Messages - Jacob-

1
General Discussion / Re: CARP arp reply with wrong src mac
« on: October 14, 2021, 02:38:06 pm »
Does anyone know of a solution that works with equipment that reads the source MAC address in the frame instead of parsing the ARP reply/announcement for the VIP MAC address?

I understand that from


VRRP April 2004
https://datatracker.ietf.org/doc/html/rfc3768#section-8.2

To

VRRPv3 March 2010
https://datatracker.ietf.org/doc/html/rfc5798#page-29

That it looks like this note has been added to clarify

“Note that the source address of the Ethernet frame of this ARP response is the physical MAC address of the physical router.”


But there is some equipment from other manufacturers, e.g. Nokia, Cisco, Juniper, that inspects the source MAC of an ARP response to determine the MAC address associated with the IP.


At a previous point

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=141023

The option to modify the source mac was an option

net.link.ether.inet.carp_mac is set to 1

But it was removed as it deviated from the protocol.

The question is, what other options exist for interoperability with these vendors?
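
Added example, not part of the original post: a small Python parser that shows the two MAC addresses the post contrasts, the Ethernet source address of an ARP reply and the sender hardware address inside the ARP payload. The sample frame, its addresses and VRID 7 are constructed, and the frame is assumed to be untagged (no 802.1Q header).

```python
import struct

# IPv4 virtual-router MAC prefix from RFC 3768/5798; last byte is the VRID.
VIRTUAL_MAC_PREFIX = bytes.fromhex("00005e0001")

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def inspect_arp_reply(frame):
    """Parse an untagged Ethernet ARP reply; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return {
        "ip": ".".join(str(b) for b in spa),
        "eth_src": fmt_mac(eth_src),   # what source-MAC-learning equipment records
        "arp_sha": fmt_mac(sha),       # what an ARP-payload parser records
        "vrid": sha[5] if sha[:5] == VIRTUAL_MAC_PREFIX else None,
        "src_matches_sha": eth_src == sha,
    }

def build_sample_reply():
    """Constructed frame: physical source MAC, virtual MAC in the ARP payload."""
    requester = bytes.fromhex("020000000010")   # constructed
    physical = bytes.fromhex("020000000001")    # constructed router NIC MAC
    virtual = VIRTUAL_MAC_PREFIX + bytes([7])   # constructed VRID 7
    eth = requester + physical + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += virtual + bytes([192, 0, 2, 1]) + requester + bytes([192, 0, 2, 10])
    return eth + arp

if __name__ == "__main__":
    info = inspect_arp_reply(build_sample_reply())
    print(info)
    if info and info["vrid"] is not None and not info["src_matches_sha"]:
        print("frame source MAC differs from the virtual MAC announced for", info["ip"])
```

Run against frames captured on the segment, the `src_matches_sha` field shows whether a given peer would learn the physical or the virtual MAC for the VIP.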

2
19.7 Legacy Series / Re: [solved] Squid not starting
« on: July 17, 2019, 06:29:16 pm »
I just updated as well but neither solution is working. I also have these items in my squid logs.

kid1| FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB helpers are crashing too rapidly, need help!

(security_file_certgen): Uninitialized SSL certificate database directory: /var/squid/ssl_crtd. To initialize, run "security_file_certgen -c -s /var/squid/ssl_crtd".

3
Web Proxy Filtering and Caching / Re: Squid will not start with SSL Enabled
« on: May 07, 2019, 07:35:58 pm »
I just tested with another instance and it would not work until I created an internal CA. I also created an internal Intermediate CA and that is what I'm using for SSL inspection.

4
Web Proxy Filtering and Caching / Re: Squid will not start with SSL Enabled
« on: May 07, 2019, 06:13:24 pm »
Give this a try,

In General
disable proxy

In forward proxy
enable
ssl inspection
log sni information only
and check that a CA is selected.

Go back to general and enable proxy.
I also had to hit the start icon in the top right as well as it was complaining about an SSL directory that needs to be created.

Also, I added the Remote ACL prior to enabling.

5
Web Proxy Filtering and Caching / Re: Squid will not start with SSL Enabled
« on: May 07, 2019, 05:40:18 pm »
I was able to get it running by adding a CA then turning off "Enable Proxy" and then turning it back on.

6
Web Proxy Filtering and Caching / Re: Squid will not start with SSL Enabled
« on: May 07, 2019, 05:18:39 pm »
I too have this issue with a new OPNsense installation.

OPNsense 19.1.7-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

Set Current Directory to /var/squid/cache
Page faults with physical i/o: 0
Maximum Resident Size: 733648 KB
CPU Usage: 5.539 seconds = 5.391 user + 0.149 sys
Squid Cache (Version 3.5.28): Terminated abnormally.
FATAL: Ipc::Mem::Segment::open failed to shm_open(/var/run/squid/ssl_session_cache.shm): (2) No such file or directory
