Re: OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections

Just a plus After performed a ton of test's I bring up debian linux freebsd and Windows . freebsd : with fetch tool no issue using ftp causes the stalled OpenBSD: wget and ftp tool causes connection stalled linux debian: wget works Windows: works I tested the retrieve with http://mirrors.

OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections

Hello Misc, I kindly would like to ask if anyone already faced something like this: I have the follow setup VMware 6 ( one physical interface ) 2x OpenBSD 6 ( cloned machine) ( using E1000 ) ( was using vmxnet3 ) OpenBSD Router running 3 carps ( ext / dmz / lan ) Physical Carp interfaces has

Re: carp/pfsync-problem: carp states stuck in "INIT" on boot on both machines but work correctly if called manually via /etc/netstart

...I don't believe it... I ssh'd all the time to the gateways and never had a look to the bootmessages 2x "ifconfig invalid argument" was the hint at boot. The fault (syntax typo?) was included in hostname.carp[0,1] - "\" for a 2-liner didn't work... despite the usage of blanks only.

carp/pfsync-problem: carp states stuck in "INIT" on boot on both machines but work correctly if called manually via /etc/netstart

Hello @list, perhaps I'm stupid but I've got a problem with two CARPed gateways running 5.7-amd64 stable. Hardware: two supermicro-board machines with four network interfaces each (em0 .. em3). Networks: LAN A : 172.16.210/24 via em0 LAN B : 172.16.0/24 via em1 direct connect for pfsync:

Re: carp+pfsync+relayd question

sing ? >>> Am 14.11.2013 18:47 schrieb "Leonardo Santagostini" < >>> lsantagost...@gmail.com >>> >: >>> > >>> > Thanks a lot to all, i will give it a try and gives tou you feedback as >>> > soon as it get implemented. >

Re: carp+pfsync+relayd question

; > >> > Thanks a lot to all, i will give it a try and gives tou you feedback as >> > soon as it get implemented. >> > >> > Saludos.- >> > Leonardo Santagostini >> > >> > <http://ar.linkedin.com/in/santagostini> >> >

Re: carp+pfsync+relayd question

Andy > > > > > On 14/11/13 15:21, Leonardo Santagostini wrote: > > > > > > Hello misc, > > > > > > Im doing my final approach to put a production system with > > > carp+pfsync+relayd on production. > > > > > > The poin

carp+pfsync+relayd question

- > Leonardo Santagostini > > <http://ar.linkedin.com/in/santagostini> > > > > > > 2013/11/14 Andy > > > On 14/11/13 15:21, Leonardo Santagostini wrote: > > > > Hello misc, > > > > Im doing my final approach to put a production system

Re: carp+pfsync+relayd question

Hello list, i found something strange. By one side, cpu idle is at 0% [root@v-arcbabalancer01 ~]# vmstat 2 20 procsmemory pagediskstraps cpu r b wavm fre flt re pi po fr sr wd0 cd0 int sys cs us sy id 5 0 0 86576 1450072 845 0

Re: carp+pfsync+relayd question

Ok, thanks for all the replies. Im waiting to this situation appears to send to you the output of those commands. Thanks and regards Saludos.- Leonardo Santagostini 2013/11/18 mxb > > Output for > > 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.

Re: carp+pfsync+relayd question

Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq’ would be hie to see. //mxb On 18 nov 2013, at 04:20, Leonardo Santagostini wrote: > Sorry, looking more detailed at the logs i found this: > > /var/log/daemon > Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: rel

Re: carp+pfsync+relayd question

Sorry, looking more detailed at the logs i found this: /var/log/daemon Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no connection in flight Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615 Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting

Re: carp+pfsync+relayd question

Hello everybody, i still having some issues whit relayd. Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1 active), 0, 190.51.90.22 -> :0, buffer event timeout Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97 (4 active), 0, 190.49.60.30 -> :0, buf

Re: carp+pfsync+relayd question

Hello Andy. Actually i proved flushing pf rules, tables and counters with no luck. But after restart relayd things come to work as expected. Thanks, Leonardo El nov 14, 2013 8:15 p.m., "mxb" escribió: > No, > it is number of currently active sessions for this particular relay. > Eg. 502 “use

