Messages - mimugmail

6661
Development and Code Review / Re: IPsec Failover project...
« on: July 31, 2017, 06:38:37 pm »
You did it with Sophos and Uplink Interfaces? Does this work stably? I tried it some time ago but it wasn't working as expected.

6662
Development and Code Review / Re: IPsec Failover project...
« on: July 31, 2017, 04:31:05 pm »
1) This would require having a standby host, which has to be implemented by Ad, I'd guess

2) Works only with if_ipsec and Quagga inside, I don't know if this is possible within 17.7 or 18.1


ATM it only works with IKEv2 and redundant uplinks on the client side.

6663
Development and Code Review / Re: IPsec Failover project...
« on: July 31, 2017, 09:05:50 am »
Hi,

what exactly do you expect OPN to do for IPSEC HA?

I'm very experienced in Sophos and ASA, but they don't have predefined HA setups, especially when it comes to IKEv1.

Please have a look at: https://forum.opnsense.org/index.php?topic=5547.0
"ipsec: IKEv2 can handle multiple phase 1 with the same IP"

I'm using this feature with ASA in order to handle SAs based on the key-id field to separate connections. This would allow you to failover to X backup interfaces.

Perhaps this already fits your needs and just needs some documentation

6664
17.7 Legacy Series / Re: When will OPNsense can support Hyper-v gen 2 VM?
« on: July 27, 2017, 08:53:11 am »
I read in IRC it will be reviewed after 17.7 is released .. but nothing official

6665
17.1 Legacy Series / Re: Bridge failover with CARP on OPNSense
« on: July 26, 2017, 03:07:17 pm »
I think this setup is too specific. Normally the failover mode for bridges is bundled ports on the hardware which switch the network regardless of whether the system is powered on.

http://www.nexcom.com/Products/network-and-communication-solutions/entry-level-appliance/entry-level-appliance/network-communication-nsa-1150/Specifications

Dual pair bypass ...


So when your system fails traffic will just be switched

6666
General Discussion / Re: Good-bye PFSense, Hello OPNSense
« on: July 25, 2017, 08:22:53 am »
Hi,

I'm fighting with installing ntopng on a current OPN, but it's the quite bleeding-edge version 3 and therefore there are many errors when compiling it.

6667
German - Deutsch / Re: CARP and LAGG?
« on: July 20, 2017, 04:43:17 pm »
Yes, works wonderfully. It doesn't switch over when only one LAGG member is pulled, though, but that's OK

6668
German - Deutsch / Re: CARP and LAGG?
« on: July 20, 2017, 02:52:00 pm »
Sorry, if you make it VLAN1 and VLAN2 instead of LAN1 and LAN2, everything makes sense :)

Yep, then we had the same thing ... just give it a try with the tunable

6669
German - Deutsch / Re: CARP and LAGG?
« on: July 20, 2017, 01:32:32 pm »
My test setup:

WAN physical IF
LAN1 and LAN2 on LAGG

So 3 CARPs.

When I unplugged WAN, Unit2 was master for WAN and backup for the LANs. And then, on a reboot of Unit2, Unit2 was suddenly master for all of them.

When unplugging one LAGG member, nothing happened (before and after).

Was it like that for you too? It was, right?

6670
17.1 Legacy Series / Re: CARP Bug in 17.1 resulting in split brains or backup always "master" ???
« on: July 19, 2017, 11:03:04 am »
As written in another thread, don't tick "Disable preempt" on both FWs and set a tunable of net.inet.carp.senderr_demotion_factor=0 on both firewalls. Reboot and you're good

6671
German - Deutsch / Re: CARP and LAGG?
« on: July 19, 2017, 10:59:38 am »
I solved the problem by NOT ticking "Disable preempt" on BOTH FWs.

Additionally, a tunable on both systems:

net.inet.carp.senderr_demotion_factor=0

After a reboot of both boxes, the phenomenon as you described it no longer occurred for me.

Give it a try ...


EDIT: Sorry, the reply is meant for "Wayne Train"

6672
17.1 Legacy Series / Re: CARP Bug in 17.1 resulting in split brains or backup always "master" ???
« on: July 14, 2017, 10:24:47 am »
Ahhh, I reread your initial post.

This is not called splitbrain! Splitbrain is when both machines are in master state and you have a flapping of MACs on the switch.

What you have is a mix of master/standby on same machine.

I did a reboot now, and also after the reboot M1 was MASTER on WAN and BACKUP for LAGG, other machine vice versa. Then I pulled out power and plugged in again, now M2 is MASTER for all. Strange ...

6673
17.1 Legacy Series / Re: CARP Bug in 17.1 resulting in split brains or backup always "master" ???
« on: July 14, 2017, 10:06:58 am »
So, I created a LAGG with 2 IF's and on this LAGG 2 VLANs with CARP.
I tested every scenario, no splitbrains, but now MASTER state is always on machine 2.

I believe this has something to do with the LACP balancing because packets for VLAN88 are sent over igb1 and packets for VLAN99 are sent over igb2. Must be something like this.

After a reboot of both machines MASTER state is on machine1 again.

Did you enable fast timeouts on LAGG? This didn't work with my setup, so please don't.

Oh, OK, now I plugged out WAN, then Machine2 is MASTER for WAN and STANDBY for LAGG. Only dis- and enabling CARP fixes this. Hm, also when I plug one cable of LAGG one is MASTER for WAN and the other MASTER for LAN (LAGG). This wasn't the case in my first test.


6674
17.1 Legacy Series / Re: 17.1.9 kills VPN
« on: July 13, 2017, 12:02:33 pm »
Do you also have a log from the client?

6675
17.1 Legacy Series / Re: CARP Bug in 17.1 resulting in split brains or backup always "master" ???
« on: July 12, 2017, 04:17:39 pm »
Quote from: Wayne Train on June 30, 2017, 08:32:27 am
Hi,

no it didn't. And furthermore there seems to be another Bug: After trying with the LAGG, I wanted to delete it, and the whole system crashed. I had this before on both nodes before I did a clean reinstall. OPNsense detected a bug and I filed it with a short description. It was related to some errors and uncaught exceptions in the lagg_edit.php file, but I'm not a programmer...

I'm really hoping, that the next minor release is coming soon, since 17.1.8 isn't really what I expected from OPNsense. 16.x was really fine, I had no issues. Until 17.1.4 everything worked fine and then it started getting really weird...

Thank you.

Seems I found a similar one ...
https://github.com/opnsense/core/issues/1715
