FreeBSD 7, pf, carp, pfsync
G'day Mate! I've only discovered this useful forum today: I'm pleased to join you!
My first post is about a weird problem encountered a few days ago... I have two firewalls configured in parallel (connected with a crossover cable) and I use pfsync+carp for failover. So one firewall (A) handles all traffic as MASTER and, if it dies or if some NIC interface goes down, the second firewall (B) takes over automatically. Well... Usually everything works properly, but since a few days ago "B" takes control and "A" becomes backup. "A" cannot return to master until it is rebooted. After a reboot, "A" is the master for a while, then I have the same problem... I identified a problem here: Quote:
Quote:
Meanwhile, in B node: Quote:
This is the only strange thing on DMZ interface... : Quote:
I read somewhere that the result of "pfctl -ss" must give the same result on both nodes: Quote:
Some additional information: Quote:
Quote:
Quote:
Please ask me if you need further information... Thank you all!
If one firewall needs to be able to take over from a failing one, it needs the same states.
Have you tried to increase the logging level? From the carp man page:
Code:
     net.inet.carp.log   Value of 0 disables any logging.  Value of 1 enables
                         logging of bad carp packets.  Values above 1 enable
                         logging state changes of carp interfaces.  Default
                         value is 1.
Code:
     BUGS
     Possibility to view state changes using tcpdump(1) has not been ported
     from OpenBSD yet.
You could ask on the OpenBSD misc list, but you will surely be told to drop FreeBSD and try the latest and greatest OpenBSD. The OpenBSD pf devs usually have no idea which pf version FreeBSD 7.x is using. Have you seen http://www.mail-archive.com/misc@ope.../msg83651.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
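Both the original post ("the result of pfctl -ss must give the same result on both nodes") and the reply above ("it needs the same states") turn on comparing the state tables of the two pfsync peers. The script below is an added example, not code from the thread or from the pf/pfsync projects: it parses two `pfctl -ss` dumps and reports states that exist on only one node, plus states whose status pair differs. The sample dumps, the addresses in them, and the function names are constructed for the example; the parser assumes the usual `pfctl -ss` line layout (interface, protocol, endpoints with a direction arrow, optional NAT address in parentheses, then the state pair) and deliberately ignores the interface column, on the assumption that interface names may differ between the two boxes.

```python
"""Diff the pf state tables of two pfsync peers (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Constructed sample output in the shape of `pfctl -ss` on a FreeBSD pf node.
# Not taken from the thread; made up so the example runs offline.
NODE_A_DUMP = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:40312       ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:53 -> 192.0.2.53:53       MULTIPLE:SINGLE
all tcp 203.0.113.5:443 (10.0.0.5:443) <- 198.51.100.9:51000       ESTABLISHED:ESTABLISHED
"""

NODE_B_DUMP = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:40312       ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:53 -> 192.0.2.53:53       SINGLE:NO_TRAFFIC
"""

# One `pfctl -ss` line: iface proto endpoint [(nat-endpoint)] arrow endpoint [status]
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<left>\S+(?:\s+\([^)]*\))?)\s+"
    r"(?P<arrow><->|->|<-)\s+"
    r"(?P<right>\S+(?:\s+\([^)]*\))?)"
    r"(?:\s+(?P<status>\S+))?\s*$"
)

# A state is identified by protocol, both endpoints and direction; the
# interface column is left out of the key on purpose (see lead-in).
StateKey = Tuple[str, str, str, str]


def parse_states(dump: str) -> Dict[StateKey, str]:
    """Map each state key to its status pair (e.g. 'ESTABLISHED:ESTABLISHED')."""
    states: Dict[StateKey, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if m is None:
            # Fail loudly rather than silently dropping a line we cannot read.
            raise ValueError(f"unrecognised pfctl -ss line: {line!r}")
        key: StateKey = (m["proto"], m["left"], m["arrow"], m["right"])
        states[key] = m["status"] or ""
    return states


def compare_states(dump_a: str, dump_b: str) -> Dict[str, List]:
    """Return states only on A, only on B, and states whose status differs."""
    a = parse_states(dump_a)
    b = parse_states(dump_b)
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "status_mismatch": sorted(
            (k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]
        ),
    }


def report(dump_a: str, dump_b: str) -> str:
    """Human-readable summary; an empty string means the tables agree."""
    diff = compare_states(dump_a, dump_b)
    lines = ["only on A: " + " ".join(k) for k in diff["only_a"]]
    lines += ["only on B: " + " ".join(k) for k in diff["only_b"]]
    lines += [
        f"status differs: {' '.join(k)}  A={sa}  B={sb}"
        for k, sa, sb in diff["status_mismatch"]
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # With real nodes: save `pfctl -ss` from each box to a file and pass the text in.
    print(report(NODE_A_DUMP, NODE_B_DUMP) or "state tables match")
```

A state present on only one node after a flush-free interval is the stronger signal, since pfsync should have carried it across; a status-pair mismatch on a live UDP or TCP state can simply be update lag and is worth re-checking a few seconds later before treating it as a sync failure.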
Ehm... where does carp write logs?!
Thank you J65nko, I'll try to ask on various pf lists too...
Update...
It's a strange day today... Yesterday I swapped the nodes' states, so now the master is the old backup. And it works fine... The new backup (the node that gave me problems) seems to be OK... but... The last rule of my pf ruleset is for load balancing between external connections... Quote:
Quote:
After a flush it becomes normal: Quote: