When I connect my laptop directly to my modem and run a speed test I get the proper 500Mb/s speed. However, when I connect my laptop to my RB750Gr3 (which is connected to the modem) my internet speed goes down to 200Mb/s. I tried with other laptops/devices with the same results. The problem persists regardless of Queues being enabled or disabled. Is there something I need to check on my Mikrotik so that I can obtain 500Mb/s on my devices connected to my router please? My configuration is the following:
# apr/22/2021 19:32:24 by RouterOS 6.48
# software id = 8GVC-967D
#
# model = RB750Gr3
# serial number = 8AFF091B1B69
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz frequency=2462 name=channel1
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
# PPTP client to a third-party "free VPN" service. PPTP's MS-CHAPv2
# authentication is considered broken; if this tunnel is still needed, prefer a
# modern tunnel type. The credentials appear blanked/truncated for posting.
/interface pptp-client
add connect-to=server1.freevpn.me name=VPN-NAME password= user=\
.me
/caps-man datapath
add bridge=bridge1 name=Bridge
/caps-man security
add authentication-types=wpa2-psk,wpa2-eap encryption=aes-ccm name=security1 \
passphrase=
/caps-man configuration
add channel=channel1 country=malta datapath=Bridge mode=ap name=Config \
security=security1 ssid=S
# NOTE(review): the LAN list is built with include=all, so it also contains
# ether1-WAN (and the extra "add list=LAN" member further down has no
# interface). Nothing in this export keys a firewall rule on the LAN list, but
# anything that does later would match WAN traffic as well.
/interface list
add name=WAN
add include=all name=LAN
# NOTE(review): the local wireless security profile still carries its WPA2
# pre-shared key in clear text (the CAPsMAN passphrase above was blanked).
# Redact it, and the serial number in the export header, before sharing.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
2WR133301567
# Layer7 matchers run regexps over connection payload on the CPU and are among
# the more expensive items in this config on an RB750Gr3. Only one mangle rule
# below references a layer7 entry, and it does so by an unresolved "*1" id.
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook).*\$"
add name=Youtube regexp=\
"^.+(youtube.com | googlevideo.com | akamaihd.net).*\$"
add name=Discord regexp="^.+(discord).*\$"
/ip kid-control
add disabled=yes fri=18h-22h mon=18h-22h name="Kyle Schedule" sun=6h-22h thu=\
18h-22h tue=18h-22h wed=18h-22h
/ip pool
add name=dhcp_pool ranges=192.168.2.10-192.168.2.90
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=bridge1 name=dhcp3
# max-limit is upload/download. The parent queue caps the whole LAN at 400M
# download, so 500M cannot be reached while these queues are enabled, and
# queue processing itself is CPU work on this platform.
/queue simple
add max-limit=16M/400M name="All traffic" target=192.168.2.0/24
add max-limit=15M/400M name=Unlimited parent="All traffic" priority=1/1 \
target="192.168.2.196/32,192.168.2.197/32,192.168.2.183/32,192.168.2.184/3\
2,192.168.2.252/32"
add max-limit=3M/150M name=Limited parent="All traffic" target=\
192.168.2.90/32,192.168.2.89/32,192.168.2.13/32
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# NOTE(review): neighbor discovery (MNDP) is enabled on every interface,
# including ether1-WAN, which advertises the router's identity toward the ISP
# side; restrict it to the LAN-facing interfaces. detect-internet is likewise
# set to "all" for every role.
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether2 list=LAN
add interface=bridge1 list=LAN
add list=LAN
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.2.191 client-id=1:d8:9c:67:62:db:9 comment=\
"Elton JC HP Wifi" mac-address=D8:9C:67:62:DB:09 server=dhcp3
add address=192.168.2.188 client-id=1:ec:71:db:54:e1:52 comment="Front CCTV" \
mac-address=EC:71:DB:54:E1:52 server=dhcp3
add address=192.168.2.178 client-id=1:ec:71:db:cf:28:71 comment="Living CCTV" \
mac-address=EC:71:DB:CF:28:71 server=dhcp3
add address=192.168.2.173 comment="Security System" mac-address=\
00:1F:08:04:92:7B server=dhcp3
add address=192.168.2.177 client-id=1:f4:81:39:e2:e9:39 comment=\
"Canon Printer" mac-address=F4:81:39:E2:E9:39 server=dhcp3
add address=192.168.2.254 client-id=1:4:18:d6:9e:f5:9a comment="Ubiquiti AP" \
mac-address=04:18:D6:9E:F5:9A server=dhcp3
add address=192.168.2.2 client-id=1:74:4d:28:72:fd:c3 comment="BedRoom CAP" \
mac-address=74:4D:28:72:FD:C3 server=dhcp3
add address=192.168.2.90 client-id=1:d4:5d:64:4:29:8a comment=\
"K gaming PC Lan" mac-address=D4:5D:64:04:29:8A server=dhcp3
add address=192.168.2.162 comment="Argus CCTV" mac-address=18:62:E4:37:97:DC \
server=dhcp3
add address=192.168.2.114 mac-address=68:9A:87:82:82:EF server=dhcp3
add address=192.168.2.100 client-id=1:f4:91:1e:d1:b8:74 mac-address=\
F4:91:1E:D1:B8:74 server=dhcp3
add address=192.168.2.118 client-id=1:66:f9:11:61:a8:69 comment="OnePlus 6" \
mac-address=66:F9:11:61:A8:69 server=dhcp3
add address=192.168.2.109 client-id=1:c4:84:66:b7:10:9a mac-address=\
C4:84:66:B7:10:9A server=dhcp3
add address=192.168.2.119 client-id=1:98:9:cf:5a:1c:f1 comment="OnePlus 7" \
mac-address=98:09:CF:5A:1C:F1 server=dhcp3
add address=192.168.2.199 client-id=1:8c:85:90:78:bf:29 comment="Macbook Pro" \
mac-address=8C:85:90:78:BF:29 server=dhcp3
add address=192.168.2.198 client-id=1:7c:d3:a:75:82:5d comment=\
"work laptop wifi" mac-address=7C:D3:0A:75:82:5D server=dhcp3
add address=192.168.2.101 client-id=1:58:40:4e:ae:3e:66 comment="iPad" \
mac-address=58:40:4E:AE:3E:66 server=dhcp3
add address=192.168.2.197 client-id=1:d0:c6:37:60:cb:10 comment=\
"Work Laptop Wifi" mac-address=D0:C6:37:60:CB:10 server=dhcp3
add address=192.168.2.194 client-id=1:54:88:e:a0:dd:b3 comment=\
"Samsung Living Rm TV Wifi" mac-address=54:88:0E:A0:DD:B3 server=dhcp3
add address=192.168.2.120 comment="Android Box FTP" mac-address=\
00:11:6E:03:08:46 server=dhcp3
add address=192.168.2.196 client-id=1:94:5:bb:16:d1:4c comment="mac wired" \
mac-address=94:05:BB:16:D1:4C server=dhcp3
add address=192.168.2.193 client-id=1:5e:51:c8:d7:2d:1f comment=\
"Ipad2" mac-address=5E:51:C8:D7:2D:1F server=dhcp3
add address=192.168.2.192 client-id=1:24:4b:3:a7:c1:37 comment=\
"Samsung Living Room TV Ethernet" mac-address=24:4B:03:A7:C1:37 server=\
dhcp3
add address=192.168.2.110 client-id=1:3e:30:3e:f7:c6:be mac-address=\
3E:30:3E:F7:C6:BE server=dhcp3
add address=192.168.2.89 client-id=1:dc:41:a9:1:30:1a comment="Surface" \
mac-address=DC:41:A9:01:30:1A server=dhcp3
add address=192.168.2.250 client-id=1:74:ac:b9:6c:4c:c7 comment=\
"Ubiquity Living rm" mac-address=74:AC:B9:6C:4C:C7 server=dhcp3
add address=192.168.2.202 client-id=1:54:4:a6:a6:db:f4 mac-address=\
54:04:A6:A6:DB:F4 server=dhcp3
add address=192.168.2.190 client-id=1:c8:d9:d2:9c:4a:15 comment=\
"Dongle Wired" mac-address=C8:D9:D2:9C:4A:15 server=dhcp3
add address=192.168.2.200 client-id=1:c8:d9:d2:7d:d3:d3 comment="JC Wired" \
mac-address=C8:D9:D2:7D:D3:D3 server=dhcp3
# DHCP clients are handed OpenDNS directly, so the router's own resolver
# (allow-remote-requests below) is only used by hosts configured by hand.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.2.1 netmask=24
