Hello, no carp is used at this time. My configuration on each router is simple:
em0 + em3 = trunk0 em1 + em2 = trunk1 4 interco vlan (at this time, only 2 are active, 1 for a BGP neighbor IPv4, 1 for a BGP neighbor IPv6) on trunk0 vlan 50 + vlan 90 + vlan995 on trunk1 pfsync on vlan 995 -- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Networks http://www.unix-experience.fr Le mercredi 03 juillet 2013 à 12:47 +0200, mxb a écrit : > How does your CARP setup looks like. On both machines? > Can you send your ifconfig output? > > What is your environment/setup for this 2-node CARP? > How interfaces (ext/int) are connected? What switches do you use? > > > On 3 jul 2013, at 10:23, Loïc Blot <loic.b...@unix-experience.fr> wrote: > > > Okay, defer is now enabled on pfsync interface (sorry for my last idea, > > i haven't the man on me :) ). > > It seems the problem isn't resolved. > > The transfer starts but blocked at random time. > > -- > > Best regards, > > > > Loïc BLOT, Engineering > > UNIX Systems, Security and Networks > > http://www.unix-experience.fr > > > > > > Le mercredi 03 juillet 2013 à 08:12 +0200, Loïc BLOT a écrit : > >> Hi, > >> Thanks for your reply. I wasn't careful about this section. > >> If i understand i must add defer option to my WAN iface (or i'm wrong i > >> must add it to my vlan995 iface ?) ? > >> > >> I will test it this morning, and i return back to misc :) > >> -- > >> Best regards, > >> Loc BLOT, > >> UNIX systems, security and network expert > >> http://www.unix-experience.fr > >> > >> > >> Le mercredi 03 juillet 2013 02:02 +0200, mxb a crit : > >>> pfsync(4) explains this: > >>> > >>> " The pfsync interface will attempt to collapse multiple state updates > >> into > >>> a single packet where possible. The maximum number of times a single > >>> state can be updated before a pfsync packet will be sent out is > >>> controlled by the maxupd parameter > >>> " > >>> > >>> > >>> and > >>> > >>> " Where more than one firewall might actively handle packets, e.g. with > >>> certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial > >> to > >>> defer transmission of the initial packet of a connection. The pfsync > >>> state insert message is sent immediately; the packet is queued until > >>> either this message is acknowledged by another system, or a timeout > >> has > >>> expired. This behaviour is enabled with the defer parameter to > >>> ifconfig(8). > >>> " > >>> > >>> > >>> Eg. "defer: on", yours is "off". > >>> > >>> //mxb > >>> > >>> > >>> On 2 jul 2013, at 21:54, Loc BLOT <loic.b...@unix-experience.fr> wrote: > >>> > >>>> Hi all > >>>> I have a strange issue (or i haven't read pfsync correctly but i don't > >>>> think this is the problem :D) > >>>> > >>>> I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site. > >>>> > >>>> Those BGP routers are secure with strong PF in stateful mode, and the > >>>> stateful is working very well on each router. Because of my full mesh > >>>> BGP configuration, the outgoing layer 7 sessions can leave my network by > >>>> one router and responses can income by the other. > >>>> > >>>> To resolve this issue, i have created a dedidated VLAN for the pfsync > >>>> traffic and attached pfsync to this VLAN. > >>>> > >>>> Here is a sample output of ifconfig on my first router: > >>>> > >>>> vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > >>>> lladdr a0:36:9f:10:4a:a6 > >>>> priority: 0 > >>>> vlan: 995 parent interface: trunk1 > >>>> groups: vlan > >>>> status: active > >>>> inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid > >>>> 0x10 > >>>> inet 10.117.1.129 netmask 0xfffffff8 broadcast 10.117.1.135 > >>>> pfsync0: flags=41<UP,RUNNING> mtu 1500 > >>>> priority: 0 > >>>> pfsync: syncdev: vlan995 maxupd: 255 defer: off > >>>> groups: carp pfsync > >>>> > >>>> And here on my second router: > >>>> > >>>> vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > >>>> lladdr a0:36:9f:17:e2:1e > >>>> priority: 0 > >>>> vlan: 995 parent interface: trunk1 > >>>> groups: vlan > >>>> status: active > >>>> inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid > >>>> 0x10 > >>>> inet 10.117.1.130 netmask 0xfffffff8 broadcast 10.117.1.135 > >>>> pfsync0: flags=41<UP,RUNNING> mtu 1500 > >>>> priority: 0 > >>>> pfsync: syncdev: vlan995 maxupd: 255 defer: off > >>>> groups: carp pfsync > >>>> > >>>> As you see in next tcpdump capture, there is some discussions between > >>>> the two routers: > >>>> > >>>> # tcpdump -nni vlan995 > >>>> tcpdump: listening on vlan995, link-type EN10MB > >>>> tcpdump: WARNING: compensating for unaligned libpcap packets > >>>> 23:41:13.699617 10.117.1.130: PFSYNCv6 len 108 > >>>> act UPD ST COMP count 1 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> 23:41:14.158500 10.117.1.129: PFSYNCv6 len 108 > >>>> act UPD ST COMP count 1 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> 23:41:14.941396 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3 > >>>> bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0 > >>>> hello=2/0 fwdelay=15/0 pvid=995 > >>>> 23:41:14.949617 10.117.1.130: PFSYNCv6 len 108 > >>>> act UPD ST COMP count 1 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> 23:41:15.237655 10.117.1.129: PFSYNCv6 len 640 > >>>> act UPD ST COMP count 1 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> 23:41:15.949617 10.117.1.130: PFSYNCv6 len 124 > >>>> act UPD ST COMP count 1 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> 23:41:16.255230 10.117.1.129: PFSYNCv6 len 36 > >>>> act DEL ST COMP count 1 > >>>> id: 51d16a3500006c33 creatorid: a10bbd21 > >>>> (DF) [tos 0x10] > >>>> 23:41:16.946454 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3 > >>>> bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0 > >>>> hello=2/0 fwdelay=15/0 pvid=995 > >>>> 23:41:16.949619 10.117.1.130: PFSYNCv6 len 1116 > >>>> act UPD ST COMP count 13 > >>>> ... > >>>> (DF) [tos 0x10] > >>>> > >>>> > >>>> The problem is simple, when i initiate a stateful connection from one > >>>> server, the return (by second router) is blocked by PF (i see the return > >>>> with pflog0) > >>>> > >>>> To be precise here is an example (and tested path): > >>>> > >>>> OBSD NTP -> OBSD router 1 -> WAN...ftp.fr.openbsd.org...WAN -> OBSD > >>>> router 2 || blocked > >>>> > >>>> PF allow in/out routing traffic from this server but incoming from WAN > >>>> is blocked by default > >>>> > >>>> Can you confirm to me that pfsync may add a state for outgoing tcp > >>>> connection in the second router when the first router add it ? > >>>> Have you got any idea on this issue ? > >>>> > >>>> -- > >>>> Best regards, > >>>> Loc BLOT, > >>>> UNIX systems, security and network expert > >>>> http://www.unix-experience.fr > >>>> > >>>> [demime 1.01d removed an attachment of type application/pgp-signature > >> which had a name of signature.asc] > >> > >> [demime 1.01d removed an attachment of type application/pgp-signature > >> which had a name of signature.asc]
