OPNsense
Show Posts


Topics - doug.dimick

1. General Discussion / Updated Python script to whois BGP ASNs and get a list of network blocks.
« on: January 02, 2020, 11:46:48 pm »
It's probably not a very common use case, but I need the ability to make policy routing decisions to destination networks owned by specific organizations. On pfSense I was using pfBlockerNG to resolve BGP Autonomous System numbers to network blocks, as this isn't a core feature for pfSense either.

There are some old threads here and here discussing it, and the base code contributed by NilsS that I built off of can be found there.

What I've done since then is make it work with Python 3, but also make it a bit easier to use and add a method to call it via HTTP. This means you can self-host the script, and feed/update OPNsense aliases automatically.

Personally, I run it as a Docker container, but there's no requirement to use Docker. All you need is python with Flask ("pip install Flask", if you don't have it already). There are some public services that can do this as well, but I prefer to run my own just in case I accidentally run into API limits or the service unexpectedly disappears.

I readily admit that I can barely code my way out of a paper bag. I feel like what I did with Flask is clunky as hell, but it works. PRs welcome.

https://github.com/ddimick/asn-to-ip
https://hub.docker.com/r/ddimick/asn-to-ip
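As an added example, not the asn-to-ip script itself, the following shows the two pieces such a tool needs: turning IRR route objects for an ASN into a deduplicated, collapsed prefix list, and serving that list over HTTP in the one-network-per-line form an OPNsense URL-table alias fetches. The whois text is constructed (documentation ranges and private ASNs), and the whois query itself is assumed rather than performed so the example runs offline.

```python
"""Resolve the prefixes an Autonomous System originates from IRR route objects
and render them as a URL-table alias body (one network per line).

Added example, not the asn-to-ip project's code. SAMPLE_WHOIS is constructed in
RADB route-object format; a real resolver would fetch it from a whois server,
which is assumed here so the example runs offline.
"""
import ipaddress
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample (documentation ranges, private ASNs), not a real capture.
SAMPLE_WHOIS = """\
route:          192.0.2.0/24
descr:          EXAMPLE-NET-1
origin:         AS64500
source:         RADB

route:          192.0.2.0/25
descr:          more-specific of the block above, should be collapsed away
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
origin:         AS64500
source:         RADB

route6:         2001:db8::/32
origin:         AS64500
source:         RADB

route:          203.0.113.0/24
origin:         AS64501
source:         RADB

route:          10.1.2.3/24
origin:         AS64500
source:         RADB
"""

ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.M)
ORIGIN_RE = re.compile(r"^origin:\s*AS(\d+)\s*$", re.M)


def parse_route_objects(text):
    """Yield (network, origin_asn) for every route/route6 object in whois
    text. Objects are blank-line separated; an object whose prefix is
    malformed or has host bits set is skipped rather than let into the alias."""
    for obj in re.split(r"\n\s*\n", text.strip()):
        route = ROUTE_RE.search(obj)
        origin = ORIGIN_RE.search(obj)
        if not (route and origin):
            continue
        try:
            net = ipaddress.ip_network(route.group(1), strict=True)
        except ValueError:
            continue
        yield net, int(origin.group(1))


def prefixes_for_asn(text, asn):
    """Collapsed, sorted prefixes whose origin is `asn`. collapse_addresses
    drops duplicates and more-specifics already covered by a shorter prefix,
    which keeps the pf table small; v4 and v6 are collapsed separately because
    networks of different versions cannot be compared."""
    nets = [n for n, origin in parse_route_objects(text) if origin == asn]
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4 + v6


def alias_body(text, asn):
    """Text a URL-table alias can fetch: one CIDR per line, nothing else."""
    return "".join(f"{net}\n" for net in prefixes_for_asn(text, asn))


class AsnAliasHandler(BaseHTTPRequestHandler):
    """GET /AS<number> returns the alias body as text/plain. `lookup` is the
    hook that would query whois; in this example it returns the sample."""
    lookup = staticmethod(lambda asn: SAMPLE_WHOIS)

    def do_GET(self):
        m = re.fullmatch(r"/AS(\d+)", self.path)
        if not m:
            self.send_error(404, "expected /AS<number>")
            return
        asn = int(m.group(1))
        body = alias_body(self.lookup(asn), asn).encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=us-ascii")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--serve":
        HTTPServer(("127.0.0.1", 8080), AsnAliasHandler).serve_forever()
    else:
        sys.stdout.write(alias_body(SAMPLE_WHOIS, 64500))
```

Run it without arguments to print the collapsed list for AS64500 (the /25 disappears into its /24 and the malformed 10.1.2.3/24 object is dropped), or with `--serve` to expose `http://127.0.0.1:8080/AS64500` for an alias to poll. Strict prefix parsing matters here: a garbage line in an IRR object would otherwise end up in a pf table that drives policy routing.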

2. 18.1 Legacy Series / CARP breaks haproxy health checks?
« on: March 10, 2018, 01:22:36 am »
I'm running two OPNsense 18.1.3 systems with LAN/WAN/DMZ interfaces and CARP VIP.

LAN CARP VIP 192.168.1.1/17
LAN OPNsense-1 192.168.1.2/17
LAN OPNsense-2 192.168.1.3/17

DMZ CARP VIP 192.168.254.1/24
DMZ OPNsense-1 192.168.254.2/24
DMZ OPNsense-2 192.168.254.3/24

I'm running haproxy only on my master OPNsense-1 system. When OPNsense-1 is running by itself, everything works great.

When I boot OPNsense-2, everything still works great except all my haproxy HTTP health checks running on OPNsense-1 fail.

If I shut down OPNsense-2, the haproxy HTTP health checks on OPNsense-1 immediately start working again.

All traffic through either OPNsense system works fine in both scenarios. The only thing that stops working are the haproxy health checks.

What could be causing this behavior?

3. 18.1 Legacy Series / [SOLVED] CARP won't become MASTER, both systems always BACKUP
« on: February 07, 2018, 09:12:28 pm »
I'm replacing a working pfSense HA setup, so I'm reasonably sure the network is set up properly. I have two OPNsense 18.1.1 VMs running on ESXi 6.5. ESXi is configured to permit promiscuous mode, MAC address changes, and forged transmits. There are no other systems running CARP on my network.

Every three seconds the system log reports:
Feb 7 12:08:04 opnsense: /usr/local/etc/rc.carpbackup: Carp cluster member "192.168.0.5 - (1@em1)" has resumed the state "BACKUP" for vhid 1
Feb 7 12:08:04 configd.py: [8b269f1d-df1c-4809-871a-4f3ee75db2ba] Carp backup event
Feb 7 12:08:04 opnsense: /usr/local/etc/rc.carpmaster: Carp cluster member "192.168.0.5 - (1@em1)" has resumed the state "MASTER" for vhid 1
Feb 7 12:08:04 configd.py: [30b8e115-bc25-4339-9f7f-92176a1a471f] Carp master event
Feb 7 12:08:04 kernel: ifa_maintain_loopback_route: deletion failed for interface em1: 3
Feb 7 12:08:04 kernel: carp: 1@em1: MASTER -> BACKUP (more frequent advertisement received)
Feb 7 12:08:04 kernel: carp: 1@em1: BACKUP -> MASTER (master timed out)

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:30:b0:1d
        hwaddr 00:0c:29:30:b0:1d
        inet 192.168.0.2 netmask 0xffff8000 broadcast 192.168.127.255
        inet 192.168.0.5 netmask 0xffff8000 broadcast 192.168.127.255 vhid 1
        inet6 fe80::20c:29ff:fe30:b01d%em1 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 1 advbase 1 advskew 0
        groups: Inside

What am I missing?

Edit: There is no carp0 interface listed when I look at ifconfig output.
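Added example, not from the thread or from OPNsense: a small detector that reads syslog lines like the ones quoted above and reports which CARP vhids are flapping and which kernel reasons drive the transitions. The sample lines are constructed from the kernel messages in the post, rearranged into chronological order with a second, stable vhid added; the year is assumed to be 2018 because syslog timestamps omit it.

```python
"""Detect CARP state flapping in OPNsense/FreeBSD syslog lines and summarise
the kernel's stated reasons per vhid.

Added example, not code from the thread or OPNsense. SAMPLE_LOG is constructed
from the kernel lines quoted in the post plus a stable second vhid; the year is
assumed because syslog does not record it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, chronological order (the forum log listing was newest-first).
SAMPLE_LOG = """\
Feb  7 12:08:01 kernel: carp: 1@em1: BACKUP -> MASTER (master timed out)
Feb  7 12:08:01 opnsense: /usr/local/etc/rc.carpmaster: Carp cluster member "192.168.0.5 - (1@em1)" has resumed the state "MASTER" for vhid 1
Feb  7 12:08:01 kernel: carp: 1@em1: MASTER -> BACKUP (more frequent advertisement received)
Feb  7 12:08:01 opnsense: /usr/local/etc/rc.carpbackup: Carp cluster member "192.168.0.5 - (1@em1)" has resumed the state "BACKUP" for vhid 1
Feb  7 12:08:04 kernel: carp: 1@em1: BACKUP -> MASTER (master timed out)
Feb  7 12:08:04 kernel: carp: 1@em1: MASTER -> BACKUP (more frequent advertisement received)
Feb  7 12:08:05 kernel: carp: 2@em2: INIT -> BACKUP (initialization complete)
Feb  7 12:08:07 kernel: carp: 1@em1: BACKUP -> MASTER (master timed out)
Feb  7 12:08:07 kernel: carp: 1@em1: MASTER -> BACKUP (more frequent advertisement received)
Feb  7 12:08:09 kernel: carp: 2@em2: BACKUP -> MASTER (master timed out)
""".splitlines()

# Only the kernel's own transition messages carry the reason; the rc.carp*
# and configd lines are derived from them and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+: carp: "
    r"(?P<vhid>\d+)@(?P<ifname>\w+): (?P<old>[A-Z]+) -> (?P<new>[A-Z]+) "
    r"\((?P<reason>[^)]*)\)"
)


def parse_carp_events(lines, year=2018):
    """Return [(timestamp, 'vhid@ifname', old, new, reason)] in input order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse syslog's padded day
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, f"{m['vhid']}@{m['ifname']}", m["old"], m["new"], m["reason"]))
    return events


def flapping_vhids(events, window_seconds=60, min_transitions=4):
    """Map 'vhid@ifname' -> summary for every vhid that changed state at
    least min_transitions times inside some window_seconds span. The reason
    counts are the useful part: 'more frequent advertisement received' means
    another node on the segment is advertising the same vhid with a better
    (lower) advbase/advskew, while 'master timed out' means this node stopped
    hearing the master at all; alternating between the two every few seconds
    is the signature seen in the post."""
    by_key = defaultdict(list)
    for ts, key, old, new, reason in events:
        by_key[key].append((ts, old, new, reason))
    result = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e[0])  # stable, keeps same-second order
        worst, j = 0, 0
        for i in range(len(evs)):
            while (evs[i][0] - evs[j][0]).total_seconds() > window_seconds:
                j += 1
            worst = max(worst, i - j + 1)
        if worst >= min_transitions:
            reasons = defaultdict(int)
            for _, _, _, reason in evs:
                reasons[reason] += 1
            result[key] = {
                "transitions": len(evs),
                "max_in_window": worst,
                "reasons": dict(reasons),
                "last_state": evs[-1][2],
            }
    return result


if __name__ == "__main__":
    for key, summary in flapping_vhids(parse_carp_events(SAMPLE_LOG)).items():
        print(f"{key}: {summary['transitions']} transitions, "
              f"{summary['max_in_window']} within window, last {summary['last_state']}")
        for reason, count in sorted(summary["reasons"].items()):
            print(f"    {count}x {reason}")
```

Feed it `clog /var/log/system.log` output or the exported system log; 1@em1 is reported as flapping with an even split of the two reasons, while 2@em2, which only ever made the normal INIT to BACKUP to MASTER progression, is not. Thresholds are deliberately parameters: a single failover during maintenance produces two or three transitions and should not alarm.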

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved