* Sebastian John [2013-11-19 19:00]:
> try to use the correct network mask in alias configuration:
> inet alias 200.200.200.163 255.255.255.240
try to not give wrong advice. all-ones netmask is EXACTLY the right
thing here.
probably even for the first ("main") address, unless carpdev is
unnumbere
Hello,
I'm having trouble returning a server to be master with trade in advskew via
ifstated.
The following scenario:
##
server1
##
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev vic0 vhid 1 advbase 1 advs
ems default route in between.
>
> Searching the internet, I found the post http://openbsd.7691.n7.nabble.com/Carp-with-aliases-route-problem-td84179.html, Todd T. Fries-2, saying that
> in /etc/netstart interface carp rises after the physical and do not know if
> it is necessary to
55.255.255
> > inet alias 200.200.200.167 255.255.255.255
> >
> > After restart the fw, I can not access the router (gateway). I think it has
> > problems default route in between.
> >
> > Searching the internet, I found the post
> http://openbsd.7691.
255.255
> inet alias 200.200.200.167 255.255.255.255
>
> After restart the fw, I can not access the router (gateway). I think it has
> problems default route in between.
>
> Searching the internet, I found the post http://openbsd.7691.n7.nabble.com/Carp-with-aliases-route-probl
alias 200.200.200.166 255.255.255.255
inet alias 200.200.200.167 255.255.255.255
After restart the fw, I can not access the router (gateway). I think it has
problems default route in between.
Searching the internet, I found the post http://openbsd.7691.n7.nabble.com/Carp-with-aliases-route
On Wednesday, April 1, 2009 5:41:30 PM UTC+11, Sheldon Jones wrote:
> Hi all,
>
> I'm having trouble with carpnodes and nating outgoing traffic to the external
> carp interface. I'm trying to get traffic leaving my LAN thru the firewall to
> have the
also enables failing over a group
> of interfaces together in the event that
> one interface goes down. If one physical
> CARP-enabled interface goes down, CARP
> wi
console of a
> host while it was in this state, the interface would look perfectly normal,
> but it would not pass any traffic. I callously worked around this by
> administratively cycling each network interface on the affected machine(s)
> on a weekly basis.
>
> If we ran into this
Karl O. Pinc wrote:
> I didn't notice _any_ reference to pfsync in the original
> post. Perhaps this is part of the problem?
I originally wrote:
> I have a pair of OpenBSD firewall/routers in a reasonably vanilla
> pf + pfsync + CARP configuration...
It sounds like using
Daniel Hartmeier wrote:
> Yes, it will:
>
> net.inet.carp.preempt Allow virtual hosts to preempt each other.
> It is also used to failover carp interfaces
> as a group. When the option
On 04/23/2012 03:19:44 PM, Stuart Henderson wrote:
> On 2012/04/23 11:49, Kyle Lanclos wrote:
> > In order for our firewall to operate effectively, we use 'keep state'
> > pf rules.
>
> pfsync(4)'s "defer" option might help. there is a penalty but it might
> be acceptable for your use case.
On 2012/04/23 11:49, Kyle Lanclos wrote:
> In order for our firewall to operate effectively, we use 'keep state'
> pf rules. We empirically determined that we must have CARP preemption
> enabled, otherwise pf cannot properly establish state for new TCP
> connections. If p
On Mon, Apr 23, 2012 at 11:49:14AM -0700, Kyle Lanclos wrote:
> Where this presents a problem is if the current CARP master loses a single
> network interface (cable unplugged, isolated hardware failure, sysadmin
> failure, etc.), as opposed to the CARP master failing entirely. The sla
I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration, each straddling two routed networks.
The CARP interface on the internal network is the default gateway for
that subnet. The CARP interface on the external network is the default
destination for
I'm having a hell of a time using Extreme Networks Summit 400-24t
switches with IP balancing of any type.
I've tried OpenBSD 5.0 and a -current snapshot from Feb 02. I've
tried all the modes, but none of them work. There's not a good way
I'm aware of to do port mirroring for ip-unicast, but I do
Hello everybody,
I need help regarding the following situation. I have four OpenBSD
firewalls configured to do load-balancing ( in and out) using
ip-stealth. I have two CARP interfaces (internal and external) on each
firewall. See the configuration below.
Load-balancing works perfectly for non
Hi list!
We're playing around with two 4.6 boxes, running carp and relayd. We
successfully got a basic DSR setup running, and it seems to be working
fine! However, when failing over to the secondary box, it fails.
All inbound packets go nicely through the box, and return packets
fro
Hi all,
I'm having trouble with carpnodes and nating outgoing traffic to the external
carp interface. I'm trying to get traffic leaving my LAN thru the firewall to
have the external carp1 address xxx.yyy.60.21 instead of the $ext_if 60.18 or
60.19 depending on which firewall c
Hi,
Thanks for your replies.
carp.preempt is enabled on both firewalls. See this
# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0
Here is also the configuration of the carp interfaces
FW1
/etc/hostname.carp1
inet 10.10.1.1
On Thu, Aug 07, 2008 at 12:40:37PM -0700, Wadner Cadet wrote:
> Hi,
> I am experiencing an issue with my two OpenBSD firewalls. I have two carp
> interfaces (carp1 and carp2). On carp2, there are 6 ip aliases (external ip
> addresses). The two carp interfaces belong to the same carp
Hello Wadner:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Wadner Cadet
> Sent: Thursday, August 07, 2008 12:41 PM
> To: pf@benzedrine.cx
> Subject: Problem with carp group failover
>
> Hi,
> I am experiencing a
Hi,
I am experiencing an issue with my two OpenBSD firewalls. I have two carp
interfaces (carp1 and carp2). On carp2, there are 6 ip aliases (external ip
addresses). The two carp interfaces belong to the same carp group. When one
carp interface fails, the other carp interface is not shifted to
Hi,
OpenBSD 4.2 stable patched to Feb 27, 2008
I've two firewalls with carp failover between them.
One is configured with the carp interfaces having an
advskew of 100, so that machine is normally the backup.
Something happened and the backup has become the master,
and the master has a dem
Thanks for all the help.
On 07/14/2008 12:52:16 AM, Ryan McBride wrote:
The carp demotion twiddling in RC isn't disabled until after rc.local is
run, so this shouldn't be a problem (but in general it's safe to turn on
forwarding during boot, because the boot-time pf.conf won
tarted in rc.local so that it starts after
>> the (secondary, local ,caching) nameserver so that I can
>> use the dns names of my domain in pf.conf.
>
> This is clearly going to cause a problem because
> I also don't allow forwarding until after pf is up,
> so as soon
, because
> Knowing would help prevent shutting down the master when the standby
> is not yet synchronized.
Don't shut your "master" down until all its carp interfaces are in the
MASTER state.
The case I'm now concerned about is shutting down the active
firewall before th
>> the (secondary, local ,caching) nameserver so that I can
>> use the dns names of my domain in pf.conf.
>
> This is clearly going to cause a problem because
> I also don't allow forwarding until after pf is up,
> so as soon as the carp interfaces become master
> the c
On 2008/07/14 10:14, Ryan McBride wrote:
> > I see this in the 4.2->4.3 changelogs:
> > Changed rc(8) and netstart(8) so pfsync(4) is not brought up before the
> > working ruleset has been loaded
>
> I don't believe this is critical, but it means that if your rulesets are
> identical across fire
bulk update of all
states from the other firewall(s). Until this update is complete, it
increases the carp demotion counter, preventing carp from taking over
the virtual IP address. When the bulk update completes or times out, the
demotion counter is decreased again. (The demotion counter is also
on't allow forwarding until after pf is up,
so as soon as the carp interfaces become master
the clients will start receiving icmp unreachable messages
in response to traffic.
Which brings me back to the question of how the demotion
counter works, so I can do something to use it to keep
the carp in
Fred,
Each ip address you have is assigned to a carp virtual interface. If you
have 10 ips then you could have 10 carp interfaces. Let's say we have an
external ip 33.33.33.33 assigned to carp1 ...
cat /etc/hostname.carp1
inet 33.33.33.33 255.255.255.0 33.33.33.255 vhid 1 advskew 1 carpdev em0
need to pass specific carp interfaces to specific
internal addresses.
Thanks,
Fred
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Newtz
Sent: Thursday, April 03, 2008 5:08 PM
To: 'Calomel'
Cc: pf@benzedrine.cx
Subject: RE: CARP f
Calomel,
Wow. Lots of stuff to look at!
1. state information is being transferred between machines.
2. A Thanks! I was just going through step three when I noticed
something that I never thought to look at. For some
reason I had bound all of the ips to one of my carp
Fred,
If you use "pftop" on both machines do you see the states from the MASTER
firewall being transferred to the BACKUP?
Are you binding all of your ip addresses to your physical interfaces?
What do your carp hostname files contain?
cat /etc/hostname.carp0
cat /etc/hostname.c
Sorry I forgot to do reply to all!
-Original Message-
From: Fred Newtz [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 11:10 AM
To: 'Calomel'
Cc: 'pf@benzedrine.cx'
Subject: RE: CARP failover problem
Calomel,
Thanks for the response. Here is
# 1=Enable carp(4) preemption
net.inet.carp.log=1 # 1=Enable logging of carp(4) packets
I have just double checked and both machines are setup with the same
four entries.
The interfaces fail over properly. The problem is on the second
machine the traffic gets
. If one physical CARP-enabled interface goes
down, CARP will change advskew to 240 on all other CARP-enabled interfaces,
in essence, failing itself over.
CARP Firewall Failover for OpenBSD
http://calomel.org/pf_carp.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
I have two machines configured with OpenBSD carp pf and pfsync. The state
table is syncing properly. I have one webserver behind
the two firewall machines. For some reason my master machine (which is
working) will freeze up. The interfaces all failover
properly but no traffic will pass
Hello:
Every so often we see a run of these messages where the address
'x.x.x.x' below is a CARP interface address. There will be a
corresponding message for each of the 62 CARP interfaces on the machine.
This server is the backup in a failover pair (not load balanced). The
addresses
On 21:07, Fri 27 Apr 07, Phusion wrote:
> I have a question about the LAN layout for a CARP firewall setup. I am
> wondering what would be more preferable using a hub or a switch in the LAN
> layout below.
>
> router
> |
> hub or switch ?
> /
I have a question about the LAN layout for a CARP firewall setup. I am
wondering what would be more preferable using a hub or a switch in the LAN
layout below.
router
|
hub or switch ?
/ \
fw1 fw2
\ /
hub or switch ?
|
LAN
Let me know
Daniel,
Question: What happens if you run pfsync/carp and your clock is totally off ?
My backup carp machine has crashed with panic 20-30-40 times since yesterday
when i started my upgrade from 3.8 to 4.0 (and later 4.0-current).
After sending my email, I made two changes
1
On Mon, Jan 29, 2007 at 04:33:45PM +0100, Thomas Althoff wrote:
> I did the "crash" procedure on 3.9 and found that this is the line
> causing the problem
> if (!r->max_states || r->states < r->max_states)
> I have upgraded my boxes to 4.0-current, no change.
If you can reproduce it with a recen
On 01/29/2007 09:33:45 AM, Thomas Althoff wrote:
Hi,
My firewall cluster is two simple Dell PowerEdge 750 with Pentium4/256
MB RAM and 4 Intel giginterfaces (em driver). I have been using the
same hardware since OpenBSD 3.6, upgraded to 3.7 and 3.8 at "release
time". Same procedure when 3.9 w
On Mon, 29 Jan 2007 16:33:45 +0100
"Thomas Althoff" <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
> My firewall cluster is two simple Dell PowerEdge 750 with Pentium4/256
> MB RAM and 4 Intel giginterfaces (em driver). I have been using the
> same hardware since OpenBSD 3.6, upgraded to 3.7 and 3.8 at "
put (d604bf00,d0de8b00,0,d08b1000,30) at ipv4_input+0x4f1
ipintr(d0200058,d08b0010,10,d08b0010,d08b1000) at ipintr+0x70
Bad frame pointer: 0xd0b2e24
I don't have serial console, so my trace is written down by hand, one
small typo could exist.
I get the trap when the carp "backup"
Stuart Henderson wrote:
On 2006/11/28 14:34, Jakob Praher wrote:
is there a way to force both carp interfaces to have the same state,
e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in c
On 2006/11/28 14:34, Jakob Praher wrote:
> is there a way to force both carp interfaces to have the same state,
> e.g. if carp0 is master so has to be carp1 master ?
yes, set net.inet.carp.preempt=1 in /etc/sysctl.conf, there's a little
discussion about this in carp(4).
hi all,
i am using 2 firewalls via carp.
in my design all the external addresses are physically defined on the
firewall and are destination natted by the firewall.
so i have 2 carp interfaces
carp0 -> ext
carp1 -> int
and on a separate interface i do pfsync.
i looked at converting pf
Hello,
I have problem with policy routing. My infrastructure looks like: 2
firewalls with carp failover, Internet obtained from ISP via 3 different
VLANs.
