Re: FreeBSD 10-STABLE and CARP states

2014-04-02 Thread mxb

Moving this to freebsd-pf.

On 31 mar 2014, at 22:21, mxb  wrote:

> 
> Manually setting net.inet.carp.demotion brought BOTH VHIDs into the desired state.
> pfsync bulk update seems to not put everything back as it should.
> 
> lagg0: flags=8943 metric 0 mtu 9000
>   options=8407bb
>   ether 00:25:90:e3:71:f2
>   inet 172.16.0.234 netmask 0xf800 broadcast 172.16.7.255
>   inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
>   inet 172.16.0.231 netmask 0xf800 broadcast 172.16.7.255 vhid 201
>   inet 172.16.0.233 netmask 0xf800 broadcast 172.16.7.255 vhid 202
>   nd6 options=29
>   media: Ethernet autoselect
>   status: active
>   carp: MASTER vhid 201 advbase 1 advskew 1
>   carp: BACKUP vhid 202 advbase 5 advskew 100
>   laggproto lacp lagghash l2,l3,l4
>   laggport: ix1 flags=1c
>   laggport: ix0 flags=1c
> 
> 
> On 31 mar 2014, at 20:42, mxb  wrote:
> 
>> 
>> Hi list,
>> 
>> hopefully this is the right place to have my question regarding CARP on 
>> 10-STABLE.
>> 
>> I have two nodes with the following setup (node1):
>> 
>> lagg0: flags=8943 metric 0 mtu 9000
>>  options=8407bb
>>  ether 00:25:90:e3:71:f2
>>  inet 172.16.0.234 netmask 0xf800 broadcast 172.16.7.255
>>  inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
>>  inet 172.16.0.231 netmask 0xf800 broadcast 172.16.7.255 vhid 201
>>  inet 172.16.0.233 netmask 0xf800 broadcast 172.16.7.255 vhid 202
>>  nd6 options=29
>>  media: Ethernet autoselect
>>  status: active
>>  carp: BACKUP vhid 201 advbase 1 advskew 1
>>  carp: BACKUP vhid 202 advbase 5 advskew 100
>>  laggproto lacp lagghash l2,l3,l4
>>  laggport: ix1 flags=1c
>>  laggport: ix0 flags=1c
>> 
>> net.inet.carp.preempt=1 on both nodes, as well as PFSYNC like this:
>> 
>> pfsync0: flags=41 metric 0 mtu 1500
>>  pfsync: syncdev: vlan22 syncpeer: 10.22.22.2 maxupd: 128 defer: off
>> 
>> The problem is (if it is not clear from the ifconfig-output for the lagg0) 
>> the state of VHID 201.
>> Node2 with advskew of 100 is currently MASTER, but it SHOULD NOT be as of setup.
>> 
>> Am I hitting a bug or doing something wrong?
>> 
>> I also have noted that after the pfsync bulk update the demotion counter 
>> never sets to 0, but stays on 480,
>> thus preventing node1 from becoming a MASTER 201(?). Or is this a normal behavior?
>> 
>> Regards,
>> mxb
>> 
>> 
> 

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
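
Added example (not part of the original messages): a small sh/awk check showing why a demotion counter stuck at 480 keeps node1 in BACKUP for VHID 201. It assumes FreeBSD's behaviour of advertising advskew plus net.inet.carp.demotion, capped at 240, and a peer with the same advbase and no demotion of its own; `carp_check` and `sample_ifconfig` are hypothetical names, and the sample input is constructed from the carp lines quoted above.

```sh
#!/bin/sh
# Added example: predict a CARP election from ifconfig output and the
# demotion counter. Assumption: the advertised skew is
# advskew + net.inet.carp.demotion, capped at CARP_MAXSKEW (240).
CARP_MAXSKEW=240

# Usage: ifconfig lagg0 | carp_check DEMOTION VHID PEER_ADVSKEW
# Prints one line for VHID; exit status 1 if this node would not win
# against a peer advertising PEER_ADVSKEW (same advbase, peer not demoted).
carp_check() {
    awk -v demotion="$1" -v vhid="$2" -v peer="$3" -v max="$CARP_MAXSKEW" '
    $1 == "carp:" {
        # Fields after the state come in "name value" pairs.
        for (i = 3; i < NF; i += 2) f[$i] = $(i + 1)
        if (f["vhid"] != vhid) next
        eff = f["advskew"] + demotion
        if (eff > max) eff = max
        verdict = (eff < peer) ? "wins" : "loses"
        if (verdict == "loses") bad = 1
        printf "vhid=%s state=%s advskew=%s effective=%s verdict=%s\n",
            f["vhid"], $2, f["advskew"], eff, verdict
    }
    END { exit bad + 0 }'
}

# Constructed sample: node1 lagg0 lines as posted in the thread.
sample_ifconfig() {
    cat <<'EOF'
lagg0: flags=8943 metric 0 mtu 9000
        inet 172.16.0.231 netmask 0xf800 broadcast 172.16.7.255 vhid 201
        carp: BACKUP vhid 201 advbase 1 advskew 1
        carp: BACKUP vhid 202 advbase 5 advskew 100
EOF
}

# Demotion stuck at 480 (as reported) against node2 with advskew 100:
sample_ifconfig | carp_check 480 201 100 ||
    echo "demotion counter is holding this node in BACKUP"
# Same node once the counter is back at 0:
sample_ifconfig | carp_check 0 201 100
```

On a live node the inputs would come from `ifconfig lagg0` and `sysctl -n net.inet.carp.demotion`.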


Re: FreeBSD 10-STABLE and CARP states

2014-04-02 Thread mxb

OK, thanks to everyone who replied. E.g. NONE.

The problem seems to be related to LACP trunking.
Disabling LACP and configuring the trunk in ‘loadbalance’ mode puts all in the desired 
state (even after reboot).

lagg0: flags=8943 metric 0 mtu 9000
        options=8407bb
        ether 00:25:90:e3:71:f2
        inet 172.16.0.234 netmask 0xf800 broadcast 172.16.7.255
        inet6 fe80::225:90ff:fee3:71f2%lagg0 prefixlen 64 scopeid 0x5
        inet 172.16.0.231 netmask 0xf800 broadcast 172.16.7.255 vhid 201
        inet 172.16.0.233 netmask 0xf800 broadcast 172.16.7.255 vhid 202
        nd6 options=29
        media: Ethernet autoselect
        status: active
        carp: MASTER vhid 201 advbase 1 advskew 1
        carp: BACKUP vhid 202 advbase 5 advskew 100
        laggproto loadbalance lagghash l2,l3,l4
        laggport: ix1 flags=4
        laggport: ix0 flags=4
vlan2: flags=8943 metric 0 mtu 9000
        options=303
        ether 00:25:90:e3:71:f2
        inet 10.11.11.201 netmask 0xff00 broadcast 10.11.11.255
        inet6 fe80::225:90ff:fee3:71f2%vlan2 prefixlen 64 scopeid 0x6
        inet 10.11.12.203 netmask 0xff00 broadcast 10.11.12.255 vhid 12
        nd6 options=29
        media: Ethernet autoselect
        status: active
        vlan: 2 parent interface: lagg0
        carp: BACKUP vhid 12 advbase 1 advskew 100

//mxb
 


Re: LACP lagg and CARP - ENETDOWN (was: FreeBSD 10-STABLE and CARP states)

2014-04-04 Thread mxb

According to my own research around this problem,
ip_output() at line 839 of ip_carp.c returns ENETDOWN when lagg is configured 
in LACP mode.



Re: psync for sshguard table sync on several hosts

2016-10-11 Thread mxb

Use BGP to distribute the list of IP addresses.
Like it is done at http://bgp-spamd.net/

//mxb

> On 11 okt. 2016, at 19:59, Zeus Panchenko  wrote:
> 
> hi,
> 
> please advise
> 
> I think of pfsync-ing sshguard table content among several hosts to get
> one big table on each host, since IP blocked on one host I want to be
> blocked on all others automatically (all hosts are terminated in one
> VPN) ...
> 
> am I correct to consider pfsync as the right way to get that?
> 
> --
> Zeus V. Panchenko jid:z...@im.ibs.dn.ua
> IT Dpt., I.B.S. LLC GMT+2 (EET)
> 


Re: pfsync for sshguard table sync on several hosts

2016-10-12 Thread mxb

> On 12 okt. 2016, at 09:05, Zeus Panchenko  wrote:
> 
> isn't pfsync aimed at tasks like this one?

No, it is not.
PFSync is for replicating states between two or more nodes (firewalls).

