Date: Thu, 18 Oct 2007 14:32:13 +0200
From: Milan Obuch <freebsd-net@dino.sk>
To: freebsd-net@freebsd.org
Subject: Re: packet loss with carp on 6.2
Message-ID: <200710181432.14461.freebsd-net@dino.sk>
In-Reply-To: <200710181250.26291.max@love2party.net>
References: <2385.62.242.232.132.1192696439.squirrel@www.enableit.dk> <3981.62.242.232.132.1192703560.squirrel@www.enableit.dk> <200710181250.26291.max@love2party.net>

On Thursday 18 October 2007 12:50:19 Max Laier wrote:
> On Thursday 18 October 2007, Klavs Klavsen wrote:
> > I tried to just disable carp on the new machine (simply comment out
> > carp config from /etc/rc.conf.local) and now the packet loss is gone -
> > and hasn't been there for half an hour, so far.
>
> I supposed you also had to change your firewall rules?  Otherwise your
> ruleset might not be ready to deal with carp and that could be the reason
> why you get the bad results?  Start debugging by looking at "netstat -ssp
> carp" on either machine and take a careful look at your pf.conf.  I also
> suggest that you add "log" to all your block rules and watch tcpdump on
> pflog0 while pinging.
>
> > Seems the carp network interfaces have bugs.
>
> That's a pretty bold assertion given the limited debugging you have
> done ;)
>

I am experiencing something similar. I am trying to put together two PC
firewalls with failover. My rc.conf has the following lines:

cloned_interfaces="carp0 vlan1 carp1"
ifconfig_rl0="172.16.194.67/29"
ifconfig_carp0="172.16.194.66/29 vhid 1 pass pass1"
ifconfig_rl1="192.168.0.1/30"
ifconfig_fxp0="up"
ifconfig_vlan1="10.0.0.61/26 vlan 1 vlandev fxp0 name fxp0.1"
ifconfig_carp1="10.0.0.1/26 vhid 2 pass pass2"
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="rl1"
pfsync_syncpeer="192.168.0.2"

In my yet rudimentary pf.conf I do not block anything; all I have there is

ext_if="rl0"
syn_if="rl1"
int_if="fxp0.1"
internal_net="192.168.0.0/16"
external_addr="172.16.194.66"
nat on $ext_if from $internal_net to any -> $external_addr
pass in all
pass out all
pass quick on { $syn_if } proto pfsync
pass quick on { $ext_if $int_if } proto carp keep state

The last two lines could be left out for now; they are just preparation
and have no effect, I think. (I adopted them from some man page.)

In this scenario, pinging 10.0.0.12 from outside gives me packet loss,
whereas deleting carp1 and assigning 10.0.0.1 to fxp0.1 gives me no packet
loss. Host 10.0.0.12 has 10.0.0.1 as its gateway.

Do you have any idea where the culprit is? I do not think this should have
anything to do with the firewall settings in my case...

Regards
Milan

--
No need to mail me directly. Just reply to the mailing list, please.
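
Added example, not part of the original message or of any FreeBSD tool: a small sh helper for the pf.conf review suggested in the quoted advice, listing block rules that lack "log" and checking for explicit pass rules for proto carp and proto pfsync. The function names and the sample ruleset are constructed for illustration, and the matching is plain text only (macros, tables and anchors are not expanded).

```shell
# Added example: static pf.conf review; names and sample rules are constructed.

# Print "lineno: rule" for every block rule that has no "log" keyword;
# such drops never reach pflog0, so tcpdump on pflog0 cannot show them.
unlogged_blocks() {
    awk '
        { sub(/#.*/, "") }
        $1 == "block" {
            logged = 0
            for (i = 2; i <= NF; i++)
                if ($i == "log" || $i ~ /^log\(/) logged = 1
            if (!logged) printf "%d: %s\n", NR, $0
        }' "$1"
}

# Succeed if a pass rule names the protocol, alone or in a { } list.
# A pass rule without "proto" (e.g. "pass in all") is not counted here.
passes_proto() {
    awk -v want="$2" '
        { sub(/#.*/, ""); gsub(/[{}]/, " & "); gsub(/,/, " ") }
        $1 == "pass" {
            for (i = 2; i < NF; i++) {
                if ($i != "proto") continue
                if ($(i + 1) == want) found = 1
                if ($(i + 1) == "{")
                    for (j = i + 2; j <= NF && $j != "}"; j++)
                        if ($j == want) found = 1
            }
        }
        END { exit !found }' "$1"
}

# Constructed sample ruleset: one unlogged block rule, carp passed, pfsync not.
sample_ruleset() {
    cat <<'EOF'
block in log on $ext_if
block in on $int_if from any to 10.0.0.1   # drop is invisible on pflog0
pass quick on { $ext_if $int_if } proto carp keep state
EOF
}

review() {
    unlogged_blocks "$1" | sed 's/^/block rule without log, line /'
    for p in carp pfsync; do
        passes_proto "$1" "$p" || echo "no explicit pass rule for proto $p"
    done
}

tmp=$(mktemp) && sample_ruleset > "$tmp" && review "$tmp"; rm -f "$tmp"
```

Point `review` at a copy of the real ruleset (for example `review /etc/pf.conf`) before watching pflog0, so that every block rule that can drop CARP or test traffic is actually logged.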