[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CARP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 15 Dec 2004 07:33:51 -0500
Jason Dixon <[email protected]> wrote:
> > Sorry for this lengthy reply, I hope you all can forgive me for
> > this, but as I am but a beginner with PF/CARP I hope we can avoid
> > hostility.
> >
> > I have two boxes, with similar configs, on IP addresses 10.10.1.131
> > and 10.10.1.134, both /16.
> [snip]
> 
> What is working and what isn't?  What is the output of "ifconfig -a"
> on each box?
Basically I do not know what I had done wrong in my PF. I ventured a
different approach, so I added a third interface to each box, giving me
a cross over for pfsync to run on, so I then had lo0, xl0, fxp0, and
sis0/dc0 interfaces, so to save getting things wrong, i used the
following rule for all interfaces:
pass in quick on interface all keep state
pass out quick on interface all keep state
Woah and behold, things began to look promising as I was able to ping
various devices.
After one day of head scratching and things not routing well I noticed
some odd ARP packets, a few hours later I realised that I had connected
the cross over cable between the wrong interfaces, then wow! Things
actually started to work, all except of course the mirroring of state
table. Pfsync was not running:
ifconfig pfsync0 up
Things are nearly fully functional for me now, however, I don't seem to
have perfect throughput when a box is shot in the head, sometimes things
work OK for the client, and some times they don't and connections either
lag to the point of timeout, or just drop and cant get re-established.
Sorry if I sound like a "Loinux whiny", I'm almost there, just need a
few more pointers. 
1) If I reduce advskew to something like 10 on machine A and 12 on
machine b, would that increase the stability of the firewalls?
2) Why does it seem that when the master returns from me issuing a
reboot does the connection for the client appear to get shaky again?
- -- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBwghdjtZArFPJ/GwRAu2LAJ9JhfN5KyDkitwcG4LYRFyNMsTTwQCbBE7I
fNYABQeZXtQJyfnZiGVNXTg=
=rJfZ
-----END PGP SIGNATURE-----