From: Anton Nikiforov
To: freebsd-stable@freebsd.org
Date: Thu, 06 Jul 2006 23:46:18 +0400
Subject: carp+pfsync+freevrrpd+jail
Message-ID: <44AD688A.6050408@nikiforov.ru>
List-Id: Production branch of FreeBSD source code

Dear all.
I have the following trouble: using carp and pfsync I have made a redundant firewall (OS is 6.1p2 and everything is done as in the man pages, even the ifconfig options). The only thing that is different is that I have 2 ethernet interfaces (one for the crossover link and the other is the parent interface for the vlans).

host1

    ifconfig_vlan101="inet X.Y.Z.1 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
    ifconfig_carp0="vhid 1 pass abc X.Y.Z.3"
    ifconfig_vlan100="inet A.B.C.1 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
    ifconfig_carp1="vhid 1 pass abc A.B.C.3"
    ifconfig_pfsync0="up syncif em1"

host2

    ifconfig_vlan101="inet X.Y.Z.2 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
    ifconfig_carp0="vhid 1 advskew 100 pass abc X.Y.Z.3"
    ifconfig_vlan100="inet A.B.C.2 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
    ifconfig_carp0="vhid 1 advskew 100 pass abc A.B.C.3"
    ifconfig_pfsync0="up syncif em1"

What I have is that when I'm pinging the carp0 (inet) or carp1 (lan) interface's IP address of my firewall, I'm receiving DUP responses. And when host2 is the slave and I start to ping the carp0 address, no traffic appears on the master host, which means that the local carp interface is responding to my packets. That means that in case some service (provided by a jail managed by freevrrpd) is accessed from outside, I cannot be sure which host will answer the request.

I have done some tests. When I'm sshing to the virtual IP, sometimes I get the ssh prompt and can log in, sometimes it says that the host auth info is bad (yes, because the second server is answering me at that time), and sometimes I lose the ssh connection while the session is active.

    net.inet.carp.preempt=1
    net.inet.carp.log=2
    net.inet.carp.arpbalance=0

No balance needed. I want to have some services run in the main OS, some services run in a jail, and I want to be sure which host will answer the request when both hosts are up and running.
Could someone please direct me on what to do or where to read? Best regards, Anton Nikiforov
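An added check, not part of the original post or of any reply to it: a small sh/awk script that scans an rc.conf-style file for two things that are visible in the rc.conf lines quoted above. First, the same ifconfig_carpN variable assigned twice (rc.conf is sourced by sh, so the last assignment wins and the earlier carp interface is never configured at boot); second, two carp interfaces on one host that share a vhid, which is worth reviewing against carp(4) because the vhid is what identifies a redundancy group on a segment. The two sample files are constructed here from the posted host1 and host2 configs; the function name check_carp_rcconf and the DUPLICATE/SHARED output format are this example's own choices. The script does not claim to diagnose the DUP ping replies, only to surface configuration slips a practitioner would rule out first.

```shell
#!/bin/sh
# Added example (not from the original post): check an rc.conf-style file for
# (1) an ifconfig_carpN variable assigned more than once (sh semantics: the
#     last assignment wins, so the earlier one is silently dropped), and
# (2) two carp interfaces on one host sharing a vhid (review against carp(4)).

# Constructed samples copied from the posted host1 / host2 rc.conf lines.
HOST1_RCCONF=$(mktemp)
cat > "$HOST1_RCCONF" <<'EOF'
ifconfig_vlan101="inet X.Y.Z.1 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.1 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp1="vhid 1 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"
EOF

HOST2_RCCONF=$(mktemp)
cat > "$HOST2_RCCONF" <<'EOF'
ifconfig_vlan101="inet X.Y.Z.2 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.2 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"
EOF

# check_carp_rcconf FILE
# Prints one finding per line; exit status 1 if anything was found, 0 if clean.
check_carp_rcconf() {
    awk -F'=' '
        /^ifconfig_carp[0-9]+=/ {
            var = $1
            # (1) same variable assigned a second time
            if (++seen[var] == 2) {
                printf "DUPLICATE %s assigned more than once (last assignment wins)\n", var
                nfind++
            }
            # (2) vhid already claimed by a different carp interface in this file
            if (match($0, /vhid [0-9]+/)) {
                vhid = substr($0, RSTART + 5, RLENGTH - 5)
                if ((vhid in byvhid) && byvhid[vhid] != var) {
                    printf "SHARED vhid %s used by %s and %s\n", vhid, byvhid[vhid], var
                    nfind++
                } else {
                    byvhid[vhid] = var
                }
            }
        }
        END { exit (nfind > 0) }
    ' "$1"
}

# Stand-alone demo: host1 reports the shared vhid, host2 the repeated carp0.
echo "host1:"; check_carp_rcconf "$HOST1_RCCONF" || true
echo "host2:"; check_carp_rcconf "$HOST2_RCCONF" || true
```

Run it against /etc/rc.conf on each box before looking at the network side: on the posted host2 config it reports the repeated ifconfig_carp0 line, which means only the second assignment (the A.B.C.3 address) is applied at boot and nothing configures carp1 on that host at all.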