Hi,
Configuration mistake? Did you forget a "keep state" or was it another
semantical issue?
No, to clarify, I had to make the firewall rules to the clustered service
stateless. I log all blocked traffic, so I would have seen it if it
was just getting blocked. But it wasn't getting blocked, though; it
just kind of disappeared after going on the bridge. After I
allowed traffic without keeping state from my client machine to the
cluster node it started working (except for the mtu).
So you're saying that pf can't handle fragments with states?
No, I don't have any scrub rules.
Ok.
I set the mtu on the link level. How do you change it at the routing
level? That would definitely be desirable. I'm trying to figure out
When you set up the route, you specify the mtu, something like this:
ip route add 192.168.0.0/24 via 10.10.10.1 dev eth1 mtu 1280
and you check it by its slow cache entry:
ip -o -s -s route show cache
It's extremely simple and straightforward.
why the mtu discovery isn't working. It works if I'm on the same
network, but not if I have to use a route. On the director I get this
on a tcpdump:
08:55:00.924860 192.168.0.48 > 192.168.0.143: icmp: 192.168.0.48 unreachable - need to frag (mtu 1280)
I can't make out much of this, I'm afraid.
But I never see that on 192.168.0.143. Doing a tcpdump on the router,
I see it on vlan0 at 192.168.0.1, which is on the router interface
for 192.168.0.48, but never on vlan2 at 192.168.0.129 which is the
router interface for 192.168.0.143.
Stupid question: Do you have overlapping netmasks?
The mtu on the gif interface is 1280:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
I assume it's because of the overhead of encapsulation.
Yes.
Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc