From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Mon, 5 Jun 2006 23:10:01 -0500
Subject: Re: pfsync after reboot does not synchronize
Message-ID: <20060606041001.GA4870@verio.net>
References: <20060605234031.GA4787@verio.net>

Kian Mohageri wrote:
>
> > Why does pfsync synchronize the state tables when I use the
> > "ifconfig syncdev" trick to force a bulk update, yet it does
> > not do this when the system is booting up?
>
> What does your rc.conf look like?

    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"
    pflog_enable="YES"
    pfsync_enable="YES"
    pfsync_syncdev="fxp0"
    defaultrouter="192.168.40.254"
    cloned_interfaces="carp0 carp1"
    ifconfig_dc0="inet 192.168.40.231 netmask 255.255.255.224"
    ifconfig_dc1="inet 172.16.30.2 netmask 255.255.255.0"
    ifconfig_fxp0="up"
    ifconfig_carp0="inet 192.168.40.230 netmask 255.255.255.224 vhid 230"
    ifconfig_carp1="inet 172.16.30.1 netmask 255.255.255.0 vhid 11"

As you can see, no IP is put on the sync interface; it is merely
configured up.  Auto-negotiation succeeds on both ends of the cross
cable:

    media: Ethernet autoselect (100baseTX )

> > Why does pfsync keep repeating the bulk update request and then give
> > up?  What message is not getting through?
>
> Are you running the same versions of everything on all nodes?
> Different versions of pfsync can sometimes not keep state with
> each other (3.8 -> 3.9 comes to mind).

Both are FreeBSD 6.0-RELEASE cloned from the same disk.

> > set skip on pfsync0
> >
> > pass quick on fxp0 proto pfsync   # $pfsync_syncdev
>
> Won't fix your problem, but if you 'set skip' on that interface, you
> don't need to 'pass quick' as filtering isn't applied.

Note that the "set skip" is on the pfsync0 pseudo interface, while the
"pass quick" is on the actual fxp0 interface.

Is there a protocol other than pfsync that should be permitted on that
interface?  I didn't expect I'd see any other protocol there, so I
didn't bother to allow anything else.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous.  -- Robert Benchley
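
The message distinguishes the pfsync0 pseudo-interface from the physical sync interface named in pfsync_syncdev. The following is an added example, not part of the original message or of FreeBSD: a small consistency check over rc.conf and pf.conf text. The function names, the sample strings and the simplified rule parsing (no macro or { } list expansion) are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample input: the relevant settings quoted in the message above.
RC_CONF = '''pfsync_enable="YES"
pfsync_syncdev="fxp0"
ifconfig_fxp0="up"
'''
PF_CONF = '''set skip on pfsync0
pass quick on fxp0 proto pfsync  # $pfsync_syncdev
'''

def parse_rc_conf(text):
    """Return rc.conf NAME="value" assignments as a dict (later lines win)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)=(.*)$', line)
        if m:
            toks = shlex.split(m.group(2), comments=True)
            conf[m.group(1)] = toks[0] if toks else ""
    return conf

def has_pair(tokens, first, second):
    """True if `first second` appear as adjacent tokens in a rule."""
    return any(tokens[i:i + 2] == [first, second] for i in range(len(tokens)))

def check_pfsync(rc_text, pf_text):
    """Return findings; an empty list means rc.conf and pf.conf line up.
    Simplification: pf macros and { } interface lists are not expanded."""
    rc = parse_rc_conf(rc_text)
    findings = []
    if rc.get("pfsync_enable", "NO").upper() != "YES":
        findings.append("pfsync_enable is not YES")
    dev = rc.get("pfsync_syncdev", "")
    if not dev:
        return findings + ["pfsync_syncdev is not set"]
    if "ifconfig_" + dev not in rc:
        findings.append(f"no ifconfig_{dev} entry brings the sync interface up")
    rules = [l.split("#", 1)[0].split() for l in pf_text.splitlines()]
    skipped = any(r[:3] == ["set", "skip", "on"] and dev in r[3:] for r in rules)
    passed = any(r[:1] == ["pass"] and has_pair(r, "on", dev)
                 and has_pair(r, "proto", "pfsync") for r in rules)
    if not (skipped or passed):
        findings.append(f"no rule passes proto pfsync on {dev}; "
                        "'set skip on pfsync0' does not cover it")
    return findings

if __name__ == "__main__":
    print(check_pfsync(RC_CONF, PF_CONF) or "sync interface config is consistent")
```

An empty result only shows that the sync interface is configured and that pfsync traffic is permitted on it; it says nothing about whether the bulk update at boot succeeds.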