Simple schema looks like:
/-VLAN A - CARP A --\
(WAN)---BGE0---VLAN B - CARP B ---BGE1 (LAN)
\-VLAN C - CARP
Hi,
I have some problems with carp and vlans I think. I have four physical
interfaces in my two firewalls, one for pfsync, one to the Internet, DMZ
and LAN. At the LAN interface seven VLAN interfaces are configured. The
Internet and DMZ interfaces are on em(4) and the pfsync and LAN vlans on
I'm looking to understand the proper way to get v6 carp to behave.
The problem is, that when I have one of the firewalls reboot, and its carp
interfaces become 'master', the v6 somehow thinks there is a duplicate v6
address for the address(es) I have configured on the carp interfac
x.x.x.x is our ISP's router IP address. x.x.x.x is an address
from the same network as addresses used in carp. But this doesn't
represent any problem as everything works fine. I'll do some long
downloads to check whether pfsync works or not.
> We are using OpenBSD 3.7 with carp preemption and we have checked that
> all interfaces are connected while booting. Carp preemptive failover
> works perfectly: we tested it unplugging the ethernet cable from the
> nics which are used for carp.
>
> We also experienced that AR
We are using OpenBSD 3.7 with carp preemption and we have checked that
all interfaces are connected while booting. Carp preemptive failover
works perfectly: we tested it unplugging the ethernet cable from the
nics which are used for carp.
We also experienced that ARP thing during the migration of
> After hours of thinking, reading manuals and googling I decided to
> send a mail to this list.
>
> We have two OpenBSD firewalls using CARP + PFSYNC to provide
> redundance. The problem is that long downloads stall randomly. For
> example, downloading a 700 MB ISO stal
ble 3.7 checkout could fix it if you use xl.
> Check CVS and see.
>
We are using rl as external interfaces and fxp as internal interfaces
for carp. Pfsync interfaces are rl, too.
We might get a different setup for pf with pfsync and carp from a
sysadmin. We will check the differences bet
> Another question: Can P2P traffic create such a great amount of
> connections that we might run out of resources to keep the state of
> them? Could that be the reason of our problem with pfsync?
No...
And you have of course global limits for states etc i pf.conf as well...
>
> Thanks again.
>
After hours of thinking, reading manuals and googling I decided to
send a mail to this list.
We have two OpenBSD firewalls using CARP + PFSYNC to provide
redundance. The problem is that long downloads stall randomly. For
example, downloading a 700 MB ISO stalls at about 120 MB, although
this
ig alias commands above for fxp0.
No. And there is no problem to assign other networks to the same nic... I
Did my tests on a desktop OBSD 3.8 with one nic and decided to add some
more alias networks to the fxp0 for this laboration. But this was as said
not the problem...
>
>> vlan0: flags=8943
an: 21 parent interface: fxp0
> groups: vlan
> inet6 fe80::2d0:b7ff:fec8:cbeb%vlan0 prefixlen 64 scopeid 0x12
> inet 192.168.21.2 netmask 0xff00 broadcast 192.168.21.255
Do you need IP addresses on your vlan devices? carp will bind fine to
any interface with the
Hi
Are there any known problems with VLAN and CARP?
(I use x86 3.8 with all cvs stable updates up to jan 30)
Look at the following output:
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.21.2 netmask 255.255.255.0
broadcast 192.168.21.255 up
[EMAIL PROTECTED]:~#ifconfig fxp0 inet alias
On 02/02/2006 04:04:09 PM, Steven S wrote:
If I wish FW1 to be primary and FW2 to be secondary I set advskew on FW1 to
be smaller than FW2. If I set preempt on both firewalls and I lose power to
DMZ switch, then both FW1 and FW2 change the advskew to 240. So in this
case which is MASTER?
T
After these threads it's now much clearer to me.