# The router answers DNS for the LAN; the two input-chain rules in the filter
# section that drop UDP/TCP 53 arriving on ether1-WAN keep it from acting as an
# open resolver toward the internet.
/ip dns
set allow-remote-requests=yes
# NOTE(review): "192.168.2.254-192.168.2.250" is written high-to-low; verify it
# matches the intended .250-.254 range. The youtube/tiktok entries are
# hostnames the router resolves, so the firewall matches whatever addresses
# those names currently resolve to (CDN ranges shared with other services).
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
add address=www.youtube.com list="Block youtube"
add address=googlevideo.com list="Block youtube"
add address=v16a.tiktokcdn.com list="Block tiktok"
add address=p16-tiktokcdn-com.akamaized.net list="Block tiktok"
add address=log.tiktokv.com list="Block tiktok"
add address=ib.tiktokv.com list="Block tiktok"
add address=api-h2.tiktokv.com list="Block tiktok"
add address=v16m.tiktokcdn.com list="Block tiktok"
add address=api.tiktokv.com list="Block tiktok"
add address=v19.tiktokcdn.com list="Block tiktok"
add address=mon.musical.ly list="Block tiktok"
add address=api2-16-h2.musical.ly list="Block tiktok"
add address=api2.musical.ly list="Block tiktok"
add address=log2.musical.ly list="Block tiktok"
add address=api2-21-h2.musical.ly list="Block tiktok"
add address=192.168.2.101 disabled=yes list=VPN
add address=240.0.0.0/4 comment=Reserved list=Bogons
add address=192.168.2.177-192.168.2.188 list="Allow WAN"
add address=192.168.2.118/31 list="Allow WAN"
add address=192.168.2.190-192.168.2.202 list="Allow WAN"
add address=192.168.2.173 list="Allow WAN"
add address=192.168.2.254-192.168.2.250 list="Allow WAN"
add address=192.168.2.101 list="Allow WAN"
add address=192.168.2.89 list="Allow WAN"
add address=192.168.2.118 list="Allow Lan"
add address=192.168.2.16 list="Allow Lan"
