Hello Jan, thanks for answering. The point was with booting without bsd.mp; now the box rebooted and is showing 4 procs =)
By now, all is working fine. Thanks for all your support. I will keep you all informed how things are going.

Best regards
Regards.-
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2013/11/18 Jan Lambertz <jd.arb...@googlemail.com>

> qemu-kvm ... -smp sockets=2 ... solved it for me. What qemu version and build are you using?
>
> On 14.11.2013 18:47 "Leonardo Santagostini" <lsantagost...@gmail.com> wrote:
>
> > Thanks a lot to all, I will give it a try and give you feedback as soon as it gets implemented.
> >
> > Regards.-
> > Leonardo Santagostini
> > <http://ar.linkedin.com/in/santagostini>
> >
> > 2013/11/14 Andy <a...@brandwatch.com>
> >
> > > On 14/11/13 15:21, Leonardo Santagostini wrote:
> > >
> > > Hello misc,
> > >
> > > I'm doing my final approach to put a production system with carp+pfsync+relayd on production.
> > >
> > > The point is that I'm facing some trouble setting more than one IP alias address with different vhid and different passwd.
> > >
> > > So, this is the scenario.
> > >
> > > I'm trying to relayd more or less 15 sites, so I have conceptual doubts.
> > >
> > > 1) Is it necessary to create one carp interface for each one of my internal VIP addresses?
> > > 2) My understanding is that I have to work with pf on my carp interfaces.
> > >
> > > I have tried to put two different VIPs on my carp, but without luck.
> > >
> > > Here is the homework.
> > >
> > > [root@server ~]# uname -a
> > > OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
> > > [root@server ~]#
> > >
> > > [root@server ~]# cat /etc/hostname.em0
> > > inet 172.19.224.180 255.255.255.0
> > >
> > > [root@server ~]# cat /etc/hostname.em1
> > > inet 172.19.226.231 255.255.255.0 172.19.226.255
> > >
> > > [root@server ~]# cat /etc/hostname.carp0
> > > # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass Ahsooqu3
> > > inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass Meixo9oe
> > > # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass av5eG9Gi
> > > # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10 carpdev em0 pass Rei6thai
> > > # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10 carpdev em0 pass Toobohz3
> > > # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10 carpdev em0 pass Quahng6U
> > >
> > > CARP should look like this (master);
> > > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
> > > inet alias 172.19.224.131 255.255.255.255
> > > inet alias 172.19.224.41 255.255.255.255
> > > inet alias 172.19.224.40 255.255.255.255
> > > inet alias 172.19.224.181 255.255.255.255
> > > inet alias 172.19.224.182 255.255.255.255
> > >
> > > And (backup);
> > > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
> > > inet alias 172.19.224.131 255.255.255.255
> > > inet alias 172.19.224.41 255.255.255.255
> > > inet alias 172.19.224.40 255.255.255.255
> > > inet alias 172.19.224.181 255.255.255.255
> > > inet alias 172.19.224.182 255.255.255.255
> > >
> > > And yes, the subnet masks for the aliases should be /32 and you will see a warning in the logs during fail-over. This is fine, the devs just haven't muted the check warning yet.
> > >
> > > You've done it right if 'netstat -rn' shows;
> > >
> > > 172.19.224.131     127.0.0.1        UGHS  0  0  33152  8  lo0
> > > 172.19.224.131/32  172.19.224.131   U     0  0  -      4  carp0
> > >
> > > [root@server ~]# cat /etc/hostname.pfsync0
> > > up syncdev em1
> > >
> > > [root@server ~]# cat /etc/pf.conf
> > > ext_if="carp0"
> > >
> > > You don't refer to CARP as an interface, it is simply a VRRP watchdog interface (for example you cannot set the MTU on a CARP interface as it is not really an interface). Use the physical..
> > >
> > > ext_if="em0"
> > >
> > > set fingerprints "/etc/pf.os"
> > > set optimization aggressive
> > > set limit states 90000
> > >
> > > Definitely needs to be higher! Try 1 million..
> > >
> > > set limit src-nodes 65000
> > >
> > > table <bad_ip> persist
> > > table <internat_net> persist file "/etc/internal_net"
> > > table <admitted_net> persist file "/etc/admitted.txt"
> > >
> > > # vip1_address = "172.19.224.181"
> > > # vip2_address = "172.19.224.16"
> > > vip3_address = "172.19.224.131"
> > > # vip4_address = "172.19.224.41"
> > > # vip5_address = "172.19.224.40"
> > >
> > > Just to keep you sane remember these rules;
> > > # (SNAT) NATing is done before filtering, 'pass out on $if_ext from $external_carp_ip1' (public address as src for outbound).
> > > # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to $internal_ip1' (private address as dst for inbound).
> > >
> > > [image: OpenBSD_PF_flow]
> > >
> > > # Stop processing when it is the internal networks
> > > pass in quick from <internat_net> to any
> > >
> > > # Let through the IPs from the admitted networks
> > > # pass in quick from <admitted_net> to $vip1_address
> > > pass in quick from <admitted_net> to $vip3_address
> > >
> > > # Generate the block
> > > block in quick from <bad_ip>
> > >
> > > Your 'block in quick's should be above your 'pass in quick's! quick means stop evaluating and do this action now..
> > >
> > > block in log quick on $ext_if proto tcp from any os "NMAP" to any label ExtNMAPScan
> > >
> > > # Protection against nmap and similar tools
> > > # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> > > block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> > > block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> > > block in quick on $ext_if proto tcp flags /WEUAPRSF
> > > block in quick on $ext_if proto tcp flags SR/SR
> > > block in quick on $ext_if proto tcp flags SF/SF
> > > block in quick from urpf-failed
> > >
> > > # Apply DoS and SYN flood rules on site1
> > > # pass in log on $mob_if proto tcp to $vip1_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
> > >
> > > Be careful, Direct Server Return does require sloppy states but be aware that this totally undermines state security! You still need a firewall on the outside of the load balancer to sanitize the flows.. Catch 22 as you cannot have the load balancer (with DSR) on the same box as your PF filtering if you want load balancing (with DSR) and full security.. I.e. DSR and full state modulation/security are mutually exclusive..
> > >
> > > # Apply DoS and SYN flood rules on site2
> > > # pass in on $ext_if proto tcp to $vip2_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
> > >
> > > # Apply rules for site3
> > > pass in on $ext_if proto tcp to $vip3_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> > >
> > > # Apply DoS and SYN flood rules on site4
> > > # pass in on $ext_if proto tcp to $vip4_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> > >
> > > # Apply DoS and SYN flood rules on site5
> > > # pass in on $ext_if proto tcp to $vip5_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> > >
> > > # Anchor for relayd
> > > anchor "relayd/*"
> > >
> > > [root@server ~]# cat /etc/relayd.conf
> > > # Load balancing configuration file
> > >
> > > ## Global options
> > > interval 5
> > > timeout 500
> > > prefork 15
> > > log all
> > >
> > > ## VIP addresses
> > > # address1="172.19.224.16"
> > > # address2="172.19.224.181"
> > > address3="172.19.224.131"
> > > # address4="172.19.224.41"
> > > # address5="172.19.224.40"
> > >
> > > ## Server addresses
> > > wsapp1="172.19.224.200"
> > > wsapp2="172.19.224.201"
> > > webcache01="172.19.224.70"
> > > webcache02="172.19.224.71"
> > > webcache03="172.19.224.72"
> > > webcache04="172.19.224.73"
> > >
> > > ## Table definitions
> > > table <mobileweb> { $wsapp1 $wsapp2 }
> > > table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> > > table <webcaches1> { $webcache01 }
> > >
> > > ## Protocol definitions (filters)
> > >
> > > http protocol "httpSite1" {
> > >         header change "Connection" to "close"
> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > >         cookie hash "sessid"
> > > }
> > >
> > > http protocol "httpSite2" {
> > >         header change "Connection" to "close"
> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > >         cookie hash "sessid"
> > > }
> > >
> > > http protocol "httpSite3" {
> > >         header change "Connection" to "close"
> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > > }
> > >
> > > http protocol "httpSite4" {
> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > > }
> > >
> > > http protocol "httpSite5" {
> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > > }
> > >
> > > ## Relay definitions
> > >
> > > #relay site1 {
> > > #       listen on $address2 port 80
> > > #       protoc
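Andy's point about rule order ("your 'block in quick's should be above your 'pass in quick's") is easy to check with a small model of how pf walks a ruleset: the last matching rule wins, except that a matching rule marked quick ends evaluation on the spot. The script below is an added example, not part of the thread or of OpenBSD; it models only the three table rules from the posted pf.conf, the VIP address is the one from the thread, and the contents of the internal_net, admitted_net and bad_ip tables are constructed sample values (RFC 5737 documentation addresses), since the real table files are not on the page.

```python
"""Toy model of pf rule evaluation (last match wins, 'quick' short-circuits),
used to show why a 'block in quick from <bad_ip>' placed after a
'pass in quick from <admitted_net>' never fires for a host that is in both
tables.  Added example; not OpenBSD code and not the thread's own config.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed table contents.  The VIP comes from the thread; the admitted and
# bad networks are made-up documentation addresses (assumption, not the real
# /etc/admitted.txt or /etc/internal_net contents).
TABLES = {
    "internal_net": [ip_network("172.19.224.0/24")],
    "admitted_net": [ip_network("203.0.113.0/24")],
    "bad_ip": [ip_network("203.0.113.7/32")],
}
VIP3 = ip_address("172.19.224.131")  # $vip3_address in the posted pf.conf


def in_table(name: str, addr: IPv4Address) -> bool:
    """True if addr falls inside any network of the named table."""
    return any(addr in net for net in TABLES[name])


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool                       # the pf 'quick' keyword
    src: Optional[str] = None         # source table name, None means "any"
    dst: Optional[IPv4Address] = None # destination host, None means "any"
    label: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.src is not None and not in_table(self.src, src):
            return False
        if self.dst is not None and dst != self.dst:
            return False
        return True


def evaluate(ruleset, src: IPv4Address, dst: IPv4Address, default="pass"):
    """Walk the ruleset the way pf does for an inbound packet: remember the
    last matching rule, but stop immediately when a matching rule is quick.
    pf's implicit default is to pass, which is why the posted order matters."""
    decision = (default, "implicit default")
    for rule in ruleset:
        if rule.matches(src, dst):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# The order as posted in the thread: both pass quick rules come first.
POSTED_ORDER = [
    Rule("pass", True, "internal_net", None, "pass in quick from <internat_net>"),
    Rule("pass", True, "admitted_net", VIP3, "pass in quick from <admitted_net> to $vip3_address"),
    Rule("block", True, "bad_ip", None, "block in quick from <bad_ip>"),
]

# The order Andy recommends: the block quick rule moves to the top.
FIXED_ORDER = [
    Rule("block", True, "bad_ip", None, "block in quick from <bad_ip>"),
    Rule("pass", True, "internal_net", None, "pass in quick from <internat_net>"),
    Rule("pass", True, "admitted_net", VIP3, "pass in quick from <admitted_net> to $vip3_address"),
]


def decide(ruleset, src: str, dst: str) -> str:
    """Convenience wrapper: return just the action for string addresses."""
    return evaluate(ruleset, ip_address(src), ip_address(dst))[0]


if __name__ == "__main__":
    for name, rs in (("posted order", POSTED_ORDER), ("fixed order", FIXED_ORDER)):
        bad = evaluate(rs, ip_address("203.0.113.7"), VIP3)
        clean = evaluate(rs, ip_address("203.0.113.9"), VIP3)
        print(f"{name}: bad_ip host inside admitted_net -> {bad[0]} ({bad[1]})")
        print(f"{name}: clean admitted host            -> {clean[0]} ({clean[1]})")
```

With the posted order, a host that is listed in both admitted_net and bad_ip is passed to the VIP because the pass quick rule matches first and evaluation stops there; the block rule only ever sees traffic that no earlier quick rule claimed. Moving the block quick rule above the pass quick rules gives the blocklist the precedence Leonardo intended, without changing what happens to hosts in neither table.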