I think I now have the same view of it as you (I hope):
Two firewalls boot with preempt set to 1. FWA with all carp masters, and FWB
with all carp backups (advskew 100). If the dmz3 switch is without power both
FWA and FWB changes ad
FW1 to
be smaller than FW2. If I set preempt on both firewalls and I lose power to
DMZ switch, then both FW1 and FW2 change the advskew to 240. So in this
case which is MASTER? The mentioned carp/INIT bug didn't help here:-) I
don't know the answer as to why. I only know my workaround was
Does that work?
"man carp" says:
--snip--
EXAMPLES
For firewalls and routers with multiple interfaces, it is desirable to
failover all of the carp interfaces together, when one of the physical
interfaces goes down. This is achieved by the preempt option. Enable it
Agreed, it does smell of race.
Yes, I do preempt on whichever FW I wish the primary to be.
Nope. I figured it was just me.
-Steve S.
Per-Olov Sjöholm wrote:
> After these threads it's now much clearer to me.
>
..
> It smells like a random race condition problem that occurs only with
> in
Right. When preempt is set any carp interface which has a real interface
down causes all carps to use 240 for the skew. At this point I think it is
simply a race to see which interface takes MASTER. That is why I used
preempt on only one FW. This ensures that, in a situation like the one
top post... ok
I *think* I have tracked it down...
I had dmz4-dmz6 100% configured but no cables connected to the switch. The
carp interfaces for them were in "init" state as they could not talk to each
other. Although it all seemed to work as it should for all other interfaces.
ci-x)
> dmz2 - bge0 (server build in broadcom)
> dmz3-6 - sis0-4 (soekris pci quad)
>
> em0, em1 and em2 run at gig speed. All other at 100.
>
>
> I use carp on all interfaces [ except pfsync ;-) ].
> I also have net.inet.carp.preempt=1
>
)
em0, em1 and em2 run at gig speed. All other at 100.
I use carp on all interfaces [ except pfsync ;-) ].
I also have net.inet.carp.preempt=1
The primary fw is master for all carp interfaces and everything *mostly* works
perfect.
THE PROBLEM:
Sometimes when I reboot one of the firewalls not all
On Jan 27, 2006, at 10:48 AM, Karl O. Pinc wrote:
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4
On 01/26/2006 04:49:28 PM, Jon Simola wrote:
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev
files, and in my experience
> creating the carp and adding the IP address to it in separate commands
> works better, ala:
>
> # cat /etc/hostname.em0
> inet 10.0.3.4 255.255.252.0 NONE
> # cat /etc/hostname.carp8
> carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
> inet 10.0.
On 1/26/06, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]:~#more /etc/hostname.carp1
> 192.168.8.1 255.255.252.0 192.168.11.255 vhid 2 pass mypassword
Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it
Hi
I have been using two firewalls with a carp+pfsync (6 interfaces + a dedicated
pfsync) setup in a company environment based on OpenBSD 3.6 for a year. Now I
have upgraded to 3.8 and see *really* strange things...
The LAN is a supernet 192.168.8.0 with a /22 mask which seems to be a problem
Hi, i have such problem.
I am using carp balancing on the gate to the Internet.
preempt=1
arpabalance=1
Firstly, on 3.8 arpbalancing didn't work.
I saw this article
http://www.isi.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html
I recompile the kernel with a patch "IP-Based
Bala
hello,
> I noticed in your original email that fw2 had advskews of 10's and
> 100's. This suggests that CARP may not be setup the way you think it
> is (based on the advskew 240 in the hostname files).
The difference appear, when I have testing various configurations. Now
I
On 1/5/06, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
> I have not been following your problem.
>
> You have net.inet.carp.preempt=1 in /etc/sysctl.conf?
>
> If not then that's likely your problem. (Then reboot
> or man sysctl.)
Yes, I have preempt enabled:
fw1:
# sysctl net.inet.carp.preempt
net.i
ev em0
> advskew 240 pass 31337
> # cat /etc/hostname.carp2
> inet 111.111.111.14 255.255.255.0 111.111.111.255 vhid 3 carpdev em0
> advskew 240 pass 31337
> # cat /etc/hostname.carp3
> inet 111.111.111.16 255.255.255.0 111.111.111.255 vhid 4 carpdev em0
> advskew 240 pass 31337
I notic
On Jan 5, 2006, at 3:18 PM, Kilaru Sambaiah wrote:
unease. Carp interface can have aliases? Is it a good idea? What is
the best way to go about it?