# NOTE(review): there is no fasttrack-connection rule for
# connection-state=established,related. The only fasttrack rules (DNS, port 53)
# sit at the end of the forward chain, after "accept established,related",
# which established traffic never gets past. In practice every forwarded
# packet therefore traverses the full filter, mangle and queue path on the CPU.
# (Fasttracked traffic bypasses simple queues, so the two have to be balanced.)
# "Tiktok drop" additionally logs every matched packet, which adds load.
/ip firewall filter
# inactive time
add action=drop chain=forward comment="Disable ALL WAN" out-interface=\
ether1-WAN src-address-list="!Allow Lan" time=\
21h30m-7h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Disable Selective WAN" disabled=yes \
out-interface=ether1-WAN src-address-list="!Allow WAN"
add action=drop chain=forward comment="Disable WAN on DHCP with time" \
disabled=yes out-interface=ether1-WAN src-address=\
192.168.2.3-192.168.2.99 time=20h-17h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Tiktok drop" dst-address-list=\
"Block tiktok" log=yes log-prefix=tk protocol=tcp
add action=accept chain=input disabled=yes port=69 protocol=udp
add action=accept chain=forward disabled=yes port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="DNS from outside drop UDP" dst-port=53 \
in-interface=ether1-WAN protocol=udp
add action=drop chain=input comment="DNS from outside drop TCP" dst-port=53 \
in-interface=ether1-WAN protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="Allow ping" dst-limit=\
30,30,dst-address/1m40s limit=30,30:packet protocol=icmp
add action=accept chain=input comment="Accept established" connection-state=\
established
add action=accept chain=input comment="Accept related" connection-state=\
related
add action=drop chain=input comment="Drop the rest" in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
dst-port=53 protocol=udp
# The rule below is named "Facebook" but sets new-connection-mark=youtube_conn
# and only matches UDP/53, i.e. it marks DNS lookups rather than service
# traffic. Its layer7-protocol=*1 is an internal id, which in an export usually
# means the referenced layer7 entry no longer resolves — worth removing or
# fixing, since it still costs CPU on every new UDP/53 connection.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Facebook -created automatically Layer 7" connection-mark=no-mark \
dst-port=53 layer7-protocol=*1 new-connection-mark=youtube_conn \
passthrough=yes protocol=udp
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=vpn \
passthrough=yes src-address-list=VPN
# The last two rules pin 192.168.2.118's DNS to 8.8.8.8 (UDP and TCP),
# bypassing the router's resolver; the UDP rule carries a log-prefix but log is
# not enabled, so nothing is written.
/ip firewall nat
add action=redirect chain=dstnat comment="Proxy redirect" disabled=yes \
dst-port=80 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat disabled=yes out-interface=VPN-NAME
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 log-prefix=elt protocol=udp \
src-address=192.168.2.118 to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
192.168.2.118 to-addresses=8.8.8.8
/ip kid-control device
add mac-address=44:D8:84:31:BA:15 name=kyle-iphone user="kSchedule"
add mac-address=A8:5E:45:63:DF:95 name=kyle-gaming user="kSchedule"
add mac-address=00:E0:33:2D:B8:2F name=Kyle-samsung-pc user="kSchedule"
add mac-address=4C:63:71:E3:32:1D name=kyle-xaomi user="kSchedule"
add mac-address=D4:5D:64:04:29:8A name=kyle-gaming-lan user="kSchedule"
add mac-address=B4:B6:76:79:B9:4F name="kyle Samsung PC" user="kSchedule"
# Web proxy with an on-disk cache; its only consumer in this export is the
# disabled "Proxy redirect" dstnat rule. The "#" in the administrator address is
# probably a garbled "@" from posting.
/ip proxy
set cache-administrator=anon#gmail.com cache-on-disk=yes cache-path=\
disk1/webproxy
/ip route
add distance=1 gateway=VPN-NAME routing-mark=vpn
add disabled=yes distance=1 dst-address=192.168.0.1/32 gateway=ether1-WAN
# telnet/ftp/api/api-ssl are disabled; the remaining services (www, ssh,
# winbox, ...) are not listed, so they keep their defaults and have no
# address= restriction here. Their reachability from the WAN then depends
# entirely on the input-chain "Drop the rest" rule above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): allow-none-crypto=yes permits SSH sessions that negotiate the
# "none" cipher (unencrypted); set it to no unless something specifically needs
# it. forwarding-enabled=remote allows remote port forwarding through the router.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# UPnP is enabled but no "/ip upnp interfaces" section appears in this export,
# so either it is inert or that section was omitted. UPnP lets any LAN host
# open inbound ports on its own; disable it if it is not deliberately used.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Malta
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
Your problem certainly comes from the CPU. You have some firewall rules that consume CPU (especially the layer7 ones), and the RB750Gr3 does not have much CPU power.
To verify this: open WinBox, watch the CPU load while running a bandwidth test, and check whether the CPU goes to 100%. Disable some firewall rules (not the queues), try again, and so on.
