From owner-freebsd-questions@FreeBSD.ORG  Fri Mar 20 18:07:05 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9C0451065675
	for <freebsd-questions@freebsd.org>;
	Fri, 20 Mar 2009 18:07:05 +0000 (UTC)
	(envelope-from ipfreak@yahoo.com)
Received: from web52106.mail.re2.yahoo.com (web52106.mail.re2.yahoo.com
	[206.190.48.109])
	by mx1.freebsd.org (Postfix) with SMTP id 451968FC1D
	for <freebsd-questions@freebsd.org>;
	Fri, 20 Mar 2009 18:07:05 +0000 (UTC)
	(envelope-from ipfreak@yahoo.com)
Received: (qmail 54123 invoked by uid 60001); 20 Mar 2009 18:07:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
	t=1237572424; bh=kXy+u2tUSzI9STEsWwkUTkv3xMvUjh7zdU7iv51WcjQ=;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type;
	b=PneplzKCWin7MjCogZz9W9Febytfs4uAmPA5+LDIWBgHICRxbEeMOSNRiKMh4xAOpRRzIpLYknf4EFWVQ3GrNLXZVy6jYU760SAAXjxNv6Fe/p3Ho3Y/PFQ5/qz6IMUXQS5Vcoe70ersuq0d208LvDh75F2nx+3PSb4gLitHqeg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type;
	b=57pPfTem/W1VctI++5qkNoHbBfG3TEjbYOBYFQjG6aJfpGoFY58bTQgkxFlgQ0xkxLYh5e5YH/WLRaHBo+YPS7VrkQeBBUdxv8DwgeA7IfR1oA+f6Eefd4isGoOzRBpka7227Nr27g+3ejK98tEaJEZkpxKjQpX3Kia3pJ4dl2g=;
Message-ID: <752369.54009.qm@web52106.mail.re2.yahoo.com>
X-YMail-OSG: _st93SsVM1mg4h9N5azyuMKB1RsTdIkYl_mRjOc1KYjRMMYFWeOmb9f6ySsD1jPULa55mVC8jvj4NmJdMlZwrVQ5TVEeFxxAgECPJkXbIgplsrG0dMjf7KEIZ6hPvIxcifjuHhmI1c5c9KVcxtR50h_A6viuheIr9U6ztKL2gwL_fKpiYVSVwPaUHMtShuf6R78CT8pdaHbeF34bWOQu6wc_kc9OiCRTtwmcimDJJSXc8r1J1h5R3D5l2z4dvEyB3UHx0J4T0vGsvcDl
Received: from [72.83.186.118] by web52106.mail.re2.yahoo.com via HTTP;
	Fri, 20 Mar 2009 11:07:04 PDT
X-Mailer: YahooMailWebService/0.7.289.1
Date: Fri, 20 Mar 2009 11:07:04 -0700 (PDT)
From: gahn <ipfreak@yahoo.com>
To: Nikos Vassiliadis <nvass9573@gmx.com>
In-Reply-To: <49C0AEF8.804@gmx.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: freebsd general questions <freebsd-questions@freebsd.org>
Subject: Re: ipfw and carp
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ipfreak@yahoo.com
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2009 18:07:05 -0000



Thanks!

Indeed I did have:

${fwcmd} 140 allow all from $CARP-PEER_physical_interface to any via $local_external_interface

But it alone doesn't seem to be enough, sometimes it work but sometimes it doesn't. with tcpdump, sometimes I can't see the VRRPv2 advertisement.

So now i added:

${fwcmd} 150 allow all from any to 224.0.0.18 vi $local_external_interface

now it seem to be working perfect.




--- On Wed, 3/18/09, Nikos Vassiliadis <nvass9573@gmx.com> wrote:

> From: Nikos Vassiliadis <nvass9573@gmx.com>
> Subject: Re: ipfw and carp
> To: ipfreak@yahoo.com
> Cc: "freebsd general questions" <freebsd-questions@freebsd.org>
> Date: Wednesday, March 18, 2009, 1:21 AM
> gahn wrote:
> > Did any one use ipfw with CARP before? is there
> anything specific
> > about ipfw configurations working with CARP? I have
> two servers and
> > they configured with CARP. they are working fine
> except i can't turn
> > on ipfw.
> 
> Did you add the rules needed to let CARP traffic in and out
> of the
> boxes?
> 
> ipfw denies everything by default. So, you have to
> explicitly
> let CARP traffic through. Something like "allow carp
> from any
> to any" would do for a quick test.
> 
> Nikos
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"