we’re using LXC containers to host multiple workloads on the same physical servers, e.g. a few instances of database servers running side by side. once in a while we end up with a strange situation where tcp connections between containers running on the same physical server get torn down abruptly. in our case this manifested e.g. by those ...
UDP packets sent from a specific source port, with a public source IP address, do not reach a specific destination port of the public destination IP address. changing any of the parameters [ usually the source port ] fixes the issue. i’ve observed this phenomenon multiple times for long-running OpenVPN and Wireguard VPNs encapsulating encrypted traffic in UDP ...
we’ve run out of office space in one of the locations. in the short term it was not possible to find a suitable and large enough place to rent, so we had to split and relocate some of the staff to another building a few kilometers away. it’s possible that we’ll shuffle people and servers between ...
i’ve moved a linux router from a 9-year-old physical box to a vm running under esxi 6.5. it’s the designated master in a master / slave pair managed by ucarp. it took me a while to figure out why it was not working – why didn’t the slave ‘see’ the master machine? as it turned out ...
after the upgrade to debian stretch i had to add the following firewall entries: for the FTP servers: for the nat-routers between FTP servers and FTP clients: for the FTP clients: related articles: https://home.regit.org/netfilter-en/secure-use-of-helpers/
i use this setup for a few lxc servers. bonding provides me with layer-2 failover based on arp probes [ so even if the switch link stays up yet forwarding fails, the mechanism will kick in ]. this is a continuation of an earlier post, this time under debian stretch
at work i have an openvpn tunnel between an OVH dedicated server and our datacenter. due to varying bandwidth we sometimes use udp over ipv6 and sometimes over ipv4 as the encapsulation method. whenever we did the switch we always had to reconfigure both ends of the tunnel. it turns out that with recent openvpns and kernels it’s ...
one day an openvpn that had been carrying traffic for the last 7 years started to misbehave. openvpn’s own built-in watchdog was restarting it every few minutes. one of the tunnel’s endpoints – a – is behind a NAT that we don’t control; the other – b – is a host with a public ip address.
the idea: i’d like to run kvm/lxc on debian, have guests bridged to a couple of vlans and handle the network failover at the host level. network failure should be detected using arp probes, not just the link [ mii ] status. after a few attempts i got it working in the test environment.
at work we rent a dedicated server from OVH; except for unexplained openvpn throttling, all is working pretty well for the price we pay. besides the primary IPv4 address OVH can provide a few additional ‘failover’ IPv4 addresses and a /64 IPv6 subnet. in our setup some of the IPv4s and IPv6s are routed to a KVM VM. below – ...
for work we rent a dedicated server from OVH. it’s been 5 months now and i’m pretty satisfied with the service provided. at the initial stage we bumped into a problem that was never really solved; i cannot even be 100% sure if it’s OVH’s fault. a UDP-based OpenVPN connection established from OVH’s BHS datacenter to ...
a few days ago, after 19 weeks of waiting, i finally received my raspberry pi.
this post inspired me to check how much performance we can gain by just upgrading to a more recent kernel on the internet-facing proxy servers at work.
the lenny/squeeze way.
goal: layer-2 failover without any special features at the switch level. after a recent hang of one of the switches i’d like to improve the reliability of connectivity within a server rack. i already have all servers connected to two different switches… now it’s time for automated failover.
some of my old notes i prepared back in 2005 for a network lab i supervised [ in polish… ]