I am a newbie to OpenStack (deployed using kolla-ansible) and have created two instances, both Ubuntu 20.04 VMs. I am able to ping and SSH to them from the host machine (192.168.211.133) and vice versa. However, the instances are unable to access the internet. The virtual router is also unable to access the internet:
The configuration of one of the machines is below:
root@kypo-virtual-machine:/etc/apt/sources.list.d# ip netns ls
qrouter-caca1d42-86b4-42a2-b591-ec7a90437029 (id: 1)
qdhcp-0ec41857-9420-4322-9fef-e332c034e98e (id: 0)
root@kypo-virtual-machine:/etc/apt/sources.list.d# ip netns e qrouter-caca1d42-86b4-42a2-b591-ec7a90437029 route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.211.1 0.0.0.0 UG 0 0 0 qg-f31a26b7-25
192.168.64.0 0.0.0.0 255.255.192.0 U 0 0 0 qr-e5c8842c-c2
192.168.211.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-f31a26b7-25
Netplan of instance shows:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            match:
                macaddress: fa:16:3e:a7:9d:70
            # 1450 leaves headroom for overlay encapsulation on the tenant
            # network (presumably VXLAN/GRE, pushed by the Neutron DHCP
            # server) — confirm against the network's configured MTU.
            mtu: 1450
            set-name: ens3
And the IP scheme is:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc
fq_codel state UP group default qlen 1000
link/ether fa:16:3e:a7:9d:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.65.39/18 brd 192.168.127.255 scope global dynamic ens3
valid_lft 85719sec preferred_lft 85719sec
inet6 fe80::f816:3eff:fea7:9d70/64 scope link
valid_lft forever preferred_lft forever
From Horizon
IP Addresses
kypo-base-net
192.168.65.39, 192.168.211.250
Security Groups
kypo-base-proxy-sg
ALLOW IPv6 to ::/0
ALLOW IPv4 icmp from 0.0.0.0/0
ALLOW IPv4 22/tcp from 0.0.0.0/0
ALLOW IPv4 udp from b9904736-6d8a
ALLOW IPv4 tcp from b9904736-6d8a
ALLOW IPv4 tcp from 73ca626b-7cfb
ALLOW IPv4 udp from 73ca626b-7cfb
ALLOW IPv4 to 0.0.0.0/0
I was able to resolve the issue by pinpointing that the gateway used by the virtual router (192.168.211.1) was different from the one used by my host VM (192.168.211.2).
kypo@kypo-virtual-machine:/etc/kolla$ ip route show
default via 192.168.211.2 dev ens33 proto dhcp
src 192.168.211.133 metric 100
I modified the gateway:
openstack subnet set --gateway 192.168.211.2 public-subnet
And now my instances are able to access the internet.
The root cause of this configuration issue was that, while creating the subnet, I used `auto` for the `--gateway` option, and it obviously did not pick the correct gateway.
I have 2 providers on my MikroTik:
eth1 - grey (dynamic) IP
eth3 - PPPoE - white static IP (ADSL modem)
How can I connect from WinBox to the static IP?
/ip firewall mangle
add action=mark-connection chain=input comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 \
passthrough=no
add action=mark-connection chain=input comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe new-connection-mark=conn_isp3 \
passthrough=no
add action=mark-routing chain=output connection-mark=conn_isp1 new-routing-mark=isp1 passthrough=no
add action=mark-routing chain=output connection-mark=conn_isp3 new-routing-mark=isp3 passthrough=no
8291 is open
I can ping to pppoe.
When I try to connect I get " login failure for user xxx from xxx via winbox"
Check `/ip service print`; if www is not enabled, just run `/ip service enable www`.
Then you can adjust the firewall to accept the connections you want, from which addresses and which interface.
I am trying to create a cluster between 2 nodes with 2 network interfaces each. The idea is that the cluster fails over to the other node when either of the active node's two interfaces goes down (or both). The problem is that the cluster only fails over if the eth1 interface of the active node goes down. If the eth0 interface of the active node goes down, the cluster never fails over.