Re: carp+pfsync+relayd question

No, it is number of currently active sessions for this particular relay. Eg. 502 “users". On 14 nov 2013, at 21:59, Andy Lemin wrote: > Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like > an error return from nginx/apache etc. could be a direct server return issue > c

Re: carp+pfsync+relayd question

mplemented. >>> >>> Saludos.- >>> Leonardo Santagostini >>> >>> <http://ar.linkedin.com/in/santagostini> >>> >>> >>> >>> >>> >>> 2013/11/14 Andy >>> >>>> On 14/11/13 15:21, Leon

Re: carp+pfsync+relayd question

gt;> >>> Saludos.- >>> Leonardo Santagostini >>> >>> >>> >>> >>> >>> >>> >>> 2013/11/14 Andy >>>>> On 14/11/13 15:21, Leonardo Santagostini wrote: >>>>> Hello misc, >>

Re: carp+pfsync+relayd question

a lot to all, i will give it a try and gives tou you feedback as soon as it get implemented. >>> >>> Saludos.- >>> Leonardo Santagostini >>> >>> >>> >>> >>> >>> >>> >>> 2013/11/14 Andy >>&

Re: carp+pfsync+relayd question

tou you feedback as >> soon as it get implemented. >> >> Saludos.- >> Leonardo Santagostini >> >> <http://ar.linkedin.com/in/santagostini> >> >> >> >> >> >> 2013/11/14 Andy >> >>> On 14/11/13 15:21, Leonardo

Re: carp+pfsync+relayd question

:21, Leonardo Santagostini wrote: >> >> Hello misc, >> >> Im doing my final approach to put a production system with >> carp+pfsync+relayd on production. >> >> The point is that im facing some trouble setting more than one ip alias >> address with differen

Re: carp+pfsync+relayd question

my final approach to put a production system with > carp+pfsync+relayd on production. > > The point is that im facing some trouble setting more than one ip alias > address with different vhid and different passwd. > > So, this is the scenario. > > Im trying to relayd more

Re: carp+pfsync+relayd question

On 14/11/13 15:21, Leonardo Santagostini wrote: > Hello misc, > > Im doing my final approach to put a production system with > carp+pfsync+relayd on production. > > The point is that im facing some trouble setting more than one ip alias > address with different vhid and dif

Re: carp+pfsync+relayd question

Ok, i will modify the config. But i really want to know about the carp configuration. I forget to mention that im doing DSR. Saludos.- Leonardo Santagostini 2013/11/14 mxb > 15 sites and only 9? > I’d put around 50 (and have). You might n

Re: carp+pfsync+relayd question

Put all of those into the same "relay { }” as they are going to the same forward table. relay { listen on addr1 port 80 listen on addr2 port 80 etc…. } or you’ll end up doing “check http” several times. and I’d do just simple "check tcp” - faster. On 14 nov 2013, at 16

Re: carp+pfsync+relayd question

15 sites and only 9? I’d put around 50 (and have). You might need even more. On 14 nov 2013, at 16:21, Leonardo Santagostini wrote: > set limit states 9

carp+pfsync+relayd question

Hello misc, Im doing my final approach to put a production system with carp+pfsync+relayd on production. The point is that im facing some trouble setting more than one ip alias address with different vhid and different passwd. So, this is the scenario. Im trying to relayd more or less 15 sites

altq on carp - pfsync - BGP

Hi Misc, I have two routers. On external interfaces I've eBGP session with ISPs. On internal interfaces, there is iBGP session, carp and pfsync. I'm trying to set traffic queuing, but I've problem, if packets leaves network by one router and replies returns by second router (there is state created

having tcp.established problem with carp + pfsync setup on 5.2

Hi! While switching two node carp + pfsync active/passive firewall nodes over like fw1# ifconfig -g carp carpdemote 50 i get idle tcp sessions hanging. I noticed that slave does not honour 'expires in' values of respective master's states and instead uses packet filter

Redundant Firewall problem with pf/carp/pfsync/ipsec

I've currently been running a redundant firewall solution in our Production environment using OpenBSD (version 4.5-stable) with CARP (4), PF (4), PFsync (4) and SAsyncd (8) which syncs the pf rules and IPSEC security associations via the cross-over cable method. We're also running an IPSEC (4)

