I've been running 3.9 in a CARP pair for my firewalls.
So I upgrade the box (well, rebuild it from scratch using the new CD),
and things seem fine on the first login. I fix up all the config
files so that all the 3.9 settings are in place, and make sure to pay
attention to the settings that are new (like ipsec=NO in rc.conf).
I test a failover and find that the interfaces are failing over
individually. So I check the sysctl.conf setting for carp preempt and
it is set to 1, which is good, but also a bit confusing.
A little more investigation and I find the system isn't forwarding
packets at all, despite the setting in sysctl.conf (and also in the
kernel, according to the sysctl command). Check the following console
output:
# uname -a
OpenBSD nuffi.nough.com 4.0 GENERIC#1107 i386
# date
Tue Nov 14 02:01:52 EST 2006
# tcpdump -nettt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel
# date
Tue Nov 14 02:03:29 EST 2006
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
# sysctl net.inet.ip.forwarding=0
net.inet.ip.forwarding: 1 -> 0
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# cat /etc/sysctl.conf | grep forward | grep -v 6
net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
# sysctl net.inet.carp.preempt
net.inet.carp.preempt=1
tcpdump shows the phase 2 VPN traffic coming back into the box from the
peers on the external interface, but none are properly established.
I thought that the only thing that I needed to turn on for packet
forwarding was that setting in sysctl.conf... Is there something that
I am missing?
If a system you'd built was doing this, what would you do next?
TIA
Nuffnough
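An added example, not from the post above and not OpenBSD's own code: a small POSIX shell checklist of the states that all have to hold before a CARP firewall like the one described will forward traffic (forwarding on in the running kernel, pf enabled, the node actually MASTER, and phase 2 SAs present). Each check reads one command's output on stdin, so it can be exercised offline against the constructed sample outputs below; the output formats are assumed to match the OpenBSD 4.0-era sysctl, pfctl -si, ifconfig and ipsecctl -sa, and the carp0 interface name in the live mode is an assumption too. The sysctl.conf parser also copes with the "key=1# comment" form seen in the post, where the tab before the comment was lost.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSD): a forwarding
# checklist for an OpenBSD CARP firewall. Every check_*/count_* function
# reads one command's output on stdin; run with --live to feed it the real
# commands (assumed command output formats and interface names, see below).

# Value of key $1 in sysctl.conf text: comments and whitespace stripped, so
# both "key=1   # comment" and the damaged "key=1# comment" give "1".
# Prints nothing if the key is only present commented out.
sysctl_conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | awk -F= -v k="$1" '$1 == k { print $2 }' | tail -n 1
}

# Running-kernel check: output of `sysctl net.inet.ip.forwarding`.
check_forwarding() {
    grep -q '^net\.inet\.ip\.forwarding=1$'
}

# pf state: `pfctl -si` starts with "Status: Enabled ..." or "Status: Disabled ...".
check_pf_enabled() {
    grep -q '^Status: Enabled'
}

# CARP role from `ifconfig carpN`: prints MASTER, BACKUP or INIT.
carp_state() {
    sed -n 's/.*carp: \([A-Z]*\) .*/\1/p' | head -n 1
}

# Number of ESP SAs in `ipsecctl -sa` output; 0 means no phase 2 completed.
count_esp_sas() {
    grep -c '^esp ' || :
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_SYSCTL_CONF='#net.inet.ip.mforwarding=1   # 1=Permit forwarding of IPv4 multicast packets
net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of IPv4 packets
net.inet.carp.preempt=1    # 1=Enable carp(4) preemption'
SAMPLE_PFCTL='Status: Enabled for 0 days 01:02:03           Debug: Urgent'
SAMPLE_CARP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_IPSECCTL='FLOWS:
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.5 type use
SAD:
No entries'

# Offline demonstration against the samples.
echo "sysctl.conf forwarding: $(printf '%s\n' "$SAMPLE_SYSCTL_CONF" \
    | sysctl_conf_value net.inet.ip.forwarding)"
printf '%s\n' "$SAMPLE_PFCTL" | check_pf_enabled \
    && echo "pf: enabled" || echo "pf: DISABLED"
echo "carp: $(printf '%s\n' "$SAMPLE_CARP" | carp_state)"
echo "esp SAs: $(printf '%s\n' "$SAMPLE_IPSECCTL" | count_esp_sas)"

# Live mode: the same checks against the real commands (carp0 is assumed).
live_checks() {
    sysctl net.inet.ip.forwarding | check_forwarding \
        && echo "kernel forwarding: on" || echo "kernel forwarding: OFF"
    sysctl_conf_value net.inet.ip.forwarding </etc/sysctl.conf
    pfctl -si | check_pf_enabled && echo "pf: enabled" || echo "pf: DISABLED"
    echo "carp0: $(ifconfig carp0 | carp_state)"
    echo "esp SAs: $(ipsecctl -sa | count_esp_sas)"
}
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it with no arguments to see the checks against the samples, or with --live as root on the firewall. A box where every line comes back green (forwarding on, pf enabled, carp0 MASTER, SA count above zero) but still does not pass traffic points at the pf ruleset or routing rather than at sysctl.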