Messages

Hey franco,

i was curious about this issue, so i tested the exact same Hardware with the exact same config on pfsense. There i can activate the Carp Master state without a kernel panic.
With FreeBSD without any Appliance on it, it works too. I've even tested it with OpenBSD, and i got the same Results -> Everything works like a charm.
I will send you the crash report as soon as i can.

Regards,
Edge

Well, i know that the Card is supported.
The Problem is indeed the Intel ix(gbe) driver. I've tuned some variables in /boot/loader.conf.local:
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
But this does not effect my kernel panic.
Even ifconfig ix0 -vlanhwfilter -vlanhwtso -tso which disables TSO does not have an effect.
The behaviour is always the same:
As soon as my Carp IF will be promoted as master, the kernel panic comes up immediately. On PfSense Forum there are quite other people which have the same Problems, but i did not found a working solution yet.
Does anyone have some experience with the Intel ix(gbe) Driver and FreeBSD with Carp and VLAN?

Best Regards

Hello,
yesterday i was curious if Opnsense is ready for my working Environment. So I configured two Sun Blades and installed Opnsense on them.
I configured my Firewall, some IPSec Tunnels and some other small things. Then i wanted to created a HA Environment, so i can reboot or modify one Firewall when it is needed.
But after I created the first Carp Virtual Interface and gave it a IP, my Opnsense Box suddenly wasn't pingable any more. So i had a look at the console via IPMI and there it was: a Kernel Panic. When i reboot the Server, i can work on it again, but only for a few seconds, then the System crashed again.
Here is what i did exactly:
Created some VLANs on my Main NIC (Intel^® Ethernet Converged Network Adapter X540-T1 driver is the Intel ix driver)
Then i created a Carp VIP on one of these VLANs and voila, kernel panic.
I wanted to send you the Bug Report, but this function does not work for me either, i can only click No after a Login.
So here is an excerpt of the Log:

Code Select Expand

<6>carp: demoted by -240 to 0 (pfsync bulk fail)
<6>carp: VHID 142@ix1_vlan3820: BACKUP -> MASTER (preempting a slower master)
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x17
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80a33600
stack pointer         = 0x28:0xfffffe085ec043e0
frame pointer         = 0x28:0xfffffe085ec04450
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = resume, IOPL = 0
current process = 12 (irq265: ix1:que 0)
version.txt06000016412503550450  7613 ustarrootwheelFreeBSD 10.1-RELEASE-p6 #0 5aa5ada(master): Thu Feb 26 16:26:03 CET 2015
    root@sensey64:/usr/obj/usr/src/sys/SMP
If you are interessted in the full log, i can send it via E-Mail to you.
For now, is my NIC incompatible or can i fix this Problem somehow?

Best Regards...
Edge

I found something strange, i think it's only an issue with the Webgui:

When i establish an IPSec IKEv1 Site-to-Site Connection between two endpoints, everything works like a charm. I can ping through the tunnel, can transfer data etc.
But in the Gui Status -> IPSec -> Overview the Tunnel has always Status disconnected.
Again: Traffic is working well, in both directions, i've played with Firewall Rules but nothing gets me another Status than disconnected even the Tunnel is up and running.
Could you be so kind to check this?

Thanks in advance

Hi franco,

thx for your little Update. IKEv1 works like a charm now.
I'm waiting for your input, when i finish the script, i will commit it to the community for an easy-migration of their pf.conf Firewalls.

Greetings

Hi Folks,

i've installed opnsense and tested it. Seems very interessting for me and i think i will change our OpenBSD Firewall to Opnsense soon.
I have 2 Questions:
1.) Do you support ikev1? We have some Customers which still use ikev1 for IPSec VPN. I tried to establish a VPN between them and my Opnsense GW, but when i choose ikev1 i only receive "charon: 03[NET] received unsupported IKE version 1.0 from 1.2.3.4, sending INVALID_MAJOR_VERSION" Could you give me a hint?
2.) I have a large pf.conf from my Firewall and i don't want to copy it via Browser. So i would like to write a Script which converts my pf.conf to a format which fits to Opnsense. I've searched via command line but i wasn't able to find the file where to save Firewall Rules. Could you give an advise here where to find the file?
Thanks and keep going!

Hi there,

i've found this interesting new Project today while searching for a Firewall Appliance which can handle BGP.
Is Opnsense bgp aware (pfsense e.g. has BGP capability)
Or are there any other possible solutions (something like quagga and opnsense together in one hardware) ?

Best Regards..
Edge