This is the network configuration of the nodes:
node1:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.3 netmask 255.255.255.248 broadcast 192.168.0.7
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.26.34.2 netmask 255.255.255.248 broadcast 172.26.34.7
node2:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.4 netmask 255.255.255.248 broadcast 192.168.0.7
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.26.34.3 netmask 255.255.255.248 broadcast 172.26.34.7
These are the commands I use to create the cluster between the nodes and assign the resources:
# NOTE(review): the hacluster password is passed on the command line (-p 1234),
# so it ends up in shell history and process listings; let pcs prompt for it.
pcs cluster auth node1 node2 -u hacluster -p 1234 --debug --force
pcs cluster setup --name HAFirewall node1 node2 --force
pcs cluster start --all
# Both VIPs are placed in one group, so they start/stop together on one node.
# IPaddr2's monitor checks that the address is configured on the NIC; as far
# as I can tell it does not by itself detect the link going down — presumably
# why an eth0 failure is not acted on (confirm against the agent's docs).
pcs resource create VirtualIP_eth0 ocf:heartbeat:IPaddr2 ip=192.168.0.1 cidr_netmask=29 nic=eth0 op monitor interval=30s --group InterfacesHA
pcs resource create VirtualIP_eth1 ocf:heartbeat:IPaddr2 ip=172.26.34.1 cidr_netmask=29 nic=eth1 op monitor interval=30s --group InterfacesHA
# NOTE(review): no fencing plus ignoring quorum loss means a network split
# leaves both nodes free to claim the VIPs (split brain). Acceptable for a lab,
# not for a production firewall pair.
pcs property set stonith-enabled=false
pcs property set no-quorum-policy=ignore
pcs resource enable InterfacesHA
This is the configuration of the corosync.conf file:
totem {
    version: 2
    # NOTE(review): secauth: off disables authentication and encryption of the
    # totem ring; any host that can reach the ring network can inject cluster
    # messages. Turn it on unless the ring runs over an isolated link.
    secauth: off
    cluster_name: HAFirewall
    transport: udpu
}
nodelist {
    # A single ring (ring0) addressed by hostname: corosync only sees the
    # interface the node names resolve to, so a failure of the other NIC is
    # invisible to it (the answer on this page proposes a second ring).
    node {
        ring0_addr: node1
        nodeid: 1
    }
    node {
        ring0_addr: node2
        nodeid: 2
    }
}
quorum {
    provider: corosync_votequorum
    # two_node: 1 lets a lone node keep quorum; together with
    # stonith-enabled=false in the pcs setup there is nothing stopping both
    # nodes from running the VIPs at once if the ring splits.
    two_node: 1
}
logging {
    to_logfile: yes
    logfile: /var/log/corosync/corosync.log
    to_syslog: yes
}
This is the output of the pcs status command:
Cluster name: HAFirewall
Stack: corosync
Current DC: node1 (version 1.1.16-94ff4df) - partition WITHOUT quorum
Last updated: Tue Oct 27 19:01:35 2020
Last change: Tue Oct 27 18:22:27 2020 by hacluster via crmd on node2
2 nodes configured
2 resources configured
Online: [ node1 ]
OFFLINE: [ node2 ]
Full list of resources:
Resource Group: InterfacesHA
VirtualIP_eth0 (ocf::heartbeat:IPaddr2): Started node1
VirtualIP_eth1 (ocf::heartbeat:IPaddr2): Started node1
Daemon Status:
corosync: active/disabled
pacemaker: active/disabled
pcsd: active/enabled
This is the output of the crm configure show command:
node 1: node1
node 2: node2
primitive VirtualIP_eth0 IPaddr2 \
params ip=192.168.0.1 cidr_netmask=29 \
op start interval=0s timeout=20s \
op stop interval=0s timeout=20s \
op monitor interval=30s
primitive VirtualIP_eth1 IPaddr2 \
params ip=172.26.34.1 cidr_netmask=29 \
op start interval=0s timeout=20s \
op stop interval=0s timeout=20s \
op monitor interval=30s
group InterfacesHA VirtualIP_eth0 VirtualIP_eth1
location cli-prefer-InterfacesHA InterfacesHA role=Started inf: node1
property cib-bootstrap-options: \
stonith-enabled=false \
no-quorum-policy=ignore \
have-watchdog=false \
dc-version=1.1.16-94ff4df \
cluster-infrastructure=corosync \
cluster-name=HAFirewall
And these are the interfaces of node1 when it is active and has the virtual IPs up:
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:90:a5:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.3/29 brd 192.168.0.7 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.1/29 brd 192.168.0.7 scope global secondary eth0
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe90:a558/64 scope link
valid_lft forever preferred_lft forever
eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:90:a5:59 brd ff:ff:ff:ff:ff:ff
inet 172.26.34.2/29 brd 172.26.34.7 scope global eth1
valid_lft forever preferred_lft forever
inet 172.26.34.1/29 brd 172.26.34.7 scope global secondary eth1
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe90:a559/64 scope link
valid_lft forever preferred_lft forever
Any idea why the cluster works perfectly when the eth1 interface is down but does not work when the eth0 interface is down?