Re: PF/Carp/Pfsync

On Thu, Jun 4, 2009 at 5:49 AM, Georg Kahest wrote: > I think i have figured it out, the pfctl -vsi checksums are identical, > everything works if I load filter rules via include(include > "/etc/pf.filter ) , but when filter rules are loaded into B anchor ( load > anchor shape from "/etc/pf.filter

Re: PF/Carp/Pfsync

I think i have figured it out, the pfctl -vsi checksums are identical, everything works if I load filter rules via include(include "/etc/pf.filter ) , but when filter rules are loaded into anchor ( load anchor shape from "/etc/pf.filter") ,then after sync the ongoing traffic wont hit right queue

Re: PF/Carp/Pfsync

* Georg Kahest [2009-06-02 10:01]: > The rules look identical to me at the moment, but i will doublecheck > them, one thing thou i dont have same interface names at both boxes, that is your problem. checksum in pfctl -vsi must be identical. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org B

Re: PF/Carp/Pfsync

Hello again I made identical configurations to both boxes pf wise only difference was the physical interface under the vlan interfaces on top of what carp was built, and i couldnot get carp/pfsync to work correctly, ongoing traffic at failover didnot hit right queue, only new traffic did. Note

Re: PF/Carp/Pfsync

A little update, the filter rules are these, except the interface name they are identical, and queue names are identical aswell, only difference is on what interface the queues are present. Node1 pass in log on vlan0 inet from zzz.xxx.yyy./30 to any flags S/SA keep state queue(zzz.xxx.yyy.

Re: PF/Carp/Pfsync

Hello The rules look identical to me at the moment, but i will doublecheck them, one thing thou i dont have same interface names at both boxes, thou the rules/queues are identical (they are built of out script for both boxes) only exception is that interface names are macros rather then static val

Re: PF/Carp/Pfsync

* Georg Kahest [2009-06-01 15:21]: > Yes the rulesets are identical, strange thing is from pftop it seems > that it hits default queue (25mbit queue) but somehow the client gets > 10~MB/s what seems more of interface root queue value rather then that > default queue. Thou the real queue it should

Re: PF/Carp/Pfsync

Yes the rulesets are identical, strange thing is from pftop it seems that it hits default queue (25mbit queue) but somehow the client gets 10~MB/s what seems more of interface root queue value rather then that default queue. Thou the real queue it should use is at 8mbit. On E, 2009-06-01 at 15:09

Re: PF/Carp/Pfsync

On 2009/06/01 15:57, Georg Kahest wrote: > Okey now that the failover seems to be work i have hit another problem, > the thing is when failover occurs and other node takes over, the client > connection wont hit right ALTQ queue anymore, rather it goes > unqueued(full speed) , and only the new conne

Re: PF/Carp/Pfsync

n relevant, but you already have that). > > > > I'm not sure what it might be then.. > > > > > > > > > On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote: > > > > On 2009-05-28, Georg Kahest wrote: > > > > > Hello, i have s

Re: PF/Carp/Pfsync

of pfsync/pfctl in the startup scripts and I wondered > if it might have been relevant, but you already have that). > > I'm not sure what it might be then.. > > > > > On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote: > > > On 2009-05-28, Geo

Re: PF/Carp/Pfsync

e that). > > I'm not sure what it might be then.. > > > > > On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote: > > > On 2009-05-28, Georg Kahest wrote: > > > > Hello, i have strange problem with my Carp/Pfsync, when i manualy > > >

Re: PF/Carp/Pfsync

a change > to the order of pfsync/pfctl in the startup scripts and I wondered > if it might have been relevant, but you already have that). > > I'm not sure what it might be then.. > > > > > On P, 2009-05-31 at 19:32 +0200, Stuart Henderson wrote: > > >

Re: PF/Carp/Pfsync

: > > > Hello, i have strange problem with my Carp/Pfsync, when i manualy > > > failover via carpdemote or ifconfig carpX down, then the failover works > > > okey, it even works okey when one box goes down, but when the prefered > > > master comes up again and st

Re: PF/Carp/Pfsync

e strange problem with my Carp/Pfsync, when i manualy > > failover via carpdemote or ifconfig carpX down, then the failover works > > okey, it even works okey when one box goes down, but when the prefered > > master comes up again and starts to act as carp master, then client who

