From owner-freebsd-bugbusters@freebsd.org Mon Sep 28 08:31:04 2015
From: "Wanka, Silvio"
To: "freebsd-bugbusters@FreeBSD.org"
Subject: can't use a firewall cluster as DGW
Date: Mon, 28 Sep 2015 08:23:20 +0000
Message-ID: <08C1F0DB82CAD14DA46313AE457AFF721B922437@fieinfmbx2vp.fiege.com>

From owner-freebsd-bugbusters@freebsd.org Mon Sep 28 08:35:25 2015
From: Allan Jude
To: freebsd-bugbusters@freebsd.org
Subject: Re: can't use a firewall cluster as DGW
Date: Mon, 28 Sep 2015 04:35:22 -0400
Message-ID: <5608FBCA.8070108@freebsd.org>
In-Reply-To: <08C1F0DB82CAD14DA46313AE457AFF721B922437@fieinfmbx2vp.fiege.com>

On 09/28/2015 04:23, Wanka, Silvio wrote:
> Hi,
>
> I need a simple solution which is offered by dnsmasq, so the simple way was to install pfSense as VMware VM and use the web interface to configure dnsmasq, but the Default Gateway does not work.
> Because pfSense is sometimes “special” I have replaced the HD of the VM by the vmdk offered on FreeBSD Download site (10.2). But it is the same problem, if I start the same VM with a Linux Live ISO all works properly. And also Windows has no problem with this firewall cluster as DGW.
>
> I can ping any other device in the subnet (except devices which do not answer on ICMP) but for the DGW I get always:
>
> Ping: sendto: Host is down
>
> Any Linux or Windows system can ping to this IP and also the Live Linux which has the same MAC and was configured with the same network settings (IP, Mask, Gateway).
>
> My network guy gives me the hint that this FW cluster uses virtual MAC addresses and some devices can’t handle this correctly. So I have checked the ARP table directly after the aborted not working ping and of course, this can’t work:
>
> # arp 192.198.9.254
> ? (192.198.9.254) at (incomplete) on em0 expired [ethernet]
>
> It looks to me that BSD does not understand the ARP protocol (extension/variant?) which is used here. I must now decide if I switch to Linux or add a static ARP entry, BTW is there already a config file for static arp entries so as not to lose them after a reboot?
>
> Br,
> Silvio

FreeBSD does not have any problems with ARP.

There are a few possibilities here:

1) Did you check that the IP address you are trying to ping is actually assigned to an interface in pfSense?

2) In the VMware options for the NIC, enable 'promiscuous mode'; this allows the NIC to receive packets destined for a MAC address other than the one on the VMware virtual NIC, and can solve this problem among others, especially when using virtual MAC addresses (like lagg(4) and carp(4)).

3) Can the pfSense ping the IP that you are trying to ping the pfSense from?

-- 
Allan Jude
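
A check for the symptom discussed in this thread, added here as an example and not written by either poster: it reads FreeBSD `arp -an` output, reports whether the gateway's entry is unresolved, and labels resolved MACs that fall in the VRRP/carp(4) virtual range or carry the group or locally-administered bit. The function names and every sample line except the 192.198.9.254 entry are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage `arp -an` output for unresolved or virtual-MAC neighbours.
# SAMPLE_ARP is constructed; only the 192.198.9.254 line is quoted from the thread.
SAMPLE_ARP='? (192.198.9.254) at (incomplete) on em0 expired [ethernet]
? (192.198.9.10) at 00:0c:29:aa:bb:cc on em0 expires in 1188 seconds [ethernet]
? (192.198.9.253) at 00:00:5e:00:01:0a on em0 expires in 600 seconds [ethernet]
? (192.198.9.252) at 01:00:5e:7f:09:fe on em0 permanent [ethernet]'

# classify_mac MAC (hypothetical helper): print one label for the address.
classify_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        "(incomplete)")      echo incomplete; return ;;        # no ARP reply accepted
        00:00:5e:00:01:*)    echo vrrp-carp-virtual; return ;; # IANA VRRP range, also used by carp(4)
        [0-9a-f][0-9a-f]:*)  ;;                                # looks like a MAC, inspect first octet
        *)                   echo unknown; return ;;
    esac
    first=$((0x${mac%%:*}))
    if [ $((first & 1)) -ne 0 ]; then
        echo group-bit              # multicast/group address used as a neighbour MAC
    elif [ $((first & 2)) -ne 0 ]; then
        echo locally-administered   # not a vendor-assigned (OUI) address
    else
        echo unicast-global
    fi
}

# triage_arp: read `arp -an` lines on stdin, print "IP INTERFACE LABEL".
triage_arp() {
    while read -r _host ip _at mac _on ifname _rest; do
        [ "$_at" = "at" ] || continue          # skip anything that is not an ARP entry
        ip=${ip#\(}; ip=${ip%\)}
        echo "$ip $ifname $(classify_mac "$mac")"
    done
}

# gateway_status IP: label for one address, or "no-entry" if it is absent.
gateway_status() {
    triage_arp | awk -v gw="$1" '$1 == gw { print $3; f = 1 } END { if (!f) print "no-entry" }'
}

printf '%s\n' "$SAMPLE_ARP" | triage_arp
```

On a live host, `arp -an | gateway_status <gateway-ip>` gives the same label for the real table.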