change).


As a lab exercise, conducted because an upstream provider would only
provide one router IP, I set up two Soekris 4801s with their external
interfaces just up -ed and used the exclusive global IP for carp. It
worked like a charm. The internal interfaces could have had whatever
addresses I wanted but, just for fun, I made them work the same way as
the externals.

I could have left selective accesses to the 4801s as an exercise for
the reader but just think of the 172.20.30/24 I assigned for the link
between the two



*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Carp with aliases route problem

2009-02-21 Thread Michiel van Baak
Hi all,

I'm having some trouble with a two-node CARP setup.

Configuration:

HostA
/etc/hostname.em0
inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
media 100baseTX mediaopt full-duplex description External

/etc/hostname.em1
inet 192.168.10.2 255.255.255.0 192.168.10.255 \
media 100baseTX mediaopt full-duplex description Internal

/etc/hostname.em2
inet 10.10.10.1 255.255.255.0 10.10.10.255 \
media 100baseTX mediaopt full-duplex description pfsync

/etc/hostname.pfsync0
up syncdev em2

/etc/hostname.carp0
inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
inet alias XXX.XXX.XXX.203 255.255.255.224 NONE

/etc/hostname.carp1
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar

$ cat /etc/sysctl.conf | grep -v '^#'
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.carp.preempt=1  # 1=Enable carp(4) preemption

HostB
Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
configured so the box is BACKUP

Now the problem:
I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
I can ssh in, relayd relays are working fine and all. If the box goes
down or loses connection the second box takes over and everyone is
happy.
BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
My suspicion is that this is a routing issue. Looking at the output of
route -n show:

HostA:
$ route -n show -inet  
Routing tables

Internet:
Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
default              XXX.XXX.XXX.193     UGS9 53475499 -48    carp0
10.10.10/24          link#3              UC 10 -48           em2
10.10.10.2           00:15:17:95:c4:43   UHLc   0 1207 -48   em2
XXX.XXX.XXX.192/27   link#6              UC210 -48           carp0
XXX.XXX.XXX.193      00:00:5e:00:01:0c   UHLc   10 -48       carp0
XXX.XXX.XXX.194      00:17:cb:ab:81:fe   UHLc   00 -48       carp0
XXX.XXX.XXX.195      00:19:e2:0c:31:fe   UHLc   00 -48       carp0
XXX.XXX.XXX.196      00:15:17:9f:3d:88   UHLc   03 -48       lo0
XXX.XXX.XXX.196/30   link#1              UC 10 -48           em0
XXX.XXX.XXX.198      XXX.XXX.XXX.198     UH 05 -48           carp0
XXX.XXX.XXX.199      XXX.XXX.XXX.199     UH 03 -48           carp0
XXX.XXX.XXX.200      00:00:5e:00:01:01   UHLc   06 -48       lo0
XXX.XXX.XXX.201      00:00:5e:00:01:01   UHLc   05 -48       lo0
XXX.XXX.XXX.202      00:00:5e:00:01:01   UHLc   08 -48       lo0

HostB:
$ route -n show -inet
Routing tables

Internet:
Destination          Gateway             Flags   Refs  Use   Mtu  Prio  Iface
default              XXX.XXX.XXX.193     UGS0   190387 -48   carp0
10.10.10/24          link#3              UC 10 -48           em2
10.10.10.1           00:15:17:95:c2:b6   UHLc   0  565 -48   em2
XXX.XXX.XXX.192/27   link#6              UC 10 -48           carp0
XXX.XXX.XXX.193      link#6              UHLc   10 -48       carp0
XXX.XXX.XXX.196/30   link#1              UC 00 -48           em0


Any pointers to get this setup correctly so I can reach the addresses on
the physical interfaces of both boxen, no matter in what CARP state they
are ?


-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



route problem

2005-10-15 Thread man Chan
Hello,

I have a route problem in setting up my home network. 
Here is the layout of it:

internet
   |
obsd3.6 (fw)
   | 192.168.1.254
   |
switch (wired)
   |
   | 192.168.1.230 (vr0 wired)
   |
obsd-3.8 
   |
   | 192.168.2.1 (ral0 wireless)
   |
clients (Xp)

My problem is: the XP can ssh to the obsd-3.8 through
wireless.  However it cannot access the internet.

Thanks

clarence


ifconfig at 192.168.1.230
=========================
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:17:68:80:74
        media: IEEE802.11 autoselect hostap
        status: active
        ieee80211: nwid obsd-group chan 6 bssid 00:12:17:68:80:74 100dBm
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::212:17ff:fe68:8074%ral0 prefixlen 64 scopeid 0x1
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:87:b4:63:8f
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.230 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20d:87ff:feb4:638f%vr0 prefixlen 64 scopeid 0x2
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge







Re: route problem

2005-10-15 Thread Marcus Lindemann
man Chan wrote:

Hello,

I have a route problem in setting up my home network. 
Here is the layout of it:

internet
   |
obsd3.6 (fw)
   | 192.168.1.254
   |
switch (wired)
   |
   | 192.168.1.230 (vr0 wired)
   |
obsd-3.8 
   |
   | 192.168.2.1 (ral0 wireless)
   |
clients (Xp)

My problem is: the XP can ssh to the obsd-3.8 through
wireless.  However it cannot access the internet.

Thanks

clarence


ifconfig at 192.168.1.230
=========================
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:17:68:80:74
        media: IEEE802.11 autoselect hostap
        status: active
        ieee80211: nwid obsd-group chan 6 bssid 00:12:17:68:80:74 100dBm
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::212:17ff:fe68:8074%ral0 prefixlen 64 scopeid 0x1
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:87:b4:63:8f
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.230 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20d:87ff:feb4:638f%vr0 prefixlen 64 scopeid 0x2
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge





  

Hi,
do you have ip forwarding enabled? See the "Check routing table" section
of afterboot(8) for how to do it.

BR
Marcus



Re: route problem

2005-10-15 Thread Greg Thomas
On 10/15/05, man Chan [EMAIL PROTECTED] wrote:

 Hello,

 I have a route problem in setting up my home network.
 Here is the layout of it:

 internet
 |
 obsd3.6 (fw)
 | 192.168.1.254
 |
 switch (wired)
 |
 | 192.168.1.230 (vr0 wired)
 |
 obsd-3.8
 |
 | 192.168.2.1 (ral0 wireless)
 |
 clients (Xp)

 My problem is: the XP can ssh to the obsd-3.8 through
 wireless. However it cannot access the internet.

 As I mentioned before, you probably don't have a route on your 3.6 box to
your 192.168.2.0 network. And do your pf rules on the
3.6 box allow the 192.168.2.0 network to reach the
internet?
 Greg
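
As an added illustration of the diagnosis in Greg's reply above (and of Dag's "does the Mikrotik know how to get back to your clients" question in the 2009 thread, which is the same return-path problem), here is a small packet-walk simulator; it is not code from the thread or from OpenBSD. Each host carries a routing table and an ip forwarding flag, and trace() follows a packet hop by hop using longest-prefix match, stopping where a hop has no route or has forwarding disabled. The topology is the one man Chan drew; the firewall's external address and the "isp" host use documentation ranges and are assumptions, and tracing the reply from the firewall's own external address stands in for a de-NATted return packet rather than modelling pf's NAT. The example generalises the thread's single case by also showing what Marcus's net.inet.ip.forwarding=0 looks like on the forward path.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gw")  # gw is None for a connected network


class Host:
    def __init__(self, name, addrs, routes, forwarding=True):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [Route(ipaddress.ip_network(n),
                             ipaddress.ip_address(g) if g else None)
                       for n, g in routes]
        self.forwarding = forwarding          # net.inet.ip.forwarding

    def lookup(self, dst):
        """Longest-prefix match, as the kernel's FIB lookup does."""
        hits = [r for r in self.routes if dst in r.net]
        return max(hits, key=lambda r: r.net.prefixlen, default=None)


def owner(hosts, ip):
    return next((h for h in hosts if ip in h.addrs), None)


def trace(hosts, src_ip, dst_ip, max_hops=16):
    """Walk a packet from the host owning src_ip towards dst_ip.
    Returns (delivered, [hop names], reason)."""
    dst = ipaddress.ip_address(dst_ip)
    node = owner(hosts, ipaddress.ip_address(src_ip))
    path = [node.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return True, path, "delivered"
        if len(path) > 1 and not node.forwarding:
            return False, path, f"{node.name}: ip forwarding disabled"
        route = node.lookup(dst)
        if route is None:
            return False, path, f"{node.name}: no route to {dst}"
        nxt_ip = route.gw if route.gw is not None else dst
        nxt = owner(hosts, nxt_ip)
        if nxt is None:
            return False, path, f"{node.name}: next hop {nxt_ip} unreachable"
        node = nxt
        path.append(node.name)
    return False, path, "hop limit exceeded"


def build_lab(return_route_on_fw=False, forwarding_on_ap=True):
    """The thread's layout: XP client behind the obsd-3.8 wireless router,
    which sits on the 192.168.1.0/24 LAN behind the obsd3.6 firewall.
    Public-side addresses are constructed from documentation ranges."""
    fw_routes = [("192.168.1.0/24", None), ("198.51.100.0/30", None),
                 ("0.0.0.0/0", "198.51.100.1")]
    if return_route_on_fw:   # the route Greg says the 3.6 box is missing
        fw_routes.append(("192.168.2.0/24", "192.168.1.230"))
    return [
        Host("xp", ["192.168.2.10"],
             [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")],
             forwarding=False),
        Host("obsd-3.8", ["192.168.2.1", "192.168.1.230"],
             [("192.168.2.0/24", None), ("192.168.1.0/24", None),
              ("0.0.0.0/0", "192.168.1.254")], forwarding=forwarding_on_ap),
        Host("obsd3.6", ["192.168.1.254", "198.51.100.2"], fw_routes),
        # The ISP side carries no RFC 1918 space, so it has no route back.
        Host("isp", ["198.51.100.1", "203.0.113.1"],
             [("198.51.100.0/30", None), ("203.0.113.0/24", None)]),
    ]


if __name__ == "__main__":
    print("forward :", trace(build_lab(), "192.168.2.10", "203.0.113.1"))
    print("reply   :", trace(build_lab(), "198.51.100.2", "192.168.2.10"))
    print("with fix:", trace(build_lab(True), "198.51.100.2", "192.168.2.10"))
```

The forward trace reaches the outside host, but the reply traced from the firewall falls through to its default route and dies at the ISP because obsd3.6 has no route for 192.168.2.0/24; adding that route via 192.168.1.230 makes the reply arrive at the client. With forwarding off on obsd-3.8 the forward trace stops there, which is the symptom Marcus was asking about.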



Re: route problem

2005-10-15 Thread Greg Thomas
On 10/15/05, Marcus Lindemann [EMAIL PROTECTED] wrote:

 man Chan wrote:

 Hello,
 
 I have a route problem in setting up my home network.
 Here is the layout of it:
 
 internet
  |
 obsd3.6 (fw)
  | 192.168.1.254
  |
 switch (wired)
  |
  | 192.168.1.230 (vr0 wired)
  |
 obsd-3.8
  |
  | 192.168.2.1 (ral0 wireless)
  |
 clients (Xp)
 
 My problem is: the XP can ssh to the obsd-3.8 through
 wireless. However it cannot access the internet.
 
 Thanks
 
 clarence
 
 
 
 
 Hi,
 do you have ip forwarding enabled? See the "Check routing table" section
 of afterboot(8) for how to do it.

 As per a previous message of his ip forwarding is enabled.
 Greg



Re: Re: route problem

2005-10-15 Thread man Chan
--- Greg Thomas [EMAIL PROTECTED] wrote:

 On 10/15/05, man Chan [EMAIL PROTECTED]
 wrote:
 
  Hello,
 
  I have a route problem in setting up my home
 network.
  Here is the layout of it:
 
  internet
  |
  obsd3.6 (fw)
  | 192.168.1.254
  |
  switch (wired)
  |
  | 192.168.1.230 (vr0 wired)
  |
  obsd-3.8
  |
  | 192.168.2.1 (ral0 wireless)
  |
  clients (Xp)
 
  My problem is: the XP can ssh to the obsd-3.8
 through
  wireless. However it cannot access the internet.
 
  As I mentioned before, you probably don't have a
 route on your 3.6 box to
 your 192.168.2.0 network. And
 do your pf rules on the
 3.6 box allow the 192.168.2.0
 network to reach the
 internet?
  Greg
 
 

Thanks Greg. I finally fixed all the problems.  Since
I added another AP machine (192.168.3.1) for testing
purposes, I may have messed up something.  The next step for
my case is to make the wireless channel encrypted.
Any pointers?  Thanks.

Clarence