Re: PF/Carp/Pfsync

On 2009-05-28, Georg Kahest wrote: > Hello, i have strange problem with my Carp/Pfsync, when i manualy > failover via carpdemote or ifconfig carpX down, then the failover works > okey, it even works okey when one box goes down, but when the prefered > master comes up again and star

Re: PF/Carp/Pfsync

Hi Georg I think I remember something like this ... could it be that carp takes over the interface before pfsync has finished updating the booted machine's connection table? TCP (and many other protocols) takes care of such situations by simply retransmitting, so any TCP connections should rec

PF/Carp/Pfsync

Hello, i have strange problem with my Carp/Pfsync, when i manualy failover via carpdemote or ifconfig carpX down, then the failover works okey, it even works okey when one box goes down, but when the prefered master comes up again and starts to act as carp master, then client who has carp as its

Re: Usefull info for a bug report regarding carp/pfsync?

On Tue, Apr 1, 2008 at 12:12 PM, Preston Kutzner <[EMAIL PROTECTED]> wrote: > > On Mon, 31 Mar 2008 10:44:28 +0200 > Simon Kammerer <[EMAIL PROTECTED]> wrote: > > > Hi! > > > > after several years without any problems, we upgraded the hardware of &g

Re: Usefull info for a bug report regarding carp/pfsync?

On Tue, 1 Apr 2008 18:16:05 -0400 "Richard Daemon" <[EMAIL PROTECTED]> wrote: > On Tue, Apr 1, 2008 at 12:12 PM, Preston Kutzner > <[EMAIL PROTECTED]> wrote: > <---snip---> > It's not by chance your PF state table that may be maxed? > I'm not using PF on this box, so I wouldn't think it is. PF i

Re: Usefull info for a bug report regarding carp/pfsync?

On Mon, 31 Mar 2008 10:44:28 +0200 Simon Kammerer <[EMAIL PROTECTED]> wrote: > Hi! > > after several years without any problems, we upgraded the hardware of > our carp/pfsync gateway about four week ago. Two weeks ago, the gateway > crashed completely: Both nodes were unrea

Re: Usefull info for a bug report regarding carp/pfsync?

On 08-03-31 10.44, Simon Kammerer wrote: Hi! after several years without any problems, we upgraded the hardware of our carp/pfsync gateway about four week ago. Two weeks ago, the gateway crashed completely: Both nodes were unreachable on all network interfaces, we had to reset both machines

Usefull info for a bug report regarding carp/pfsync?

Hi! after several years without any problems, we upgraded the hardware of our carp/pfsync gateway about four week ago. Two weeks ago, the gateway crashed completely: Both nodes were unreachable on all network interfaces, we had to reset both machines. Same problem last night. I can't

Re: pf, carp, pfsync, maybe without bridging

On Monday 04 June 2007 17:19:10 David Newman wrote: > OK, but how then to get redundancy across the firewalls? STP - see brconfig(8). -- Antoine

Re: pf, carp, pfsync, maybe without bridging

On 2007/06/04 08:19, David Newman wrote: > Stuart Henderson wrote: > > On 2007/06/04 07:11, David Newman wrote: > >> I could divide the /26 into smaller netblocks and configure pf to route > >> between them but I'm reluctant to do that given that I'd burn a network > >> and broadcast address for ea

Re: pf, carp, pfsync, maybe without bridging

* David Newman <[EMAIL PROTECTED]> [2007-06-04 16:27]: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Henning Brauer wrote: > > * David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]: > >> but it says carp doesn't work with bridging > > > > carp alows two hosts to share an IP. > > now expla

Re: pf, carp, pfsync, maybe without bridging

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Stuart Henderson wrote: > On 2007/06/04 07:11, David Newman wrote: >> I could divide the /26 into smaller netblocks and configure pf to route >> between them but I'm reluctant to do that given that I'd burn a network >> and broadcast address for each n

Re: pf, carp, pfsync, maybe without bridging

On 2007/06/04 07:11, David Newman wrote: > I could divide the /26 into smaller netblocks and configure pf to route > between them but I'm reluctant to do that given that I'd burn a network > and broadcast address for each netblock, and a /26 is small enough as it is. > > Is there a better way? Tha

