Connection hiccups with Pfsense and Carp

Hi Guys,
I'm facing some issues with Pfsense and a Carp setup where connections are not dropped but the connection is not stable.
I have set macspoof on the VM that runs Pfsense, because it needs it for Carp.
My tcpdump actually gives good results, a single P, so that looks good as well.
I have tested this with things like sending emails and so on, uploading large files. It seems on sending emails that you most of the time have to cancel a send and resend it; sending goes well then. A tcpdump on such a mailserver looks fine.
For uploading large images it seems that it's slow in uploading because of disconnects, also with a good tcpdump.
Do I need to make specific settings on the vswitch or the real switch in between?
Or is something else going on?
Cheers,
Matt

This is resolved. It seems that skews that pfsense sets on a backup/failover cluster node are much higher than they were set manually. Pfsense synced them again and it's solved.
2014-04-15 8:52 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
> Hi Guys,
> I'm facing some issues with Pfsense and a Carp setup where connections are not dropped but the connection is not stable.
> I have set macspoof on the VM that runs Pfsense, because it needs it for Carp.
> My tcpdump actually gives good results, a single P, so that looks good as well.
> I have tested this with things like sending emails and so on, uploading large files. It seems on sending emails that you most of the time have to cancel a send and resend it; sending goes well then. A tcpdump on such a mailserver looks fine.
> For uploading large images it seems that it's slow in uploading because of disconnects, also with a good tcpdump.
> Do I need to make specific settings on the vswitch or the real switch in between?
> Or is something else going on?
> Cheers,
> Matt

Traffic issues are solved, but the advertising is not that well.
I see on ESXi (vSphere) that you need to enable "Promiscuous Mode", but how on oVirt?
http://www.blissfulidiot.com/2013/11/using-carp-with-vmware-esxi.html
Do I need the vdsm-hook-promisc for it? As I need to make real settings on a VM there, I think the vswitch only needs the mode.
Information is welcome!
2014-04-16 11:18 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
> This is resolved.
> It seems that skews that pfsense sets on a backup/failover cluster node are much higher than they were set manually. Pfsense synced them again and it's solved.

OK, also this is finetuned, but it would be nice to have some more info about the hooks in these cases... it's interesting as oVirt has the right settings to start with but we need to know what we need to set when we have a setup like this for an example.
2014-04-17 0:35 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
> Traffic issues are solved, but the advertising is not that well.
> I see on ESXi (vSphere) that you need to enable "Promiscuous Mode", but how on oVirt?
> http://www.blissfulidiot.com/2013/11/using-carp-with-vmware-esxi.html
> Do I need the vdsm-hook-promisc for it? As I need to make real settings on a VM there, I think the vswitch only needs the mode.
> Information is welcome!

On 17.04.2014 01:11, Matt . wrote:
> OK, also this is finetuned, but it would be nice to have some more info about the hooks in these cases... it's interesting as oVirt has the right settings to start with but we need to know what we need to set when we have a setup like this for an example.
Well, maybe begin yourself as a good example and write down for the community / others what you did to solve your problems? I'm a little amazed you want to know from others the settings needed but you don't provide anything of your settings you already tweaked to achieve your goal. A good way to start would maybe be etherpad.ovirt.org and write some FAQ for the most common use cases? If no one else is willing to start I will do it at some time (when I have some). But this will most likely be in my spare time, so don't expect too much. :)
--
Regards
Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID No.: DE814773217, HRA 6640, AG Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

On Thu, Apr 17, 2014 at 01:11:13AM +0200, Matt . wrote:
> OK, also this is finetuned, but it would be nice to have some more info about the hooks in these cases... it's interesting as oVirt has the right settings to start with but we need to know what we need to set when we have a setup like this for an example.
Could you explain what you have done, and what do you need promiscuity for? oVirt has "port mirroring" that allows to mirror IP traffic from one VM network to another.

Hi Guys,
I'm not able to write a howto yet as we need to check how this is running on high traffic and we are going soon. Then, we need to test some other functions before I can actually write something down.
Because this is not all documented well indeed I'm in testmode and doing some @ life system as real-life environments are always coming with other things than your perfect test.
I cannot say I needed promiscuity, I did some things you would normally do on pfsense which fixed that part. Some old message you really need to discard instead of clicking it away was confusing this test.
2014-04-17 9:08 GMT+02:00 Dan Kenigsberg <danken@redhat.com>:
> On Thu, Apr 17, 2014 at 01:11:13AM +0200, Matt . wrote:
> > OK, also this is finetuned, but it would be nice to have some more info about the hooks in these cases... it's interesting as oVirt has the right settings to start with but we need to know what we need to set when we have a setup like this for an example.
> Could you explain what you have done, and what do you need promiscuity for? oVirt has "port mirroring" that allows to mirror IP traffic from one VM network to another.

On 04/17/2014 04:08 AM, Matt . wrote:
> Hi Guys,
> I'm not able to write a howto yet as we need to check how this is running on high traffic and we are going soon. Then, we need to test some other functions before I can actually write something down.
> Because this is not all documented well indeed I'm in testmode and doing some @ life system as real-life environments are always coming with other things than your perfect test.
> I cannot say I needed promiscuity, I did some things you would normally do on pfsense which fixed that part. Some old message you really need to discard instead of clicking it away was confusing this test.
You are not supposed to need the promiscuous hook for sniffing/mirroring - that's by now part of engine/vdsm (at vnic level in earlier versions, and at network profile in later versions iirc)
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi,
I really needed to enable the hook... Will investigate on new hosts!
2014-05-11 22:37 GMT+02:00 Itamar Heim <iheim@redhat.com>:
> On 04/17/2014 04:08 AM, Matt . wrote:
> > Hi Guys,
> > I'm not able to write a howto yet as we need to check how this is running on high traffic and we are going soon. Then, we need to test some other functions before I can actually write something down.
> > Because this is not all documented well indeed I'm in testmode and doing some @ life system as real-life environments are always coming with other things than your perfect test.
> > I cannot say I needed promiscuity, I did some things you would normally do on pfsense which fixed that part. Some old message you really need to discard instead of clicking it away was confusing this test.
> You are not supposed to need the promiscuous hook for sniffing/mirroring - that's by now part of engine/vdsm (at vnic level in earlier versions, and at network profile in later versions iirc)

Itamar,
On some testhost I'm updating now to 3.4(.x) I also need to install the hook it seems... it's not there by default.
Any idea why you thought it should be?
Cheers,
Matt
2014-05-12 14:55 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
> Hi,
> I really needed to enable the hook... Will investigate on new hosts!

On 05/15/2014 04:26 AM, Matt . wrote:
> Itamar,
> On some testhost I'm updating now to 3.4(.x) I also need to install the hook it seems... it's not there by default.
> Any idea why you thought it should be?
There is no need for the hook for port mirroring. You can define a vnic profile with port mirroring via the engine and vdsm has this feature built-in.
If you need more than just port mirroring (say, port forwarding), then you still need the hook.
> Cheers,
> Matt

OK, now I'm confused.
For MacSpoofing we per default don't have the "macspoof" feature in the engine, am I right?
To get that... you need to set:
engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X
But no hook needs to be installed for this? I don't have ping at the moment with macspoof set on true on a VM.
2014-05-15 12:35 GMT+02:00 Itamar Heim <iheim@redhat.com>:
> On 05/15/2014 04:26 AM, Matt . wrote:
> > Itamar,
> > On some testhost I'm updating now to 3.4(.x) I also need to install the hook it seems... it's not there by default.
> > Any idea why you thought it should be?
> There is no need for the hook for port mirroring. You can define a vnic profile with port mirroring via the engine and vdsm has this feature built-in.
> If you need more than just port mirroring (say, port forwarding), then you still need the hook.
> > Cheers,
> > Matt

On 05/15/2014 06:42 AM, Matt . wrote:
> OK, now I'm confused.
> For MacSpoofing we per default don't have the "macspoof" feature in the engine, am I right?
> To get that... you need to set:
> engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X
> But no hook needs to be installed for this? I don't have ping at the moment with macspoof set on true on a VM.
Macspoofing is more than just promiscuous mode for port mirroring, which does require the hook to be installed (and the VM to be restarted)
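Added example (not part of any poster's message, and not oVirt or pfSense code): why the pfSense VM in this thread needs MAC spoofing allowed for CARP, and how the advertisement skew mentioned earlier decides which node is master. It parses constructed CARP advertisements and models the MAC anti-spoofing filter as "source MAC must equal the vNIC's own MAC", which is an assumption about the filter's behaviour; the node names, MAC addresses and IP addresses are made up for the illustration.

```python
import struct

CARP_PROTO = 112                                # IP protocol number CARP shares with VRRP
CARP_MCAST_MAC = bytes.fromhex("01005e000012")  # Ethernet address for 224.0.0.18


def carp_vmac(vhid: int) -> bytes:
    """Virtual MAC used as source of CARP advertisements: 00:00:5e:00:01:<vhid>."""
    return bytes.fromhex("00005e0001") + bytes([vhid])


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_carp_frame(vhid: int, advbase: int, advskew: int, src_ip: bytes) -> bytes:
    """Constructed sample advertisement; checksums, counter and HMAC are left zeroed."""
    # CARP header: version/type, vhid, advskew, authlen, demote, advbase, cksum, counter, md
    carp = bytes([0x21, vhid, advskew, 7, 0, advbase]) + bytes(2 + 8 + 20)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255,
                     CARP_PROTO, 0, src_ip, bytes([224, 0, 0, 18]))
    eth = CARP_MCAST_MAC + carp_vmac(vhid) + struct.pack("!H", 0x0800)
    return eth + ip + carp


def parse_carp(frame: bytes):
    """Return the CARP fields of an Ethernet/IPv4 frame, or None if it is not CARP.

    VRRPv2 uses the same protocol number and first byte; this example assumes
    the network only carries CARP.
    """
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != CARP_PROTO:
        return None
    carp = frame[14 + ihl:]
    if len(carp) < 6 or carp[0] != 0x21:        # version 2, type 1 = advertisement
        return None
    _, vhid, advskew, _authlen, _demote, advbase = carp[:6]
    return {
        "src_mac": fmt_mac(frame[6:12]),
        "vhid": vhid,
        "advbase": advbase,
        "advskew": advskew,
        # Seconds between advertisements; a higher skew means a slower advertiser.
        "interval": advbase + advskew / 256,
    }


def antispoof_drops(frame: bytes, vnic_mac: bytes) -> bool:
    """Assumed filter model: drop any frame whose source MAC is not the vNIC's."""
    return frame[6:12] != vnic_mac


def expected_master(adverts):
    """The node advertising most often (smallest interval) wins the election."""
    return min(adverts, key=lambda a: a["interval"])


# Constructed sample: two firewall VMs sharing VHID 1 (all values hypothetical).
NODES = {
    "node-a": {"vnic": bytes.fromhex("001a4a000001"), "ip": bytes([192, 0, 2, 2]), "advskew": 0},
    "node-b": {"vnic": bytes.fromhex("001a4a000002"), "ip": bytes([192, 0, 2, 3]), "advskew": 100},
}


def report(nodes=NODES, vhid=1, advbase=1):
    rows = []
    for name, cfg in nodes.items():
        frame = build_carp_frame(vhid, advbase, cfg["advskew"], cfg["ip"])
        ad = parse_carp(frame)
        ad["node"] = name
        ad["dropped_by_filter"] = antispoof_drops(frame, cfg["vnic"])
        rows.append(ad)
    return rows


if __name__ == "__main__":
    rows = report()
    for row in rows:
        print(row)
    print("expected master:", expected_master(rows)["node"])
```

Both advertisements leave from the shared virtual MAC rather than the vNIC's own address, so a filter pinned to the vNIC MAC drops them and the peers never hear each other.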

OK, we are on the same line there.
The issue is that it doesn't work on this host, others do.
I have a 3.3 cluster and 3.4... both are enabled using the command... or can't you have 2 versions?
2014-05-15 12:43 GMT+02:00 Itamar Heim <iheim@redhat.com>:
> On 05/15/2014 06:42 AM, Matt . wrote:
> > OK, now I'm confused.
> > For MacSpoofing we per default don't have the "macspoof" feature in the engine, am I right?
> > To get that... you need to set:
> > engine-config -s EnableMACAntiSpoofingFilterRules=false --cver=3.X
> > But no hook needs to be installed for this? I don't have ping at the moment with macspoof set on true on a VM.
> Macspoofing is more than just promiscuous mode for port mirroring, which does require the hook to be installed (and the VM to be restarted)

On 05/15/2014 06:45 AM, Matt . wrote:
> OK, we are on the same line there.
> The issue is that it doesn't work on this host, others do.
> I have a 3.3 cluster and 3.4... both are enabled using the command... or can't you have 2 versions?
Multiple versions shouldn't be an issue. I'll let danken and others continue to troubleshoot why not working though.
2014-05-15 12:43 GMT+02:00 Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com>>:
On 05/15/2014 06:42 AM, Matt . wrote:
OK, now I'm confused.
For MacSpoofing we per default don't have the "macspoof" feature in the engine am I right ?
To get that... you need to set:
engine-config -s EnableMACAntiSpoofingFilterRul__es=false --cver=3.X
But no hook needs to be installed for this ? I don't have ping at the momment with macspoof set on true on a VM.
macspoofing is more than just promiscuous mode for port mirroring, which does require the hook to be installed (and the VM to be restarted)
2014-05-15 12:35 GMT+02:00 Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>:
On 05/15/2014 04:26 AM, Matt . wrote:
Itamar,
On some testhost I'm updating now to 3.4(.x) I also need to install the hook it seems... it's not there by default.
Any idea why you thought it should be ?
there is no need for the hook for port mirroring. you can define a vnic profile with port mirroring via the engine and vdsm has this feature built-in.
if you need more than just port mirroring (say, port forwarding), then you still need the hook.
Cheers,
Matt
2014-05-12 14:55 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
Hi,
I really needed to enable the hook... Will investigate on new hosts!
2014-05-11 22:37 GMT+02:00 Itamar Heim <iheim@redhat.com>:
On 04/17/2014 04:08 AM, Matt . wrote:
Hi Guys,
I'm not able to write a howto yet as we need to check how this is running on high traffic and we are going soon. Then, we need to test some other functions before I can actually write something down.
Because this is not all documented well indeed I'm in testmode and doing some @ life system as real-life environments are always coming with other things than your perfect test.
I cannot say I needed promiscuity, I did some things you would normally do on pfsense which fixed that part. Some old message you really need to discard instead of clicking it away was confusing this test.
you are not supposed to need the promiscuous hook for sniffing/mirroring - that's by now part of engine/vdsm (at vnic level in earlier versions, and at network profile in later versions iirc)
2014-04-17 9:08 GMT+02:00 Dan Kenigsberg <danken@redhat.com>:
On Thu, Apr 17, 2014 at 01:11:13AM +0200, Matt . wrote:
> OK, also this is finetuned, but it would be nice to have some more info
> about the hooks in these cases... it's interesting as oVirt has the right
> settings to start with but we need to know what we need to set when we have
> a setup like this for an example.
Could you explain what you have done, and what do you need promiscuity for? oVirt has "port mirroring" that allows to mirror ip traffic from one vm network to another.
> 2014-04-17 0:35 GMT+02:00 Matt . <yamakasi.014@gmail.com>:
> > Traffic issues are solved, but the advertising is not that well.
> >
> > I see on ESXi (vSphere) that you need to enable "Promiscuous Mode", but
> > how on oVirt ?
> >
> > http://www.blissfulidiot.com/2013/11/using-carp-with-vmware-esxi.html
> >
> > Do I need the vdsm-hook-promisc for it ? as I need to make real settings
> > on a VM there I think the vswitch only needs the mode.
> >
> > Information is welcome!

On Thu, May 15, 2014 at 12:45:46PM +0200, Matt . wrote:
OK, we are on the same line there.
The issue is that it doesn't work on this host, others do.
It is very hard for me to follow your condition, and top-posting does not help. Does the macspoof hook work fine on other host? And only here unknown macs are filtered? In that case, we should figure out what is different in this host, and see the domxml of the troublesome VM.

Hi,
I don't do top-postings, just a reply to all.
It works now on all hosts!
I was testing with a Run Once with no macspoof option and changed the CARP IP on the pfsense box to alias, and back to carp... where with alias I was able to ping with carp not... and this was good because of the disabled macspoof option. After this change I was also, with spoof true and not set, able to ping the IP on the CARP interface itself, so I think Pfsense messed something up here with ARP tables (I know from the past).
After a restart of the VM I was able to ping all IP, also CARP as it was starting with macspoof true again.
Some other thing I'm curious about... let's say you have 3 servers in a cluster, 2 installed with the macspoof hook and one not. The VM with macspoof enabled starts on the host without the hook and you migrate it to a host where the hook is installed. What happens... ?
Cheers,
Matt
2014-05-15 13:39 GMT+02:00 Dan Kenigsberg <danken@redhat.com>:
On Thu, May 15, 2014 at 12:45:46PM +0200, Matt . wrote:
OK, we are on the same line there.
The issue is that it doesn't work on this host, others do.
It is very hard for me to follow your condition, and top-posting does not help.
Does the macspoof hook work fine on other host? And only here unknown macs are filtered? In that case, we should figure out what is different in this host, and see the domxml of the troublesome VM.

On Thu, May 15, 2014 at 02:18:39PM +0200, Matt . wrote:
Hi,
I don't do top-postings, just a reply to all.
It works now on all hosts!
I was testing with a Run Once with no macspoof option and changed the CARP IP on the pfsense box to alias, and back to carp... where with alias I was able to ping with carp not... and this was good because of the disabled macspoof option. After this change I was also, with spoof true and not set, able to ping the IP on the CARP interface itself, so I think Pfsense messed something up here with ARP tables (I know from the past).
After a restart of the VM I was able to ping all IP, also CARP as it was starting with macspoof true again.
Some other thing I'm curious about... let's say you have 3 servers in a cluster, 2 installed with the macspoof hook and one not. The VM with macspoof enabled starts on the host without the hook and you migrate it to a host where the hook is installed. What happens... ?
When I answer to your question immediately after it, it's easier to correlate a question and an answer. Top-posting is frowned upon.
Once a domain xml has been created by Vdsm, it is migrated intact to the destination, so there too, no filtering would take place.
Do note that having different installed on your cluster is bound to cause random problems, and is better avoided.
Dan.
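The domxml check Dan asks for above, as an added example that is not part of the thread or of oVirt/VDSM code: it lists each vNIC's `<filterref>` and flags the vNICs on which frames sourced from the CARP virtual MAC would be dropped. The sample XML is constructed, and the filter names `vdsm-no-mac-spoofing`, `no-mac-spoofing` and `clean-traffic` are assumed to be the anti-spoofing filters in use on the host.

```python
import xml.etree.ElementTree as ET

# Assumed names of MAC anti-spoofing nwfilters (VDSM's and libvirt's built-ins).
ANTI_SPOOF = {"vdsm-no-mac-spoofing", "no-mac-spoofing", "clean-traffic"}

# Constructed sample (not from the thread): two vNICs, only the first one
# carries the anti-spoofing filter reference.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>pfsense-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='wan'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='lan'/>
    </interface>
  </devices>
</domain>"""


def carp_mac(vhid):
    """Source MAC that CARP uses for a virtual host ID (00:00:5e:00:01:VHID)."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return "00:00:5e:00:01:%02x" % vhid


def spoof_filter_report(domxml, vhid):
    """Per vNIC: attached nwfilters and whether CARP frames would be dropped."""
    vmac = carp_mac(vhid)
    rows = []
    for iface in ET.fromstring(domxml).findall("./devices/interface"):
        mac, src = iface.find("mac"), iface.find("source")
        filters = [f.get("filter") for f in iface.findall("filterref")]
        nic_mac = mac.get("address").lower() if mac is not None else None
        # An anti-spoofing filter passes only frames sourced from the vNIC's
        # own MAC, so advertisements from the CARP virtual MAC are dropped.
        dropped = bool(ANTI_SPOOF.intersection(filters)) and nic_mac != vmac
        rows.append({"bridge": src.get("bridge") if src is not None else None,
                     "mac": nic_mac, "filters": filters, "carp_dropped": dropped})
    return rows


if __name__ == "__main__":
    for row in spoof_filter_report(SAMPLE_DOMXML, vhid=1):
        print(row)
```

On a host, the input would be the output of `virsh -r dumpxml <vm-name>` for the troublesome VM, compared against the same VM's XML on a host where CARP works.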
participants (4)
- Dan Kenigsberg
- Itamar Heim
- Matt .
- Sven Kieske