From owner-freebsd-pf@FreeBSD.ORG Mon Feb 14 11:07:09 2011
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 14 Feb 2011 11:07:09 GMT
Message-Id: <201102141107.p1EB79uh077253@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 15 18:50:51 2011
From: "kevin"
To: freebsd-pf@freebsd.org
Date: Tue, 15 Feb 2011 13:27:22 -0500
Message-ID: <00a401cbcd3d$fe313d10$fa93b730$@com>
Subject: Questions about PF + Multiple gateways + CARP on a public ip network

Hello,

I have a generally simplistic question about a potential scenario for a FreeBSD PF with multiple gateways/routes.

The backend network would not consist of local or private ip addresses - every device will have a public IP. There will be about 7 public subnets that will be handled by the freebsd PF gateway.

What would be the ideal configuration for this scenario? Would I need to configure all 7 subnets as persistent routes in rc.conf, and then have a nat directive in pf for each subnet as well? I realize this question is simplistic in nature, but I have only used pf in a public -> private network scenario.

My concerns are just maintaining this moving forward. As I grow and add more public subnets, I want to keep managing and maintaining the configuration easy, if possible.

So in rc.conf:

  static_routes="net1 net2 net3 net4 net5 net6 net7"
  route_net1="-net b.b.b.b/a.a.a.a.a"
  route_net2="-net c.c.c.c/a.a.a.a.a"
  route_net3="-net d.d.d.d/a.a.a.a.a"
  route_net4="-net e.e.e.e/a.a.a.a.a"
  route_net5="-net f.f.f.f/a.a.a.a.a"
  route_net6="-net g.g.g.g/a.a.a.a.a"
  route_net7="-net h.h.h.h/a.a.a.a.a"

"a.a.a.a" would be the gateway for one of the 7 subnets. Each subnet should have its own gateway that this freebsd router can route to from inside > outside. Should the freebsd gateway have a gateway ip for each subnet itself?

Taking my scenario at face value - what would be the best way to configure the PF / Gateway? Keeping in mind that all ips are going to be public ips.

If more information is required, please let me know. This is FreeBSD 8.0-RELEASE i386.

Thanks!
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 16 13:45:15 2011
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Date: Wed, 16 Feb 2011 14:45:10 +0100
Message-ID: <4D5BD4E6.90605@my.gd>
In-Reply-To: <00a401cbcd3d$fe313d10$fa93b730$@com>
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network

On 2/15/11 7:27 PM, kevin wrote:
> I have a generally simplistic question about a potential scenario for a
> FreeBSD PF with multiple gateways/routes.
>
> The backend network would not consist of local or private ip addresses -
> every device will have a public IP. There will be about 7 public subnets
> that will be handled by the freebsd PF gateway.
>

We've had to address a pretty similar problematic not very long ago.

Let's say:
Your PF box has a default gateway Z.Z.Z.Z
Your PF box receives a packet from IP X.X.X.X on IP A.A.A.254 for network A.A.A.A/P and routes it.
Your PF box receives the answer from the A.A.A.A/P network, and routes the packet *through its default gateway* Z.Z.Z.Z

The question is, do you have multiple upstream interconnections?
If you received the packet from another router than Z.Z.Z.Z, you'll still be routing it back through Z.Z.Z.Z => asymmetric routing => BAD

Instead of:
EXTERNAL <===> PF <===> DESTINATION

You'd be looking at:
EXTERNAL ====> PF ====> DESTINATION ====> PF ====> DEFAULTGW ====> EXTERNAL

To work around this problem, we use "reply-to" rules here. Then depending on what interface the packet arrived on, we route it back through the correct gateway.

The problem with this is as your number of interconnections increases, you have a harder time managing your pf conf. You basically have a duplicate rule for each interconnection, with just the reply-to parameters changing.

If you have only 1 upstream interconnection, this won't be a problem for you.

I'm not sure there is another approach but if there is, I haven't seen it yet -.-

> What would be the ideal configuration for this scenario? Would I need to
> configure all 7 subnets as persistent routes in rc.conf, and then have a nat
> directive in pf for each subnet as well? I realize this question is
> simplistic in nature, but I have only used pf in a public -> private network
> scenario.
>

Wait do you want to route or to NAT?

If you NAT, be aware that your clients on the public networks you serve will only ever see requests coming from *your PF*'s IPs.
I'm pretty sure this is not what you want.

> My concerns are just maintaining this moving forward. As I grow and add more
> public subnets, I want to keep managing and maintaining the configuration
> easy, if possible.
>
> So in rc.conf:
>
> static_routes="net1 net2 net3 net4 net5 net6 net7"
> route_net1="-net b.b.b.b/a.a.a.a.a"
> route_net2="-net c.c.c.c/a.a.a.a.a"
> route_net3="-net d.d.d.d/a.a.a.a.a"
> route_net4="-net e.e.e.e/a.a.a.a.a"
> route_net5="-net f.f.f.f/a.a.a.a.a"
> route_net6="-net g.g.g.g/a.a.a.a.a"
> route_net7="-net h.h.h.h/a.a.a.a.a"
>
> "a.a.a.a" would be the gateway for one of the 7 subnets. Each subnet should
> have its own gateway that this freebsd router can route to from inside >
> outside. Should the freebsd gateway have a gateway ip for each subnet
> itself?
>
> Taking my scenario at face value - what would be the best way to configure the
> PF / Gateway? Keeping in mind that all ips are going to be public ips.
>

I think it all depends on whether you have multiple upstream connections or not, as I pointed out above.

If you don't, that would be the simplest way indeed.
If you do, I can see the asymmetric routing problem rearing its head...

> If more information is required, please let me know. This is FreeBSD
> 8.0-RELEASE i386.
>
> Thanks!
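An added example, not code from Damien's or kevin's mail: a small Python script that emits one pf.conf "pass in" rule per upstream interconnection with the matching reply-to parameters (the duplicated-rule pattern described above), checks that each reply-to gateway actually sits on the link it is named with, and models which interface a reply leaves on with and without reply-to. Interface names (igb0, igb1), link networks and gateway addresses are constructed placeholders from the RFC 5737 documentation ranges; the rule syntax follows pf.conf(5).

```python
# Added example (not from the thread): generate per-upstream reply-to rules for pf.conf
# and show why, without them, every reply leaves via the default gateway.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Upstream:
    """One upstream interconnection: the interface it sits on, the link's network
    and the upstream router on that link (Damien's Z.Z.Z.Z for the default one)."""
    iface: str
    network: str   # CIDR of the interconnection link
    gateway: str   # router on that link that handed us the packet


# Constructed sample topology (documentation ranges, not real addresses).
DEFAULT_IFACE = "igb0"
UPSTREAMS = (
    Upstream("igb0", "203.0.113.0/29", "203.0.113.1"),    # default gateway side
    Upstream("igb1", "198.51.100.0/29", "198.51.100.1"),  # second interconnection
)
SERVED_NETS = ("192.0.2.0/25", "192.0.2.128/25")  # public subnets behind the PF box


def gateway_on_link(up):
    """reply-to only works if the gateway is directly reachable on the named link."""
    return ip_address(up.gateway) in ip_network(up.network)


def reply_to_rules(upstreams=UPSTREAMS, served_nets=SERVED_NETS):
    """Emit the macro for the served networks plus one 'pass in' rule per upstream.
    Only the interface and the reply-to parameters differ between the rules."""
    for up in upstreams:
        if not gateway_on_link(up):
            raise ValueError(f"{up.gateway} is not inside {up.network} on {up.iface}")
    lines = ['served_nets = "{ ' + ", ".join(served_nets) + ' }"']
    for up in upstreams:
        lines.append(
            f"pass in quick on {up.iface} reply-to ({up.iface} {up.gateway}) "
            f"inet from any to $served_nets keep state"
        )
    return lines


def reply_iface(arrival_iface, use_reply_to, default_iface=DEFAULT_IFACE):
    """Interface the reply leaves on: plain routing always picks the default
    gateway, reply-to pins the reply to the interface the request came in on."""
    return arrival_iface if use_reply_to else default_iface


def is_symmetric(arrival_iface, use_reply_to):
    """True when the reply goes back out the same interconnection it arrived on."""
    return reply_iface(arrival_iface, use_reply_to) == arrival_iface


if __name__ == "__main__":
    print("\n".join(reply_to_rules()))
    for iface in ("igb0", "igb1"):
        print(iface, "symmetric without reply-to:", is_symmetric(iface, False),
              "with reply-to:", is_symmetric(iface, True))
```

Keeping the upstream table in one place and generating the rules from it is what makes the "one duplicate rule per interconnection" approach manageable as the number of links grows; the on-link check catches the most common misconfiguration, a reply-to gateway that is not directly reachable from the interface named in the rule.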
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 16 16:02:11 2011
From: "kevin"
To: 'Damien Fleuriot', freebsd-pf@freebsd.org
Date: Wed, 16 Feb 2011 11:01:53 -0500
Message-ID: <00cf01cbcdf2$d54f6100$7fee2300$@com>
In-Reply-To: <4D5BD4E6.90605@my.gd>
Subject: RE: Questions about PF + Multiple gateways + CARP on a public ip network

> If you have only 1 upstream interconnection, this won't be a problem for
> you.

These boxes are in a colocation facility, in a data center. There are multiple upstream providers, but I am using the data center's default gateways for each allocated subnet. So I imagine the routing to the multiple upstreams would be done after being routed via their gateway.

> Wait do you want to route or to NAT ?

I want to route. I don't want to nat. My mistake for misleading. Each device behind this firewall is a dedicated server in a data center. They need to transparently maintain connectivity to the outside world and from the outside world.

> I think it all depends on whether you have multiple upstream connections
> or not, as I pointed out above.

I suppose I would have to confirm this with my data center's networking department. I would imagine that it would be standard practice for them to handle the multiple upstreams themselves.

To give you a little background, I am currently utilizing two transparent bridging firewalls at the moment. Unfortunately one of the firewalls will completely lock up with no console messages if they both are on. The idea is to employ carp + pf to maintain some sort of automated failover mechanism instead of a cold standby.

At the same time I don't want to change the architecture of my internal network more than perhaps modifying the default gateways configured on each device.
Your help is appreciated,

Kevin

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 16 16:10:42 2011
From: Damien Fleuriot
To: kevin
Cc: freebsd-pf@freebsd.org
Date: Wed, 16 Feb 2011 17:10:38 +0100
Message-ID: <4D5BF6FE.8090704@my.gd>
In-Reply-To: <00cf01cbcdf2$d54f6100$7fee2300$@com>
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network

On 2/16/11 5:01 PM, kevin wrote:
>> If you have only 1 upstream interconnection, this won't be a problem for
>> you.
>
> These boxes are in a colocation facility, in a data center. There are
> multiple upstream providers, but I am using the data center's default
> gateways for each allocated subnet. So I imagine the routing to the multiple
> upstreams would be done after being routed via their gateway.
>

If you only have one gateway, then you have nothing to worry about for this part.

>> Wait do you want to route or to NAT ?
>
> I want to route. I don't want to nat. My mistake for misleading. Each device
> behind this firewall is a dedicated server in a data center. They need to
> transparently maintain connectivity to the outside world and from the
> outside world.
>

Then your static routes should work just fine, really.
Alternatively you can use PF's route-to option in your pass rules, but that would likely be harder to maintain (just like our reply-to rules are).

>> I think it all depends on whether you have multiple upstream connections
>> or not, as I pointed out above.
>
> I suppose I would have to confirm this with my data center's networking
> department. I would imagine that it would be standard practice for them to
> handle the multiple upstreams themselves.
>

Again if you only have a single gateway from the datacenter guys, nothing to worry about for you.

> To give you a little background, I am currently utilizing two transparent
> bridging firewalls at the moment. Unfortunately one of the firewalls will
> completely lock up with no console messages if they both are on. The idea is
> to employ carp + pf to maintain some sort of automated failover mechanism
> instead of a cold standby.
>

If you expect a lot of traffic, I recommend you do NOT use pfsync to synchronize existing sessions on the backup firewall.
Of course the side effect will be that should the master fail, all the active connections will be dropped and will have to be established again on the standby firewall.
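An added example, not code from this thread, for the pfsync and state-count discussion in the messages above and the `pfctl -si` / `vmstat -i` output Damien posts later in this archive: a Python script that parses the state-table and counter rows of `pfctl -si` and the per-queue rows of `vmstat -i`, sums a NIC's interrupt rate across its queues, and raises an alert when the state table is close to its limit or pf has already started refusing states. The two sample outputs are constructed, trimmed copies in those formats; the 10000 state limit is pf's default for `set limit states` in pf.conf(5) and is assumed to be unchanged.

```python
# Added example (not from the thread): turn `pfctl -si` and `vmstat -i` output into
# the few numbers a CARP/pfsync pair should be watched on.
import re

# Constructed sample in the `pfctl -si` layout (values modelled on the thread's output).
PFCTL_SI = """\
Status: Enabled for 7 days 18:43:34           Debug: Urgent

Interface Stats for igb3              IPv4             IPv6
  Bytes In                    1585211309166                0
  Bytes Out                   2044715081803                0

State Table                          Total             Rate
  current entries                    37627
  searches                     25108284353        37351.6/s
  inserts                       2157108574         3209.0/s
  removals                      2157070947         3208.9/s
Counters
  match                         2175657232         3236.6/s
  memory                                 0            0.0/s
  state-mismatch                    340029            0.5/s
  state-limit                            0            0.0/s
"""

# Constructed sample in the `vmstat -i` layout, one multi-queue NIC plus other sources.
VMSTAT_I = """\
interrupt                          total       rate
irq16: mpt0                       320899          0
cpu0: timer                   1330310985       1979
irq258: igb0:que 0                829898          1
irq259: igb0:que 1                  3255          0
irq263: igb1:que 0            2676083520       3981
irq264: igb1:que 1            2676853656       3982
irq265: igb1:que 2            2682493388       3990
irq266: igb1:que 3            2688637571       3999
irq267: igb1:link                      2          0
Total                        26659762294      39659
"""

# "name  total [rate/s]" rows; the interface rows carry two plain integer columns
# and no "/s", so this pattern leaves them alone.
_STAT_ROW = re.compile(r"^\s*([a-z][a-z -]*[a-z])\s+(\d+)(?:\s+(\d+(?:\.\d+)?)/s)?\s*$")
# vmstat -i rows: a source name that may contain spaces, then total and rate columns.
_IRQ_ROW = re.compile(r"^(\S.*?\S)\s+(\d+)\s+(\d+)\s*$")

# pf's default for "set limit states" (pf.conf(5)); assumed not raised on this box.
DEFAULT_STATE_LIMIT = 10000


def parse_pfctl_si(text):
    """Return {row name: (total, rate or None)} for the State Table and Counters rows."""
    stats, section = {}, None
    for line in text.splitlines():
        if line.startswith("State Table"):
            section = "state"
        elif line.startswith("Counters"):
            section = "counters"
        elif line.startswith("Interface Stats"):
            section = None
        elif section:
            m = _STAT_ROW.match(line)
            if m:
                name, total, rate = m.groups()
                stats[name] = (int(total), float(rate) if rate else None)
    return stats


def parse_vmstat_i(text):
    """Return {interrupt source: rate per second}, without the Total line."""
    rates = {}
    for line in text.splitlines():
        m = _IRQ_ROW.match(line)
        if m and m.group(1) != "Total":
            rates[m.group(1)] = int(m.group(3))
    return rates


def nic_interrupt_rate(rates, nic):
    """Sum the interrupt rate over all queues of one NIC, e.g. "igb1"."""
    return sum(rate for name, rate in rates.items() if f" {nic}:" in name)


def state_alerts(stats, state_limit=DEFAULT_STATE_LIMIT, warn_ratio=0.8):
    """Conditions worth paging on: the table nearing its limit, or the memory /
    state-limit counters showing that pf has already refused new states."""
    alerts = []
    current = stats.get("current entries", (0, None))[0]
    if current >= warn_ratio * state_limit:
        alerts.append(f"state table at {current}/{state_limit} ({100 * current // state_limit}%)")
    for counter in ("memory", "state-limit"):
        total = stats.get(counter, (0, None))[0]
        if total:
            alerts.append(f"{counter} counter is {total}: pf has been dropping new states")
    return alerts


if __name__ == "__main__":
    stats = parse_pfctl_si(PFCTL_SI)
    print("states:", stats["current entries"][0], "inserts/s:", stats["inserts"][1])
    print("igb1 interrupts/s:", nic_interrupt_rate(parse_vmstat_i(VMSTAT_I), "igb1"))
    print("alerts:", state_alerts(stats, state_limit=100000))
```

The "current entries" figure against the configured limit is the number that answers "how much is too much" for a given box, and the memory and state-limit counters are the first sign that new connections are being dropped rather than synced; the per-NIC interrupt sum is the quickest way to see what disabling pfsync, or enabling multiqueue, did to interrupt load.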
> At the same time I don't want to change the architecture of my internal
> network more than perhaps modifying the default gateways configured on each
> device.
>
> Your help is appreciated,
>
> Kevin

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 16 20:59:29 2011
From: "kevin"
To: 'Damien Fleuriot'
Cc: freebsd-pf@freebsd.org
Date: Wed, 16 Feb 2011 15:59:11 -0500
Message-ID: <017801cbce1c$5d99fc90$18cdf5b0$@com>
In-Reply-To: <4D5BF6FE.8090704@my.gd>
Subject: RE: Questions about PF + Multiple gateways + CARP on a public ip network

> If you only have one gateway, then you have nothing to worry about for
> this part.

They provide a gateway address for each subnet they allocate to me -- which probably is assigned to the same device for them, but I would need to establish these rules in my freebsd firewall, correct?

> If you expect a lot of traffic, I recommend you do NOT use pfsync to
> synchronize existing sessions on the backup firewall.

Why not? Is this a generally accepted practice not to use pfsync because of this? How much traffic is too much? The firewalls should average about 5,000 - 10,000 states on any given day, afaik.

I'm more worried about failover than I am about states being kept, but it would be nice to utilize pfsync if it wouldn't be too risky.

Thanks,

Kevin

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 17 02:07:19 2011
From: Damien Fleuriot
To: kevin
Cc: freebsd-pf@freebsd.org
Date: Thu, 17 Feb 2011 03:06:56 +0100
Message-Id: <4B65A291-893E-4B5D-BE2F-E4A72A85C733@my.gd>
In-Reply-To: <017801cbce1c$5d99fc90$18cdf5b0$@com>
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network

On 16 Feb 2011, at 21:59, "kevin" wrote:
>> If you only have one gateway, then you have nothing to worry about for
>> this part.
>
> They provide a gateway address for each subnet they allocate to me -- which
> probably is assigned to the same device for them, but I would need to
> establish these rules in my freebsd firewall, correct?
>

Then you have different paths for inbound traffic right?

This means you'll want to reply to any given packet via the same path it originally took, which was not necessarily your default gateway.

So, IMO, this implies the use of source routing, impersonated by pf's reply-to option rules.

>> If you expect a lot of traffic, I recommend you do NOT use pfsync to
>> synchronize existing sessions on the backup firewall.
>
> Why not? Is this a generally accepted practice not to use pfsync because of
> this? How much traffic is too much? The firewalls should average about 5,000
> - 10,000 states on any given day, afaik.
>

We had to disable pfsync here because it actually hogged way too many resources.
We're talking 100k+ states here with ~5k http requests per sec.

> I'm more worried about failover than I am about states being kept, but it
> would be nice to utilize pfsync if it wouldn't be too risky.

You will be fine, 5-10k states isn't much.

Now I have absolutely no idea what kind of hardware you have, but this really isn't much.

We let go of pfsync only a few weeks ago and mostly as a precautionary measure with over 60k states at any given time.

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 17 16:58:47 2011
From: Damien Fleuriot
To: Jack Vogel
Cc: Sergey Lobanov, freebsd-stable@freebsd.org, Jeremy Chadwick, freebsd-pf@freebsd.org
Date: Thu, 17 Feb 2011 17:58:42 +0100
Message-ID: <4D5D53C2.3010707@my.gd>
In-Reply-To: <4D429A9F.8040307@my.gd>
Subject: Re: High interrupt rate on a PF box + performance
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Feb 2011 16:58:47 -0000 On 1/28/11 11:29 AM, Damien Fleuriot wrote: > On 1/27/11 10:44 PM, Jack Vogel wrote: >> >> The 8.X kernel is NOT single-threaded. Anything but. And the stack has >> also been improved, I believe there are still bottlenecks but its far better >> than the old days. >> >> The igb driver in 8.2 creates up to 8 queues on the right hardware, they >> are each auto-bound to a particular CPU. >> >> The older version you are running had issues and hence multiqueue was >> not enabled. So, do upgrade once 8.2 is finalized :) >> >> Cheers, >> >> Jack >> > > Going to push for us to install 8.2 as soon as the release hits, thanks > for your feedback Jack :) Hello guys, list, This is a quick headsup regarding this issue. We have now swapped our PF firewalls to active-active and observed, as one would expect, approx. 50% drop of traffic, seeing it's now balanced between 2 machines :) We have also disabled pfsync (which also resulted in a massive drop of interrupts). One of the hosts is running 8.2-PRERELEASE , and this is the one for which I'm providing stats now. 
For completeness, also find the graphs: http://my.gd/fw_graphs/ # vmstat -i interrupt total rate irq16: mpt0 320899 0 irq21: atapci1 35 0 irq22: ehci0 ehci1 1992267 2 cpu0: timer 1330310985 1979 irq258: igb0:que 0 829898 1 irq259: igb0:que 1 3255 0 irq260: igb0:que 2 2059 0 irq261: igb0:que 3 1060 0 irq262: igb0:link 2 0 irq263: igb1:que 0 2676083520 3981 irq264: igb1:que 1 2676853656 3982 irq265: igb1:que 2 2682493388 3990 irq266: igb1:que 3 2688637571 3999 irq267: igb1:link 2 0 irq273: igb3:que 0 2654678899 3949 irq274: igb3:que 1 2648682488 3940 irq275: igb3:que 2 2650599952 3943 irq276: igb3:que 3 2657367887 3953 irq277: igb3:link 2 0 cpu1: timer 1330301807 1978 cpu2: timer 1330301315 1978 cpu3: timer 1330301347 1978 Total 26659762294 39659 # pfctl -si Status: Enabled for 7 days 18:43:34 Debug: Urgent Interface Stats for igb3 IPv4 IPv6 Bytes In 1585211309166 0 Bytes Out 2044715081803 0 Packets In Passed 6238056055 0 Blocked 15350206 0 Packets Out Passed 6300823415 0 Blocked 1223577 0 State Table Total Rate current entries 37627 searches 25108284353 37351.6/s inserts 2157108574 3209.0/s removals 2157070947 3208.9/s Counters match 2175657232 3236.6/s bad-offset 0 0.0/s fragment 104 0.0/s short 5 0.0/s normalize 557 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 6 0.0/s proto-cksum 52649 0.1/s state-mismatch 340029 0.5/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 90 0.0/s igb0@pci0:7:0:0: class=0x020000 card=0x145a8086 chip=0x10d68086 rev=0x02 hdr=0x00 vendor = 'Intel Corporation' device = '82575GB Gigabit Network Connection' class = network subclass = ethernet bar [10] = type Memory, range 32, base 0xdabc0000, size 131072, enabled bar [14] = type Memory, range 32, base 0xdac00000, size 2097152, enabled bar [18] = type I/O Port, range 32, base 0xdcc0, size 32, enabled bar [1c] = type Memory, range 32, base 0xdabb8000, size 16384, enabled cap 01[40] = powerspec 2 supports D0 D3 current D0 cap 05[50] = MSI supports 1 message, 64 bit 
cap 11[60] = MSI-X supports 10 messages in map 0x1c enabled cap 10[a0] = PCI-Express 2 endpoint max data 256(256) link x4(x4) ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected ecap 0003[140] = Serial 1 001b21ffff12f438 synproxy 0 0.0/s (there are 4 of these, it's a quad port card) From owner-freebsd-pf@FreeBSD.ORG Thu Feb 17 21:50:10 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0F38B106566C for ; Thu, 17 Feb 2011 21:50:10 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.cksoft.de (mail.cksoft.de [IPv6:2001:4068:10::3]) by mx1.freebsd.org (Postfix) with ESMTP id BF7228FC1E for ; Thu, 17 Feb 2011 21:50:09 +0000 (UTC) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 2044E41C7A9; Thu, 17 Feb 2011 22:50:09 +0100 (CET) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([192.168.74.103]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id yEgxmZf8XVoa; Thu, 17 Feb 2011 22:50:05 +0100 (CET) Received: by mail.cksoft.de (Postfix, from userid 66) id A3D7841C7AF; Thu, 17 Feb 2011 22:50:05 +0100 (CET) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id D0AA84448F3; Thu, 17 Feb 2011 21:46:52 +0000 (UTC) Date: Thu, 17 Feb 2011 21:46:52 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Mohacsi Janos In-Reply-To: Message-ID: <20110217214400.S13400@maildrop.int.zabbadoz.net> References: <4D3ADF52.1020205@borderworlds.dk> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-pf@FreeBSD.org Subject: Re: NAT64 support in pf? 
On Sun, 23 Jan 2011, Mohacsi Janos wrote:

Hi,

> nat64 code for OpenBSD has been developed:
> http://ecdysis.viagenie.ca/download.html
>
> This should be ported to FreeBSD, since it uses a BSD license.

As people keep pinging me about this:
http://www.freebsd.org/news/status/report-2010-10-2010-12.html#IPv6-and-VIMAGE

I have the patch for the upcoming pf45 and am in contact with Marc and Simon as well as Ermal and the pfsense people to coordinate things. Expect it to become available sometime in the future once a couple of things have been solved; the plan is to have it in FreeBSD 9.

/bz

--
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 18 08:55:28 2011
From: Eir Nym
Date: Fri, 18 Feb 2011 11:26:35 +0300
To: freebsd-pf@freebsd.org
Subject: PF from OpenBSD 4.7

I heard a while ago about a packet filter update coming, but there is no news about it. What is the status of this update?