
Re: pf/carp for redundant production use



Hi everyone,

Firewall 1 troubleshooting info can be found at
http://restricted.dyndns.org/pffw1.txt


Firewall 2 @ http://restricted.dyndns.org/pffw2.txt

The links include:
1. ifconfig output pre/post cable removal
2. pfctl -s state pre/post cable removal
3. pf.conf configs of both firewalls


Please let me know what you find.

Thanks in advance,

Neil


Matt Rowley writes:



> > I got pf and carp working together. However, I have noticed that
> > TCP-oriented applications don't recover well when I disconnect a
> > cable. I set up a netcat listener on a machine inside the network.
> > Then I ran netcat from another machine outside the network. I was
> > able to connect and was able to send some characters. However, when I
> > disconnected the primary firewall's external interface, netcat wouldn't
> > work anymore until I ran netcat again to connect to the shared
> > external IP address. Am I missing any configuration? It looks like it's
> > related to pf state tables not being sent to the backup firewall.
>
> Show your entire pf.conf. Let's see some troubleshooting commands. Run ifconfig before and after pulling the cable, etc.
>
> pfctl -s state on the carp slave would also be helpful, to see if pfsync is getting through.
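One concrete way to answer Matt's pfsync question is to diff the two state tables: every state the master holds but the backup lacks is one that never arrived over pfsync, and a TCP session in that set is exactly what dies on failover. The script below is an added example, not code from this thread; the `pfctl -s state` lines in it are constructed and simplified, and the column layout it assumes (interface first, connection state last) should be checked against the real dumps.

```sh
#!/bin/sh
# Compare `pfctl -s state` dumps from the CARP master and the backup and
# report master states that have no counterpart on the backup.
# Sample dumps are constructed for this example; real ones come from
# running `pfctl -s state` on each firewall before pulling the cable.

MASTER=$(mktemp); SLAVE=$(mktemp)
trap 'rm -f "$MASTER" "$SLAVE"' EXIT

# Constructed sample: states on the master just before the cable was pulled.
cat > "$MASTER" <<'EOF'
all tcp 192.168.1.10:22 <- 10.0.0.5:51234       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.2:51234 (10.0.0.5:51234) -> 198.51.100.7:9000       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:53 <- 10.0.0.5:40000       MULTIPLE:SINGLE
EOF

# Constructed sample: the backup never received the netcat (port 9000) state.
cat > "$SLAVE" <<'EOF'
all tcp 192.168.1.10:22 <- 10.0.0.5:51234       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:53 <- 10.0.0.5:40000       MULTIPLE:SINGLE
EOF

# Reduce each line to "proto endpoints": drop the interface column (field 1)
# and the connection-state column (last field), which may legitimately differ
# between the two hosts, then sort uniquely so comm(1) can compare the sets.
state_keys() {
    awk '{ $1 = ""; $NF = ""; sub(/^ +/, ""); sub(/ +$/, ""); print }' "$1" | sort -u
}

# Print every master state (proto + endpoints) absent from the backup.
# Usage: missing_states <master-dump> <backup-dump>
missing_states() {
    mk=$(mktemp); sk=$(mktemp)
    state_keys "$1" > "$mk"
    state_keys "$2" > "$sk"
    comm -23 "$mk" "$sk"
    rm -f "$mk" "$sk"
}

echo "States on the master that pfsync did not deliver to the backup:"
missing_states "$MASTER" "$SLAVE"
```

An empty result with the cable still attached means pfsync is working and the failover problem lies elsewhere; a non-empty one points at the pfsync interface, its rules, or the sync path itself.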