Re: pf, carp, pfsync, maybe without bridging

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Henning Brauer wrote: > * David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]: >> but it says carp doesn't work with bridging > > carp alows two hosts to share an IP. > now explain me how that is supposed to work with bridges, where the > forwarding

Re: pf, carp, pfsync, and bridging

* David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]: > but it says carp doesn't work with bridging carp alows two hosts to share an IP. now explain me how that is supposed to work with bridges, where the forwarding does not happen at the IP layer. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL

pf, carp, pfsync, and bridging

tree instead. That was on OBSD 3.5 and I don't see anything about bridging in more recent manpages for carp. Has anything changed? As for why I'm bridging: I have an application that NAT breaks. Currently I have another pair of pf boxes running carp/pfsync and routing to NAT'd space.

Re: PF+VLAN+CARP+PFSYNC

On Tue, 29 May 2007 13:07:12 +0100, [EMAIL PROTECTED] wrote: > Good Morning, > > I'm currently in the process of configuring a new firewall for my company > and would like to know the following: > > 1. Is it possible to configure OpenBSD firewall interface as follows: > > carp10 - int/ext virtua

Re: PF+VLAN+CARP+PFSYNC

[EMAIL PROTECTED] wrote: Good Morning, I'm currently in the process of configuring a new firewall for my company and would like to know the following: 1. Is it possible to configure OpenBSD firewall interface as follows: carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's) | vla

PF+VLAN+CARP+PFSYNC

Good Morning, I'm currently in the process of configuring a new firewall for my company and would like to know the following: 1. Is it possible to configure OpenBSD firewall interface as follows: carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's) | vlan10 - int/ext virtual eth d

Re: PF, CARP, PFsync and multiple default routes

--- Quoting Gilles Chehade on 2007/04/18 at 22:23 +0200: > Hi misc@, > > I am trying to setup a set of "carp"-ed firewalls as follow: > > > > ISP 1 ISP 2 > | | >\ / > _ SWITCH # 1 _ >

PF, CARP, PFsync and multiple default routes

Hi misc@, I am trying to setup a set of "carp"-ed firewalls as follow: ISP 1 ISP 2 | | \ / _ SWITCH # 1 _ / || \ / || \ bge

redundant firewalls with carp/pfsync single dsl connection? possible?

I have been wondering this for some time now and haven't seen anyone pose the question so i figured it's time. I have a single dsl connection coming in _not_ terminating on the normal cpe but going directly to my firewall (OBSD 4.0) via sangoma s518 dsl card. I then have a few nics for routin

Re: NFS over 2 PF firewalls with CARP/pfsync

Spruell, Darren-Perot [EMAIL PROTECTED] wrote: > > > Unfortunately we only have one netapp and its live so > > experimenting is awkward. I was hoping I wasnt the > > first to try and do NFS across a redundant OpenBSD > > firewall. This is an internal firewall between > > departments not across th

Re: NFS over 2 PF firewalls with CARP/pfsync

Kian Mohageri wrote: On 8/17/06, Alastair Johnson <[EMAIL PROTECTED]> wrote: I have 2 OpenBSD 4.0beta firewalls arranged in a CARP failover configuration with PFsync. It seems to work very well for everything except NFS. My ssh, remote desktop and telnet connections seem to survive a failover v

Re: NFS over 2 PF firewalls with CARP/pfsync

From: Alastair Johnson > I have 2 OpenBSD 4.0beta firewalls arranged in a CARP > failover configuration with PFsync. > > It seems to work very well for everything except NFS. > My ssh, remote desktop and telnet connections seem to > survive a failover very nicely. [snip] > Unfortunately we only

Re: NFS over 2 PF firewalls with CARP/pfsync

On 8/17/06, Alastair Johnson <[EMAIL PROTECTED]> wrote: > > I have 2 OpenBSD 4.0beta firewalls arranged in a CARP > failover configuration with PFsync. > > It seems to work very well for everything except NFS. > My ssh, remote desktop and telnet connections seem to > survive a failover very nicely.

