Re: OpenOSPFd and CARP Masters
I'm not sure, because at that point I gave up on CARP completely and just let OSPF fail over to the secondary firewall if the first stops working.

-brian

On Oct 1, 2013, at 10:01, Andy a...@brandwatch.com wrote:

> On 01/10/13 14:32, Brian Hechinger wrote:
>> On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
>>> Also, is there no way to have the CARP IP be the IP which is advertised as the neighbor, ensuring that traffic is always sent to the CARP IP instead (I would MUCH prefer this!)?
>>
>> I spent an enormous amount of time trying to answer this same question. What I ended up coming up with was that the answer was definitely not. It's unfortunate and I no longer remember the exact reason why. I wish I were wrong. Using the CARP interface for OSPF would be wonderful.
>>
>> -brian
>
> I couldn't agree more!
>
> Is there a way of ensuring that the CARP master is the one which is FULL/DR, and the CARP backup is FULL/BDR? At the moment I seem to have some of my CARP backup firewalls being the Designated Router.
>
> Cheers, Andy.
Re: CARP + OSPF help needed
On 8/21/2012 4:38 AM, Tobias Crefeld wrote:
> We have another setup, especially without Cisco but with CARP and OSPF as well. Very generally speaking: real interfaces should get configured if they connect OSPF-enabled routers. And CARP interfaces should only get configured with the option { passive }. If they belong to the same network it might be necessary to play with metrics. In that case it's often better to leave out the CARP interfaces because the Ciscos don't need them - they have OSPF to handle load balancing or failover of the OpenBSD boxes. But ok, I understand that you prefer CARP in order to make pf keep track of open connections during failover.

Well, it seems that carp isn't actually needed for pfsync (at least not in this setup so far that I've found) to work correctly, and just relying on OSPF seems to do the trick. There is a short delay of a couple of seconds while the routes update, but it's not terribly annoying (and obviously won't happen often).

Thanks!

> BTW: Using ospfctl reload after a change in configuration or network topology sometimes has no effect. It might be necessary to kill and restart ospfd.

Interesting and good to know.

-brian
CARP + OSPF help needed
Hello misc,

I'm trying to replace my single OpenBSD firewall with a pair of redundant firewalls. I've been testing this (thanks to the power of VMware) and so far haven't gotten it to work the way I want/need.

My current setup is:

(Cisco router) - (OpenBSD) - (Cisco switch running layer 3 routing)

There are a variety of 10.x.x.x subnets floating around, so OSPF was implemented to manage that. All three devices run OSPF. In its current setup it all works very well.

In my testing of using a pair of boxes with carp/pfsync I've run into a bit of a snag. I've read every google result I can in an attempt to figure this out but have come up empty. Everything I've found is either too vague or isn't offering the solution to the same scenario I'm attempting to set up.

I'd like OSPF to hand out the carp addresses to the routing tables so that pfsync can work its magic when a firewall goes down. What I've managed to accomplish is one of two things:

1) OSPF doesn't work at all and never peers up with its neighbor
2) OSPF works, but hands out both IPs from the physical interfaces and not the carp interface

Does anyone have any experience with getting this setup working? I can provide configurations done on the openbsd boxes, but really it's nothing special that I've done.

-brian
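An added example, not from either thread above, that puts Tobias's advice (physical interfaces speak OSPF, carp(4) interfaces are only advertised as passive) next to a check for the problem Andy describes in the OpenOSPFd thread (a CARP backup that ends up as Designated Router). The first part prints an ospfd.conf for one box; the keywords passive, router-priority and "depend on" are assumed from ospfd.conf(5), so confirm them against the man page on your release. The second part reads the local CARP state and the local OSPF interface state and reports whether they agree. Interface names (em1/em2, carp1/carp2), addresses, and the two sample command outputs are constructed for the example; run it with the argument "live" on a real box to read ifconfig and ospfctl instead.

```sh
#!/bin/sh
# Added example for the CARP + OSPF threads; not code from the list posts.
# Part 1: ospfd_conf prints an ospfd.conf where the physical interfaces are
#   the OSPF-speaking ones and the carp(4) interfaces are "passive". It also
#   sets router-priority on the physical interfaces so the intended CARP
#   master wins the DR election, and ties each physical interface to its
#   carp interface with "depend on" so a CARP backup advertises a worse
#   metric. ASSUMPTION: passive, router-priority and "depend on" are taken
#   from ospfd.conf(5); verify on your release.
# Part 2: check_dr_alignment compares the local CARP state with the local
#   OSPF interface state to catch a CARP backup that is the DR.
# Interface names, addresses and both sample outputs are constructed.

PHYS_IFS="em1 em2"

# Map a physical interface to the carp interface riding on it (constructed).
carp_of() {
    case $1 in
        em1) echo carp1 ;;
        em2) echo carp2 ;;
        *)   echo "" ;;
    esac
}

# Print ospfd.conf for this box. $1 = router-priority for the physical
# interfaces (higher wins DR; give the intended master the larger value),
# $2 = router-id.
ospfd_conf() {
    prio=$1; rid=$2
    printf 'router-id %s\n\n' "$rid"
    printf 'area 0.0.0.0 {\n'
    for ifn in $PHYS_IFS; do
        carp=$(carp_of "$ifn")
        printf '\tinterface %s {\n' "$ifn"
        printf '\t\trouter-priority %s\n' "$prio"
        printf '\t\tdepend on %s\n' "$carp"
        printf '\t}\n'
        printf '\tinterface %s { passive }\n' "$carp"
    done
    printf '}\n'
}

# Constructed sample of "ifconfig carp1" on the backup box.
CARP_SAMPLE='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255'

# Constructed sample of "ospfctl show interface" on the same box.
OSPF_SAMPLE='Interface   Address            State  HelloTimer Linkstate  Uptime    nc  ac
em1         10.0.1.3/24        DR     00:00:03   active     00:14:02   1   1
em2         10.0.2.3/24        BDR    00:00:06   active     00:14:02   1   1
carp1       10.0.1.1/24        DOWN   -          active     00:14:02   0   0'

# MASTER or BACKUP, taken from the "carp:" line of ifconfig output ($1).
carp_state() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ { print $2; exit }'
}

# OSPF interface state (DR, BDR, OTHER, DOWN, ...) of interface $2, taken
# from "ospfctl show interface" output ($1).
ospf_if_state() {
    printf '%s\n' "$1" | awk -v i="$2" '$1 == i { print $3; exit }'
}

# $1 = CARP state, $2 = OSPF state of the carpdev.
# Returns 0 when the roles agree, 1 when the backup is DR (the reported
# problem), 2 when this box alone cannot tell (e.g. a Cisco holds DR).
check_dr_alignment() {
    case "$1/$2" in
        MASTER/DR|BACKUP/BDR) echo "ok: CARP $1, OSPF $2"; return 0 ;;
        BACKUP/DR) echo "MISMATCH: CARP backup is the DR"; return 1 ;;
        *) echo "inconclusive: CARP $1, OSPF $2; check the neighbours"; return 2 ;;
    esac
}

# "live" reads the running system; anything else uses the samples.
main() {
    if [ "$1" = live ]; then
        carp_out=$(ifconfig carp1)
        ospf_out=$(ospfctl show interface)
    else
        carp_out=$CARP_SAMPLE
        ospf_out=$OSPF_SAMPLE
    fi
    check_dr_alignment "$(carp_state "$carp_out")" "$(ospf_if_state "$ospf_out" em1)"
}

status=0
main "${1:-sample}" || status=$?
# With the samples, status is 1: the backup box holds DR on em1.
```

To use part 1, run `ospfd_conf 200 10.0.0.2 > /tmp/ospfd.conf` on the intended master and `ospfd_conf 100 10.0.0.3` on the backup, then check the file with `ospfd -n -f /tmp/ospfd.conf` before installing it (the -n configtest flag is assumed from ospfd(8)). The check in part 2 only sees one box, so a result of 2 is not an error: when the Cisco wins the election both firewalls will show OTHER, and you need ospfctl show neighbor on the peers to see who is DR.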
Re: OpenBSD forked
On 6/21/2012 9:56 AM, Jan Stary wrote:
> On Jun 21 16:35:16, Paul Irofti wrote:
>> On Thu, Jun 21, 2012 at 08:26:31AM -0400, Kenneth R Westerback wrote:
>>> On Wed, Jun 20, 2012 at 09:16:24PM +0200, Otto Moerbeek wrote:
>>>> On Wed, Jun 20, 2012 at 11:39:44AM -0500, John wrote:
>>>>> On Wed, Jun 20, 2012 at 08:28:22AM +0530, Jay Patel wrote:
>>>>>> Hi all users, I am a user too. Thanks Cody. I am learning C too, from C Primer Plus. Any thoughts from devs on which we should read?
>>>>>
>>>>> You may want to give this a try: http://c.learncodethehardway.org/book/learn-c-the-hard-way.html
>>>>>
>>>>> John
>>>>
>>>> IMO the most valuable book is Kernighan & Ritchie, The C Programming Language.
>>>>
>>>> -Otto
>>>
>>> +1
>>
>> Pff... that's so 80's... Cool kids these days want ``C in 21 days'' or some crap like that.
>
> Learn C in 21 years!

Read APUE. If you can't program C after that you are broken. That may just take 21 years though. :)

-brian
Re: OpenBSD is just an OS, not a firewall...
On 6/8/2012 1:55 PM, Chris Smith wrote:
>> ... if you really want a firewall you need pfSense. Also if you walk into any security experts convention and claim that raw OpenBSD is a firewall, you will get laughed out of the room for lack of clue.
>
> Guess I've been wrong all these years: see the comments to https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe

I cannot press the +1 button on your response hard enough. And there is no +5 button. If I could be bothered to set up a G+ account I would be right there with him.

-brian
Bridging and ESXi
I'm attempting to set up a transparent bridge on an OpenBSD 5.0 VM running under ESXi 5.0. There is one vmnic with two Virtual Machine Port Groups, one for each side of the bridge, set to a different VLAN ID. The port groups are set to accept promiscuous traffic.

Under OpenBSD the interfaces are em1 and em2. If I put IPs on them I can ping the devices that are supposed to talk through this bridge. If I put them into a bridge I get nothing.

Anyone know where I should be looking here to figure out why this isn't working?

-brian
Re: Bridging and ESXi
On Nov 23, 2011, at 19:45, Josh Grosse j...@jggimi.homeip.net wrote:

> On Wed, Nov 23, 2011 at 04:41:09PM -0500, Brian Hechinger wrote:
>> Anyone know where I should be looking here to figure out why this isn't working?
>
> Brian, I don't know if you've received other advice yet, but the key here is to -post- configuration information. For example, your dmesg and your hostname.bridge0 config file. That way, people can look at your configuration rather than guessing.

You are correct. I was rushing out the door and in turn rushed my email. That was wrong of me.

> I'll guess your configuration is missing an up ifconfig setting, which I recall is explicitly required for the bridge to forward packets. See the BRIDGE section in the ifconfig(8) man page.

Unfortunately you would be wrong. I should have prefaced my email at the very least with the fact that I have set up bridging openbsd boxes before and do know how to do it, as well as the fact that we beat all the basics to death in #openbsd on FreeNode.

hostname.em1:
up

hostname.em2:
up

hostname.bridge0:
add em1
add em2
up

Stock pf.conf. I can copy and paste the output of ifconfig tomorrow, but you won't see anything unusual there.

Playing around a bit more by putting logging on pf, it looks like the packets aren't making it to the openbsd box, so this could very well be a VMware issue. Unless openbsd is dropping them before pf gets them, but that strikes me as rather unlikely.

-brian