Greetings and thanks.
I believe you need to specify both interfaces in corosync.conf:
interface {
ringnumber: 0
bindnetaddr: 192.168.0.4
...
interface {
ringnumber: 1
bindnetaddr: 172.26.34.3
...
I need to set up a VIP with pcs in a two-node CentOS 7 cluster. The resource is defined like this:
pcs resource create MyVip ocf:heartbeat:IPaddr2 ip=10.215.208.164/24 cidr_netmask=24 nic=ens32 op monitor interval=3s
This same config is working well in all other deployments. I just can't understand what the error means:
Failed Actions:
* MyVip_start_0 on node02 'not configured' (6): call=6, status=complete, exitreason='[findif] failed',
last-rc-change='Fri Dec 28 20:47:26 2018', queued=0ms, exec=58ms
This is the interface that seems not to be found:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:92:e2:f9 brd ff:ff:ff:ff:ff:ff
inet 10.215.208.173/24 brd 10.215.208.255 scope global noprefixroute ens32
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe92:e2f9/64 scope link
valid_lft forever preferred_lft forever
If you are getting
vip_start_0 on serv1.XXX.com 'unknown error' (1): call=6, status=complete, exitreason='[findif] failed',
last-rc-change='Sat Sep 19 16:16:19 2020', queued=1ms, exec=159ms
Check if you have NIC setup for the resource:
pcs config
And check in response whether NIC is defined:
Cluster Name: VIP
Corosync Nodes:
serv1.centos7g.com serv2.XXX.com
Pacemaker Nodes:
serv1.centos7g.com serv2.XXX.com
Resources:
Resource: vip (class=ocf provider=heartbeat type=IPaddr2)
Attributes: cidr_netmask=24 ip=192.168.119.200 nic=YOUR_NIC_HERE
You can update nic for an existing resource. Worked for me (CentOS 7.2)
pcs resource update RESOURCE_NAME nic=NIC_NAME
pcs resource cleanup
# check if IP address was created on your NIC interface
ip a s
pcs status
pcs resource create MyVip ocf:heartbeat:IPaddr2 ip=10.215.208.164/24 cidr_netmask=24 nic=ens32 op monitor interval=3s
The ip parameter must not include a CIDR mask.
The correct definition will be:
ocf:heartbeat:IPaddr2 ip=10.215.208.164 cidr_netmask=24 nic=ens32 op monitor interval=3s
I got this error message with the command
pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=1.2.3.4 cidr_netmask=32 op monitor interval=30s
I guess the findif script tries to find an interface whose network contains the given IP. I had no such interface, so specifying an IP from one of my interfaces' subnets solves the problem:
pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=192.168.243.123 cidr_netmask=32 op monitor interval=30s
Specifying interface manually also solves the problem:
pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=1.2.3.4 cidr_netmask=32 nic=lo op monitor interval=30s
I want to configure the system as follows:
There are several web app servers, each of which have global IP addresses.
