From: "Klavs Klavsen"
To: "Max Laier"
Cc: freebsd-net@freebsd.org, Klavs Klavsen
Date: Thu, 18 Oct 2007 14:11:42 +0200 (CEST)
Subject: Re: packet loss with carp on 6.2
Message-ID: <1270.62.242.232.132.1192709502.squirrel@www.enableit.dk>

On Thu, October 18, 2007 12:50, Max Laier said:
> On Thursday 18 October 2007, Klavs Klavsen wrote:
>> I tried to just disable carp on the new machine (simply comment out
>> carp config from /etc/rc.conf.local) and now the packet loss is gone -
>> and hasn't been there for half an hour, so far.
>
> I supposed you also had to change your firewall rules? Otherwise your
> ruleset might not be ready to deal with carp and that could be the reason
> why you get the bad results?

I added these rules:

# Allow pfsync Updates In/Out
pass quick on $if_mgmt proto pfsync keep state
# Allow CARP Advertisements In/Out
pass quick on {$if_mgmt, $if_fwnet, $if_inet} proto carp keep state

I wasn't running any performance tests or anything - just normal traffic.
Also - I had a "pass log on $if_XX all" enabled - which matches all the
traffic that wasn't specifically matched (i.e. expected) traffic.

And no backup CARP host running - but I don't see why NOT having the spare
CARP host up should cause a packet loss.

> Start debugging by looking at "netstat -ssp carp" on either machine and
> take a careful look at your pf.conf. I also suggest that you add "log" to
> all your block rules and watch tcpdump on pflog0 while pinging.

I just looked through the pflog file (26MB for 55 minutes) - primarily
passes - only 14 k. blocks. The blocks were broadcasts, and cisco hsrp stuff
(and pfsync, until I just "allowed it for all - as above" - but since the
secondary host wasn't up - pfsync wouldn't work anyways).

>> Seems the carp network interfaces has bugs.
>
> That's a pretty bold assertion given the limited debugging you have
> done ;)

Fair enough - I said "it seems" :)

I see no obvious explanation though, why using a carp interface, vs. a
normal interface, would somehow give me a packet loss. If a block/pass rule
somehow did not match the packages through the new interfaces, I'd expect to
get a 100% packet loss :)

-- 
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
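
Added example, not part of the message above or of anyone's code in the thread: one way to do the pflog review the thread describes, counting entries per action and interface and reporting where CARP or pfsync packets hit a block rule. It assumes IPv4 traffic and the `rule N/M(reason): action dir on if:` line layout that `tcpdump -n -e -r` prints for a pflog file; the sample lines, interface names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `tcpdump -n -e -r <pflog file>`.
# Only the fields up to the destination are parsed; the decode text is ignored.
SAMPLE = """\
13:20:01.000100 rule 0/0(match): block in on em1: 10.0.0.3 > 224.0.0.18: VRRPv2, Advertisement
13:20:01.400200 rule 0/0(match): block in on em0: 10.0.9.3 > 224.0.0.240: pfsync 108
13:20:02.100300 rule 0/0(match): block in on em2: 192.0.2.2.1985 > 224.0.0.2.1985: HSRPv0-hello 20
13:20:02.500400 rule 7/0(match): pass in on em2: 192.0.2.50 > 192.0.2.1: ICMP echo request
13:20:03.000500 rule 0/0(match): block in on em2: 192.0.2.77.138 > 192.0.2.255.138: NBT UDP
"""

# rule N/M(reason): action direction on interface: src > dst:
LINE = re.compile(r"rule \d+\S*: (?P<action>pass|block) (?:in|out) "
                  r"on (?P<ifname>\S+): \S+ > (?P<dst>[^:\s]+):")

# Destinations that identify the redundancy protocols discussed in the thread.
KNOWN_DST = {
    "224.0.0.18": "carp",      # CARP advertisements (IP protocol 112)
    "224.0.0.240": "pfsync",   # default pfsync multicast group
    "224.0.0.2.1985": "hsrp",  # Cisco HSRP hellos, UDP port 1985
}

def summarize(text):
    """Count log entries by (action, interface, traffic kind)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue  # continuation lines or unrelated output
        kind = KNOWN_DST.get(m["dst"], "other")
        counts[(m["action"], m["ifname"], kind)] += 1
    return counts

def blocked_failover(counts):
    """Interfaces where CARP or pfsync packets hit a block rule."""
    hits = {}
    for (action, ifname, kind), _ in sorted(counts.items()):
        if action == "block" and kind in ("carp", "pfsync"):
            hits.setdefault(kind, []).append(ifname)
    return hits

if __name__ == "__main__":
    totals = summarize(SAMPLE)
    for key, n in sorted(totals.items()):
        print(*key, n)
    print("failover traffic blocked on:", blocked_failover(totals))
```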