NFS over 2 PF firewalls with CARP/pfsync

I have 2 OpenBSD 4.0beta firewalls arranged in a CARP failover configuration with PFsync. It seems to work very well for everything except NFS. My ssh, remote desktop and telnet connections seem to survive a failover very nicely. Unfortunately we do a little NFS and have linux clients on one sid

Re: Carp/Pfsync problem

Kian Mohageri wrote: On 7/31/06, Tim Pushor <[EMAIL PROTECTED]> wrote: Sorry to bump this thread, but I'd really like to know how to troubleshoot something like this. I'd suggest tcpdump'ing at the point when the connection fails, on the pflog(4) interface of both machines, especially

Re: Carp/Pfsync problem

On 7/31/06, Tim Pushor <[EMAIL PROTECTED]> wrote: > > Sorry to bump this thread, but I'd really like to know how to > troubleshoot something like this. I'd suggest tcpdump'ing at the point when the connection fails, on the pflog(4) interface of both machines, especially the backup which is appar

Re: Carp/Pfsync problem

not when I pull the plug on one. Thanks again, Tim Tim Pushor wrote: Hi friends, I am trying to setup my first firewall w/failover via carp & pfsync. I have it almost working, but am having a couple issues. I am hoping someone will be able to help :) First, before I enabled preemption I

Re: Carp/Pfsync problem

On 2006/07/20 20:32, Ashley Moran wrote: > You don't need a new carp interface for every IP if they use the same > carpdev, you can add the others as aliases (that definitely works for > IPs in the same subnet, and I'm pretty sure it will work for IPs in > different subnets too). It makes th

Re: Carp/Pfsync problem

On Sep 20, 2006, at 7:18 pm, Tim Pushor wrote: As for the multiple carp addresses - This is in a lab environment but will end up protecting a rack of machines in a colo. I'm planning on having a carp address for each external address that's required (not many - maybe 4-5 eventually). Tim

Re: Carp/Pfsync problem

iosity, why are there two CARP addresses between the workstation and firewalls? Kian On 9/20/06, Tim Pushor <[EMAIL PROTECTED]> wrote: Hi friends, I am trying to setup my first firewall w/failover via carp & pfsync. I have it almost working, but am having a couple issues. I am hopin

Re: Carp/Pfsync problem

Change 'syncif' to 'syncdev' in your hostname.pfsync files. Also, out of curiosity, why are there two CARP addresses between the workstation and firewalls? Kian On 9/20/06, Tim Pushor <[EMAIL PROTECTED]> wrote: > > Hi friends, > > I am trying to setup

Carp/Pfsync problem

Hi friends, I am trying to setup my first firewall w/failover via carp & pfsync. I have it almost working, but am having a couple issues. I am hoping someone will be able to help :) First, before I enabled preemption I almost always had one machine being master for one of the

Carp+pfsync

Hello I am using carp, pfsync with options preempt=1 and arpbalance=1. I have problems with states synchronization beetwen hosts. Can someone answer me: in /var/log/messages /bsd: duplicate IP address 192.168.1.21 sent from ethernet address 00:00:5e:00:01:01 ... etc 192.168.1.21 - my private

speed of failover CARP & pfsync

hello: i'm going to trayl a fw system with failover using CARP and pfsync, the technical requirements like bit rate are to high and i would like to know where i can find statics about how fast this solution can works thanks beforehand vegons

CARP + pfsync firewall rejects ARP updates

I am setting up a redundant OpenBSD firewall using CARP and pfsync. I am using an OpenBSD 3.8 install from the CDs. As part of the work being done, I am also configuring Solaris multipathing on some servers inside the firewall. The way Solaris switches to a redundant interface in case of fai

Re: CARP+Pfsync+Bind

Then, you can forget about DNSSEC for example ... Lio -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de ed Envoyi : vendredi 7 octobre 2005 19:25 Cc : misc@openbsd.org Objet : Re: CARP+Pfsync+Bind On Thu, 6 Oct 2005 19:52:31 -0400 "Dave Anderso

Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 19:52:31 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > Responses long enough so that required information is truncated should > be rare, so perhaps you've been lucky and not encountered any yet. I understand fully what you are saying, but I just don't want to serve DNS via

Re: CARP+Pfsync+Bind

Quoting ed <[EMAIL PROTECTED]>: Zone transfers are on tcp/53, DNS lookups are 53/udp, so: pass in on $ext_if proto udp from any to $DNS port 53 keep state and if required: pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state I use TinyDNS here, so we don't really need to tra

Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 22:15:25 +0100 ed <[EMAIL PROTECTED]> wrote: > Works fine on on the 2 domains where it's been implemented, of which > I handled the conversion from BIND style to djbdns. No problems on UDP > lookups alone, including some deep CNAMEs, which are just not required, > but I'll de

Re: CARP+Pfsync+Bind

On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed... > TCP for for DNS lookups are probably going to incur latency. I'd rather > just block that off and ensure that the DNS being provided does not leak > excess > 512 bytes. This might cause some problems with huge round robin > lists, but we can

Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 15:07:23 -0500 eric <[EMAIL PROTECTED]> wrote: > On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... > > > I use TinyDNS here, so we don't really need to transfer zones as its > > handled with a single data file. CARP can be good with DNS. > > 53/tcp *is* required to answer

Re: CARP+Pfsync+Bind

** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005 22:15:25 +0100 >On Thu, 6 Oct 2005 15:49:02 -0400 >"Dave Anderson" <[EMAIL PROTECTED]> wrote: > >> That's not quite the whole story: 53/tcp is also used when the >> response to a query is too big for a single UDP packet (the resolv

Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 15:49:02 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > That's not quite the whole story: 53/tcp is also used when the > response to a query is too big for a single UDP packet (the resolver > sends a UDP query and gets a 'truncated' UDP reply, so the resolver > retries the q

Re: CARP+Pfsync+Bind

On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... > I use TinyDNS here, so we don't really need to transfer zones as its > handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal queries. Since you're drinking djb's koolaid, see

Re: CARP+Pfsync+Bind

** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005 14:04:20 +0100 >Zone transfers are on tcp/53, DNS lookups are 53/udp, so: That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and ge

Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 16:55:05 +0400 Vladimir Potapov <[EMAIL PROTECTED]> wrote: > We have 1 server on which running firewall and DNS master service. And > we planned to install another server for load balancing and redudancy. > 2 servers(each have running PF and BIND) will balancing load (or one >

CARP+Pfsync+Bind

Hello everyone! We have 1 server on which running firewall and DNS master service. And we planned to install another server for load balancing and redudancy. 2 servers(each have running PF and BIND) will balancing load (or one will master and other slave) for DNS and PF. Does anyone protect DNS se

Re: CARP/PFSYNC over USB is possible?

On Mon, 29 Aug 2005, Vinicius Pavanelli Vianna wrote: I'm currently using an OpenBSD 3.7 as a firewall for my network, since this machines is a 1U rack I can't add an extra ethernet card to it, so I was looking for an alternative solution to use redundancy, since there are plenty of usb ports fr

Re: CARP/PFSYNC

MAIL PROTECTED]** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Gut Sent: den 31 augusti 2005 14:47 To: [EMAIL PROTECTED] Cc: misc@openbsd.org Subject: Re: CARP/PFSYNC [EMAIL PROTECTED] wrote: > If the > machine fails all is

Re: CARP/PFSYNC

[EMAIL PROTECTED] wrote: > If the machine fails all is well [ ;) ] and the traffic is routed over the other machine, however if only one interface fails, CARP notices this and the interface is moved to the otehr machien, however this still means that either ext_if or int_if is still leftt on the

Re: CARP/PFSYNC

[EMAIL PROTECTED] schrieb: automatically should one fail but is there a better way? Can I somehow link the two CARP groups so that they are aware of each other adn should one group fail teh other downs as well? I have probably missed something very simple. Thanks for any tips. Shouldn't 'sysctl

CARP/PFSYNC

Hello, I have a question reagarding CARP on OpeNSBD. I have setup a lab environment consisting of two machines with three interfaces each (ext_if, int_if, pfsync_if). Now I ahve two CARP groups; on for failover of ext_if and one for int_if. The problem is this. If the machine fails all is well

CARP/PFSYNC over USB is possible?

nBSD to do the carp/pfsync? i would think the cdcd(4) is what i'm lookin for, but i don't have physical access to the machine now to try and don't have yet the usb cables, so before i buy this, am I missing something? :) I read the usb 2.0 have 480mbit/s so it would be far enought for

  1   2   >