The web app servers make HTTP and HTTPS requests to several (unidentified) external services. The source IP address of those packets (i.e. traffic to destination port 80/tcp or 443/tcp) needs to be fixed to one global IP address, so what I actually need is a transparent proxy for HTTP/HTTPS that does not affect other traffic.
Other packets should not use the global IP address above, but should use the global IP address that each server is assigned.
The web application is very old and it is impossible to modify it to use the proxy (CONNECT) protocol.
So I tried to use iptables to DNAT 80/tcp and 443/tcp to the squid proxy on all web servers, and configured squid as an interception proxy.
However, it failed with a redirection loop error.
I investigated what squid is doing with strace and found that it tries to connect to 10.0.0.252:80 after receiving a request, so a forwarding loop is detected.
I believe this is because of a misconfiguration, but I have no idea what should be fixed, or maybe I totally misunderstand what I should do.
(I googled but couldn't find examples of doing the NAT on each server.)
I hope someone can help solve the problem, or suggest a better way (not limited to using a squid proxy).
All servers are on Amazon EC2, so using VyOS as a router is an option...
ip a result on squid proxy
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 0a:1c:ba:c3:9c:1d brd ff:ff:ff:ff:ff:ff
inet 10.0.0.211/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::81c:baff:fec3:9c1d/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 0a:a9:2c:5e:eb:d7 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.252/24 brd 10.0.0.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::8a9:2cff:fe5e:ebd7/64 scope link
valid_lft forever preferred_lft forever
iptables on squid proxy
# Exempt packets already sourced from the proxy's own address so they are not
# redirected again. Note PREROUTING only sees traffic arriving from other
# hosts; squid's own outbound connections traverse the OUTPUT chain instead.
iptables -t nat -A PREROUTING -s 10.0.0.252 -p tcp --dport 80 -j ACCEPT
# Everything else arriving for port 80 is handed to squid's intercept port
# (http_port 3129 intercept). Only HTTP is covered here; nothing redirects 443.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.252:3129
iptables on web servers
# Rewrites the web server's own outbound HTTP to the proxy on port 80, relying
# on the proxy-side PREROUTING rule to move it on to 3129. NOTE(review): if this
# same OUTPUT rule is also present on the proxy host, squid's own upstream
# connections get redirected back to 10.0.0.252:80 — which matches the strace
# observation and the "Forwarding loop detected" log entry.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.0.0.252:80
cache.log
2016/06/22 06:15:22 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
User-Agent: squidclient/3.5.19
Accept: */*
Via: 1.0 unknown (squid/3.5.19)
X-Forwarded-For: 10.0.0.211
Cache-Control: max-age=259200
Connection: keep-alive
Host: ifconfig.moe
Full squid.conf
# "localnet" covers the whole RFC1918/ULA/link-local space, so every host in
# the 10.0.0.0/8 VPC range (the web servers and the proxy itself) may use this
# proxy, on the forward port 3128 as well as the intercept ports.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
# "unknown" is the name squid puts in the Via: header it adds (cf. the loop log
# entry "Via: 1.0 unknown (squid/3.5.19)"); squid flags a forwarding loop when
# an incoming request already carries a Via entry naming this instance.
visible_hostname unknown
# Squid normally listens to port 3128
http_port 3128
# 3129 is the plain-HTTP interception port the PREROUTING DNAT sends to; 3130 is
# the TLS interception port, for which no iptables rule is posted yet.
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
# server-first bumping terminates the client's TLS session and re-signs it with
# a certificate minted from myCA.pem, so every client has to trust that CA.
ssl_bump none localhost
ssl_bump server-first all
# temporary: just test
# NOTE(review): the next two lines disable validation of the upstream server
# certificate, so a spoofed or tampered origin is accepted silently. They must
# be removed before this carries real traffic.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_access deny all
If you DNAT to the proxy, you're changing the destination to the IP of the proxy. In this case, the proxy will lose the information about the original destination.
For HTTP this is OK, since the Host header can be used to resolve the target, but for HTTPS the proxy would need to rely on the SNI in the TLS ClientHello to learn the target, connect to it, bootstrap the TLS layer and go from there.