Re: IPv6 and CARP crashes boxes
Meant to reply to this at the time, but have been away...

> Has anyone else run into problems when using IPv6 + CARP?

I ran into some - aliases on a CARP interface did not seem to work properly - but if you work around that then it appears to work fine. We are using it in production with no problems.

> I plan to hold a presentation at work on IP6 and why we should start using it, however I cannot promote the use of IP6 without redundancy between firewalls like we currently do with CARP + pfsync.

The redundancy with pfsync works properly - an ssh session is maintained through the firewalls when they fail over. I configure my machines to use a pair of carp interfaces on each physical port, so I am not mixing IPv4 and IPv6 on the same interface. I only did that as an experiment when I was trying to work around the aliases problem, but have kept it for tidiness.

Basically our experience of the setup has been very positive - our main connectivity issues have come from the HE/Cogent peering squabble rather than any FreeBSD/Carp/PF failing.

cheers,

-pete.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: IPv6 and CARP crashes boxes
On 6/12/12 2:48 PM, Pete French wrote:

> Meant to reply to this at the time, but have been away...
>
>> Has anyone else run into problems when using IPv6 + CARP?
>
> I ran into some - aliases on a CARP interface did not seem to work properly - but if you work around that then it appears to work fine. We are using it in production with no problems.
>
>> I plan to hold a presentation at work on IP6 and why we should start using it, however I cannot promote the use of IP6 without redundancy between firewalls like we currently do with CARP + pfsync.
>
> The redundancy with pfsync works properly - an ssh session is maintained through the firewalls when they fail over. I configure my machines to use a pair of carp interfaces on each physical port, so I am not mixing IPv4 and IPv6 on the same interface. I only did that as an experiment when I was trying to work around the aliases problem, but have kept it for tidiness.
>
> Basically our experience of the setup has been very positive - our main connectivity issues have come from the HE/Cogent peering squabble rather than any FreeBSD/Carp/PF failing.
>
> cheers,
>
> -pete.

Thanks for the feedback Pete, what are you running? We're on 8-STABLE here.

I've got some spare time on my hands actually, I'm gonna try some more today, both on an ipv6-only carp, then on a v4+v6.
Re: IPv6 and CARP crashes boxes
> Thanks for the feedback Pete, what are you running? We're on 8-STABLE here.

Yup, same here - actually running a very recent STABLE now, but for most of this year it's been on one from January. The one running on the firewalls is from May 7th, and that works beautifully.

> I've got some spare time on my hands actually, I'm gonna try some more today, both on an ipv6-only carp, then on a v4+v6.

Ok, let us know how you get on - the config here is very simple, reproduced below for your viewing pleasure ;) This is from the 'active' firewall:

ifconfig_em0="inet 10.32.10.1/16"
ipv6_ifconfig_em0="2a02:1658:1:2:a32f::1/64"
ifconfig_em1="inet 178.250.73.196/27"
ipv6_ifconfig_em1="2a02:1658:1:1::1:2/64"
ifconfig_carp0="vhid 10 pass 10.32.10.6/16"
ifconfig_carp1="vhid 20 pass 178.250.73.198/27"
ipv6_ifconfig_carp2="vhid 30 pass 2a02:1658:1:2:a32f::6/64"
ipv6_ifconfig_carp3="vhid 40 pass 2a02:1658:1:1::1:1/64"

-pete.
Re: IPv6 and CARP crashes boxes
On 6/12/2012 19:48, Pete French wrote:

> I ran into some - aliases on a CARP interface did not seem to work properly - but if you work around that then it appears to work fine. We are using it in production with no problems.

I have noticed this issue (CARP + IPv4 aliases) with older (pre 9.x) versions of FreeBSD.

I maintain some legacy 6.2 servers and had to eventually add ifconfig statements inside rc.local to get the links to coalesce. 6.2 appears to ignore _aliasn directives entirely inside rc.conf, and has real issues if you add/delete aliases to a CARP interface while it's up (both peers end up thinking they're MASTER).

In 9.x it all works as expected at least for IPv4 (rc.conf carpn_aliasn entries, aliases, on the fly reconfiguring).

--
Adam Strohl
http://www.ateamsystems.com/
Re: IPv6 and CARP crashes boxes
> I have noticed this issue (CARP + IPv4 aliases) with older (pre 9.x) versions of FreeBSD.

Ah, just to be clear, the only problems I had with aliases were IPv6 - it always worked properly with IPv4. But I didn't try on anything pre 8.1!

-pete.
Re: IPv6 and CARP crashes boxes
On 6/12/2012 20:08, Pete French wrote:

>> I have noticed this issue (CARP + IPv4 aliases) with older (pre 9.x) versions of FreeBSD.
>
> Ah, just to be clear, the only problems I had with aliases were IPv6 - it always worked properly with IPv4. But I didn't try on anything pre 8.1!
>
> -pete.

Doh, I caught this just as I hit send :P

--
Adam Strohl
http://www.ateamsystems.com/
Re: IPv6 and CARP crashes boxes
On 6/12/12 3:03 PM, Pete French wrote:

>> Thanks for the feedback Pete, what are you running? We're on 8-STABLE here.
>
> Yup, same here - actually running a very recent STABLE now, but for most of this year it's been on one from January. The one running on the firewalls is from May 7th, and that works beautifully.

Hmmm you might want to update again then, 2 SAs published late in May:

http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc

>> I've got some spare time on my hands actually, I'm gonna try some more today, both on an ipv6-only carp, then on a v4+v6.
>
> Ok, let us know how you get on - the config here is very simple, reproduced below for your viewing pleasure ;) This is from the 'active' firewall:
>
> ifconfig_em0="inet 10.32.10.1/16"
> ipv6_ifconfig_em0="2a02:1658:1:2:a32f::1/64"
> ifconfig_em1="inet 178.250.73.196/27"
> ipv6_ifconfig_em1="2a02:1658:1:1::1:2/64"
> ifconfig_carp0="vhid 10 pass 10.32.10.6/16"
> ifconfig_carp1="vhid 20 pass 178.250.73.198/27"
> ipv6_ifconfig_carp2="vhid 30 pass 2a02:1658:1:2:a32f::6/64"
> ipv6_ifconfig_carp3="vhid 40 pass 2a02:1658:1:1::1:1/64"
>
> -pete.

Thanks, will keep the thread updated ;)
Re: IPv6 and CARP crashes boxes
On 6/12/12 3:05 PM, Adam Strohl wrote:

> On 6/12/2012 19:48, Pete French wrote:
>
>> I ran into some - aliases on a CARP interface did not seem to work properly - but if you work around that then it appears to work fine. We are using it in production with no problems.
>
> I have noticed this issue (CARP + IPv4 aliases) with older (pre 9.x) versions of FreeBSD.
>
> I maintain some legacy 6.2 servers and had to eventually add ifconfig statements inside rc.local to get the links to coalesce. 6.2 appears to ignore _aliasn directives entirely inside rc.conf, and has real issues if you add/delete aliases to a CARP interface while it's up (both peers end up thinking they're MASTER).
>
> In 9.x it all works as expected at least for IPv4 (rc.conf carpn_aliasn entries, aliases, on the fly reconfiguring).

Like Pete, we haven't experienced problems related to aliases either here.

Running on a variety of 8.1-RELEASE, 8.2-PRERELEASE, 8.2-RELEASE, and now thankfully 8.3-STABLE ;)
Re: IPv6 and CARP crashes boxes
On 5/31/2012 5:31 PM, Damien Fleuriot wrote:

> On 31 May 2012, at 22:31, Adrian Chadd adr...@freebsd.org wrote:
>
>> On 31 May 2012 06:42, Damien Fleuriot m...@my.gd wrote:
>>
>>> Hey list,
>>>
>>> The thread about Why Are You Using FreeBSD, listing the pros and cons of FBSD, has brought back a topic to mind.
>>>
>>> Recently (read, 3 months ago) I was experimenting with IPv6 and CARP on 8.x boxes and that crashed them both.
>>>
>>> I posted a thread on -net and, sadly, never got a single reply.
>>
>> Did you file a PR? Chances are bz (IPv6 maintainer) has just been very busy. :-)
>
> I was actually trying to get some feedback on -net and see if anyone had encountered the problem before filing a PR.
>
> I guess I'll reproduce the problem, file a PR, then post here so we can discuss it and make things move forward.

We (pfSense) patch things here and there, especially when it comes to CARP, but we haven't seen any crashes with CARP+IPv6 on pfSense 2.1-DEVELOPMENT (now BETA0) since we moved to a base OS of FreeBSD 8.3-RELEASE. It was fairly trivial to crash/hang 8.1 with v6 in general even without CARP.

There are several CARP+IPv6 clusters running pfSense 2.1 in the wild handling production traffic like champs.[1]

You might have a look at this IPv6 status sheet we try to keep updated:
https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHlKV2F5SENULWk2NTVvQTBtQ2M0dEE

Our patches might also be of interest:
https://github.com/bsdperimeter/pfsense-tools/blob/master/builder_scripts/patches.RELENG_8_3
https://github.com/bsdperimeter/pfsense-tools/tree/master/patches/RELENG_8_3

Jim

[1] With a static setup, some work is still happening to make CARP RA work for automatic configuration.
IPv6 and CARP crashes boxes
Hey list,

The thread about Why Are You Using FreeBSD, listing the pros and cons of FBSD, has brought back a topic to mind.

Recently (read, 3 months ago) I was experimenting with IPv6 and CARP on 8.x boxes and that crashed them both.

I posted a thread on -net and, sadly, never got a single reply.

Has anyone else run into problems when using IPv6 + CARP?

I plan to hold a presentation at work on IP6 and why we should start using it, however I cannot promote the use of IP6 without redundancy between firewalls like we currently do with CARP + pfsync.

I can, of course, post additional information as required.
Re: IPv6 and CARP crashes boxes
On 31 May 2012 06:42, Damien Fleuriot m...@my.gd wrote:

> Hey list,
>
> The thread about Why Are You Using FreeBSD, listing the pros and cons of FBSD, has brought back a topic to mind.
>
> Recently (read, 3 months ago) I was experimenting with IPv6 and CARP on 8.x boxes and that crashed them both.
>
> I posted a thread on -net and, sadly, never got a single reply.

Did you file a PR? Chances are bz (IPv6 maintainer) has just been very busy. :-)

Adrian
Re: IPv6 and CARP crashes boxes
On 31 May 2012, at 22:31, Adrian Chadd adr...@freebsd.org wrote:

> On 31 May 2012 06:42, Damien Fleuriot m...@my.gd wrote:
>
>> Hey list,
>>
>> The thread about Why Are You Using FreeBSD, listing the pros and cons of FBSD, has brought back a topic to mind.
>>
>> Recently (read, 3 months ago) I was experimenting with IPv6 and CARP on 8.x boxes and that crashed them both.
>>
>> I posted a thread on -net and, sadly, never got a single reply.
>
> Did you file a PR? Chances are bz (IPv6 maintainer) has just been very busy. :-)
>
> Adrian

I was actually trying to get some feedback on -net and see if anyone had encountered the problem before filing a PR.

I guess I'll reproduce the problem, file a PR, then post here so we can discuss it and make things move forward.