Yes.
$ cat /etc/hostname.carp0
inet 10.0.0.2 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.3 255.255.255.0
Hello All,
We have 3 systems connected to the net with ip addresses x.y.z/28 mask. We are
planning to go with pf with carp and pfsync redundancy.
We are planning to use two systems with 3 nic cards for this. We would like to have
aliases for both the m/c listening to x.y.z/28 all ip
On 12/31/05, ed <[EMAIL PROTECTED]> wrote:
> On Thu, 29 Dec 2005 14:41:38 +0100
> Marcin Miksowski <[EMAIL PROTECTED]> wrote:
>
> > Is there any solution to resolve my problems with carp? If there is
> > necessary to show You more informations on my current confi
On Thu, 29 Dec 2005 14:41:38 +0100
Marcin Miksowski <[EMAIL PROTECTED]> wrote:
> Is there any solution to resolve my problems with carp? If there is
> necessary to show You more informations on my current configuration I
> will do everything what I only can.
From experience CA
r
Ethernet cable. Now they are running OpenBSD 3.8, but earlier I have
setup with 3.7. Systems installations are almost default, with default
kernels.
I have configured 35 carp addresses. They are filtered and redirected
to internal network on firewalls. Both machines have identical pf.conf
and almost
On Thu, Dec 08, 2005 at 11:32:39PM +, ed wrote:
> Hello,
>
> Has anyone written scripts to ensure that preempt fail over fails over
> all the carp interfaces to backup upon one becoming backup, I have found
> often that a single interface will become backup leaving the remaini
Hello,
Has anyone written scripts to ensure that preempt fail over fails over
all the carp interfaces to backup upon one becoming backup, I have found
often that a single interface will become backup leaving the remaining
interfaces as master, which obviously messes things up.
--
Regards, Ed
n-multicast addresses to those physical pfsync interfaces and ensure
that you can pass traffic between the two. Configure pf on both boxes
to NAT traffic out over its external carp'd IP address when it is coming
in on $pfsync_if from $pfsync_net.
This allows your carp backup to still ha
> Traffic shouldn't even be getting OUT on the backup in this situation.
i agree - there is no correct solution without using an ip addr for
each real interface.
would be nice to for example use an external ntp server to sync with,
but unless it uses another route (rather than ip-less carp'd
inte
one small problem with carp and ip-less interfaces..
scenario: you have no ip address bound to each of the real interfaces,
and carp is sharing the one address for you (isp only gives you 1
address).
only the master can craft packets out (assuming this shared carp'ed
address is the ext
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
> ok, now this makes sense, how is the next hop meant to send packets
> back? it sends them to the mac address the carp0 is broadcasting,
> which the master happily accepts, only to see its not in its state
> table, and drops it.
>
> t
'm willing to be you have
> identical VRID/VHID's in there.
Or the VRRP thing is a red herring, and some other configuration
problem is causing the both carp devices to try to become master at the
same time.
Either way, the symptom sounds like two devices both trying to talk with
the same MA
ame,
> the OS is trying to make sense of what it believes to be a CARP
> packet, but really isn't. The CARP packet format is described in src/
> sys/netinet/ip_carp.h. The VRRP packet format is in the RFC (http://
> www.faqs.org/rfcs/rfc2338.html).
It does work, I have this type
Hello,
In my firewall-setup, I use two OpenBSD 3.7 machines, each with two carp
interfaces (outside/inside).
Preemption is enabled in sysctl.conf on both machines, my intention was
that if one interface goes down or to BACKUP, the other one should do so,
too. So on one machine, both interfaces
On Oct 19, 2005, at 6:21 PM, Zack Lawson wrote:
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd:
On 10/19/05, Zack Lawson <[EMAIL PROTECTED]> wrote:
> Hey everyone,
>
> I am having an issue where CARP interfaces on the same network segment
> as VRRP interfaces (on our ISP's routers) are causing the CARP
> interfaces to malfunction.
>
> I also get the follo
u are using.
> i have had a similar problem when mixing different carp interfaces with
> the same vhid on them same switch.
>
> try changing your vhid for something higher (or lower)
>
> Lucas
>
>
>
> Zack Lawson wrote:
>
> >Hey everyone,
> >
>
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd: carp: received len 8 < 36 on carp2
last message