
Re: CARP Problems.



This morning I am able to pass packets from the firewall to hosts on
either side no problem but still cannot pass through it.  I've included
the requested information.  This is just one of the firewalls up and
running (Pearl-02). I didn't do pearl-01 as it's up and running in
production and didn't want to mess with its configuration.

ifconfig -a:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	address: 00:00:24:c2:a1:70
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 216.230.93.173 netmask 0xfffffff0 broadcast 216.230.93.175
	inet6 fe80::200:24ff:fec2:a170%sis0 prefixlen 64 scopeid 0x1
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	address: 00:00:24:c2:a1:71
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 10.10.10.254 netmask 0xffffff00 broadcast 10.10.10.255
	inet6 fe80::200:24ff:fec2:a171%sis1 prefixlen 64 scopeid 0x2
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	address: 00:00:24:c2:a1:72
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	inet6 fe80::200:24ff:fec2:a172%sis2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
	pfsync: syncif: sis2 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
	carp: MASTER vhid 1 advbase 1 advskew 100
	inet 216.230.93.162 netmask 0xfffffff0 
carp1: flags=41<UP,RUNNING> mtu 1500
	carp: MASTER vhid 2 advbase 1 advskew 100
	inet 10.10.10.1 netmask 0xffffff00 
bridge0: flags=41<UP,RUNNING> mtu 1500

netstat -p carp -s:
carp:
	0 packets received (IPv4)
	0 packets received (IPv6)
		0 packets discarded for bad interface
		0 packets shorter than header
		0 discarded for bad checksums
		0 discarded packets with a bad version
		0 discarded because packet too short
		0 discarded for bad authentication
		0 discarded for bad vhid
		0 discarded because of a bad address list
	216 packets sent (IPv4)
	0 packets sent (IPv6)

netstat -p pfsync -s:
pfsync:
	92 packets received (IPv4)
		4 failed state lookup/inserts
	397 packets sent (IPv4)


Let me know if you guys need any other information.
Thanks!
-- Steve

On Mon, 2004-12-13 at 07:33, Allen Pomeroy wrote:
> How about including
> # ifconfig -a
> # netstat -p carp -s
> # netstat -p pfsync -s
> 
> What other troubleshooting have you done?
> AP
> 
> On 13-Dec-04, at 5:26 AM, Steve Mertz wrote:
> 
> > I'm trying to setup redundant firewalls.  What I've done so far is:
> >
> > I got my first firewall (pearl-01) up and running in solo mode, with no
> > carp stuff. Then I got my second firewall (pearl-02) up and running in
> > solo mode, with no carp stuff.
> >
> > Then I changed the configuration for carp and the firewall networking
> > stopped working.  It would no longer pass packets through like it should
> > as a firewall/router, like it did in solo mode.
> >
> > It also cannot pass packets from itself to other hosts on either the lan
> > or wan.
> >
> > I am using two Soekris 4801s for my firewalls, which have 3 network
> > interfaces on them.
> >
> > I've got OpenBSD 3.6 installed on them with all the latest patches.  My
> > kernel is modified by commenting out gre support for use with poptop, a
> > pptp server from ports.
> >
> > My simple network:
> >
> >  Internet
> >     |
> >   Switch
> >   |    |
> > P01----P02
> >   |    |
> >   Switch
> >     |
> >    LAN
> >
> > Pearl-01:
> > sis0 - WAN IP: aaa.aaa.aaa.154  Network: aaa.aaa.aaa.140/28
> > sis1 - LAN IP: 10.10.10.254     Network: 10.10.10.0/8
> > sis2 - PFSYNC IP: 192.168.0.1   Network: 192.168.0.0/16
> >
> > Pearl-02:
> > sis0 - WAN IP: aaa.aaa.aaa.153  Network: aaa.aaa.aaa.140/28
> > sis1 - LAN IP: 10.10.10.253     Network: 10.10.10.0/8
> > sis2 - PFSYNC IP: 192.169.0.2   Network: 192.168.0.0/16
> >
> > carp0 - aaa.aaa.aaa.162
> > carp1 - 10.10.10.1
> >
> > Pearl-01:
> >
> > /etc/hostname.carp0:
> > inet aaa.aaa.aaa.142 255.255.255.240 aaa.aaa.aaa.155 vhid 1 \
> > pass QW3zi46D39df
> >
> > /etc/hostname.carp1:
> > inet 10.10.10.1 255.255.255.0 10.10.10.255 vhid 2 pass QW3zi46D39df
> >
> > /etc/hostname.pfsync0:
> > up syncpeer 192.168.0.2 syncif sis2
> >
> > /etc/hostname.sis0:
> > inet aaa.aaa.aaa.154 255.255.255.240 NONE
> >
> > /etc/hostname.sis1:
> > inet 10.10.10.254 255.255.255.0 NONE
> >
> > /etc/hostname.sis2:
> > inet 192.168.0.1 255.255.255.0 NONE
> >
> > /etc/pf.conf:
> > pass quick on { sis2 } proto pfsync
> > pass quick on { sis0, sis1 } proto carp keep state
> >
> > /etc/sysctl.conf:
> > net.inet.carp.allow=1           # On by default it says, but just in case.
> > net.inet.carp.preempt=1         # Enable natural selection.
> > net.inet.carp.arpbalance=0      # Load Balancing
> > net.inet.carp.log=1             # CARP logging
> > net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
> >
> >
> > Pearl-02:
> >
> > /etc/hostname.carp0:
> > inet aaa.aaa.aaa.142 255.255.255.240 aaa.aaa.aaa.155 vhid 1 \
> > advskew 100 pass QW3zi46D39df
> >
> > /etc/hostname.carp1:
> > inet 10.10.10.1 255.255.255.0 10.10.10.255 vhid 2 advskew 100 \
> > pass QW3zi46D39df
> >
> > /etc/hostname.pfsync0:
> > up syncpeer 192.168.0.1 syncif sis2
> >
> > /etc/hostname.sis0:
> > inet aaa.aaa.aaa.153 255.255.255.240 NONE
> >
> > /etc/hostname.sis1:
> > inet 10.10.10.253 255.255.255.0 NONE
> >
> > /etc/hostname.sis2:
> > inet 192.168.0.2 255.255.255.0 NONE
> >
> > /etc/pf.conf
> > pass quick on { sis2 } proto pfsync
> > pass quick on { sis0, sis1 } proto carp keep state
> >
> > /etc/sysctl.conf:
> > net.inet.carp.allow=1           # On by default it says, but just in case.
> > net.inet.carp.preempt=1         # Enable natural selection.
> > net.inet.carp.arpbalance=0      # Allows both firewalls to have same IPs
> > net.inet.carp.log=1             # CARP logging
> > net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
> >
> >
> > Any help would be appreciated.  Let me know if you need any other info
> > to help me get this issues solved.
> >
> > -- Steve
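Two things stand out in the Pearl-02 output Steve posted above: `netstat -p carp -s` shows 216 CARP packets sent and 0 received, and both carp0 and carp1 report MASTER even though Pearl-02 carries advskew 100 and is meant to be the backup. As an added example (not code from the thread), here is a small Python checker that parses those two outputs and turns that pattern into findings; the sample strings are copied from the posted output with the inet lines trimmed, and the note that CARP advertisements travel as IP protocol 112 to multicast 224.0.0.18 is general CARP knowledge, not something stated in the thread.

```python
import re
# Sample output copied from the Pearl-02 listing in the thread (inet/IPv6 lines trimmed).
IFCONFIG = """\
carp0: flags=41<UP,RUNNING> mtu 1500
\tcarp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=41<UP,RUNNING> mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 100
"""
NETSTAT = """\
carp:
\t0 packets received (IPv4)
\t\t0 discarded for bad authentication
\t\t0 discarded for bad vhid
\t216 packets sent (IPv4)
"""
CARP_RE = re.compile(r"carp: (\w+) vhid (\d+) advbase \d+ advskew (\d+)")

def parse_carp_ifaces(text):
    """Return one dict per carpN interface found in `ifconfig -a` output."""
    ifaces, name = [], None
    for line in text.splitlines():
        if re.match(r"^carp\d+:", line):      # interface header line, e.g. "carp0: flags=..."
            name = line.split(":")[0]
            continue
        m = CARP_RE.search(line)              # indented "carp: STATE vhid N ..." line
        if m and name:
            ifaces.append({"iface": name, "state": m.group(1),
                           "vhid": int(m.group(2)), "advskew": int(m.group(3))})
    return ifaces

def parse_carp_stats(text):
    """Map each `netstat -p carp -s` counter description to its value."""
    pairs = (re.match(r"\s*(\d+) (.+)$", l) for l in text.splitlines())
    return {m.group(2).strip(): int(m.group(1)) for m in pairs if m}

def diagnose(ifaces, stats):
    """Turn the parsed counters and interface states into findings an admin can act on."""
    rx = sum(v for k, v in stats.items() if k.startswith("packets received"))
    tx = sum(v for k, v in stats.items() if k.startswith("packets sent"))
    findings = []
    if tx and not rx:  # CARP is IP proto 112 multicast to 224.0.0.18; nothing arrives from the peer
        findings.append("sent %d CARP packets but received 0: peer advertisements never arrive" % tx)
    for key in ("discarded for bad authentication", "discarded for bad vhid"):
        if stats.get(key):  # a nonzero count here would point at a pass/vhid mismatch instead
            findings.append("%d %s: pass/vhid differ from the peer" % (stats[key], key))
    for i in ifaces:
        if i["state"] == "MASTER" and i["advskew"] > 0 and not rx:
            findings.append("%s (vhid %d, advskew %d) is MASTER yet hears no peer: both nodes "
                            "are probably MASTER" % (i["iface"], i["vhid"], i["advskew"]))
    return findings
```

Run against the posted output it reports the zero-receive condition and flags both carp0 and carp1 as a backup node that has promoted itself, which is what a pf rule or switch path that drops the peer's CARP multicast looks like from the backup's side.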


