[00:02] hi [00:02] good evening [00:03] is there anyone? :) [00:03] pipponji: howdy [00:25] .i have ubuntu 9.10 on sofware raid md0-boot (raid1) , md1-swap (raid1), md2-system (raid 5), md3-home (raid 5), i have a crash and even though system appears to be working well i get the following screen at boot: http://imageshack.us/photo/my-images/215/20120116104650458.jpg/ [00:25] New bug: #917435 in apache2 (main) "Apache mod_rewrite doesn't work after most recent oneric update" [Undecided,New] https://launchpad.net/bugs/917435 [00:28] hi [00:28] hi patdk-lap [00:28] you remember me? [00:28] raid 10 mdadm....... [00:29] so i am trying to set up rails with unicorn. i have my unicorn config.rb file set up, and if i run unicorn_rails -c /path/to/config.rb as my user everything starts up fine and i can view the website. however, if i run the Upstart script, (and it basically exec sudo -u myuser -i `unicorn_rails -c 'path/to/config'` i get no error msg, but i cant view the website -- it redirects to 500 error page. in nginx logs it just says connect [00:29] what could Upstart be doing wrong that the unicorn fails to set up? [00:34] Unicorn? Is that anything like Manicorn? ;) [01:21] hello [01:21] I have a 10.04 server with an additional pci nic [01:22] it shows in lsmod but I cant get it to work, no dhcp no network communications nothing [01:22] any advice? Its realtek r8169 something [01:23] can some one help me debug some dns issue [01:24] for some reason my sites where up yesterday but they are down all of a sudden [01:26] You will never know, till you ask. [01:27] Any help on my nic issue? [01:31] metasansana: pastebin the output of lspci -nn and ip a [01:31] Also lsb_release -a and uname -a [01:32] ok [01:41] twb: http://pastebin.com/WGsf7349 [01:41] metasansana: how many NICs do you think you have in there? Two? [01:41] there are two at the moment [01:41] Well, they're both detected fine [01:42] twb: the machine is hung now [01:42] Just add the appropriate content to /etc/network/interfaces [01:42] i did, im starting to think this may be a hardware thing [01:43] i still have ssh access though [01:45] twb: ifup eth1 keeps saying the device is already configured even though ip a says its DOWN [01:49] pastebin your networks file [01:49] It should look something like this: http://paste.debian.net/152534/ [01:50] twb: I dont know what the help happened but everything is configured and working now [01:50] Obviously if using stating instead of dhcp you change that. Also, having two DHCP ifaces up at once will cause confusion. [01:50] s/stating/static/ [01:50] I had one dhcp and one static [01:50] Hey guys. Does anyone know what the best bonding mode would be for a cross connect between two servers? [01:51] I got unable to enumerate usb device on port 1 [01:51] and now it works [01:51] twb thanks === sixstringsg|away is now known as sixstringsg [02:09] jetole, round-robin, if that is an option === sixstringsg is now known as sixstringsg|away [02:13] Okay quick weird problem [02:13] Installed openjdk-6-jre-headless and was cool for awhile [02:14] Uninstalled and and installed default-jre-headless [02:14] Now /usr/bin/java and /etc/alternatives/java are gone [02:14] Is some post install script not firing? [02:14] Likely not the problem... [02:15] IIRC, default-jre-headless goes with GCJ. [02:15] It says it depends on openjdk-6-jre-headless in apt-cache [02:15] I uninstalled it anyway and reinstalled openjdk-6-jre-headless manually [02:15] Those symlinks are still gone [02:15] Ah. I forgot. [02:16] update-alternatives also doesn't know about java [02:17] I would just try purging and reinsatlling but I started a job directly via /usr/lib/jvm/java-6-openjdk/jre/bin/java so I need to wait for that to finish :p === pdtpatrick_ is now known as pdtpatrick [02:22] okay, purge and reinstall worked [02:22] weird [02:32] patdk-lap: well they are two nics bound together on two different servers that are just cross connected between the servers without a switch in the middle [02:32] patdk-lap: this is a dedicated link for state exchange between to Linux HA iptables systems [02:33] jetole, like I said, round robin [02:33] patdk-lap: so in that case, you think round robin? [02:33] bonding mode #0 [02:33] ok. thanks [02:33] thanks [02:33] that is the ONLY CASE you should ever use mode 0 [02:33] if there are any issues, you are going have to change it to something else [02:34] probably mode 3 [02:34] patdk-lap: why do I only want this mode? I was about to ask about say why not use 3/broadcast or was wondering if 4/802.3ad was an option [02:34] if you don't mind me asking [02:35] oh, mode 4 I mean [02:35] 3 would be well, anoying [02:35] 4 is hardly useful in a single server usage, the more ip's the better, or more mac addresses the better normally [02:36] 3 is like raid1 harddrives [02:36] ok but I'm just trying to understand why I would want these modes. and yeah I wasn't even sure if 802.3ad is an option without a switch and seems like more then I would need for just a cross connect but I just want to understand why I would prefer one to the other here [02:36] mode 0, roundrobin combines all the links into one large pipe [02:37] the issue with mode 0, and why you never use it (except in direct crossconnect links) [02:37] is cause of packet out of order issue [02:37] ah yes [02:37] you shouldn't have that issue in direct links, unless the nic is buffering horribly [02:37] actually I was just thinking if that would be an issue [02:37] mode 4 gets around out of order issue, by making each tcp session stick to a single nic [02:38] mode 5 is mostly useless in this case [02:38] same for mode 6 [02:38] they give you noting that mode 4 doesn't give you [02:39] mode 5 and 6 where made when you don't have support for mode 4 [02:39] and in direct connect, well, both sides can be made to support it :) [02:39] I see. You're referring to 4 == 802.3ad ? [02:39] yep [02:39] just want to make sure we're on the same page [02:39] cool [02:40] 3 / broadcast seems like it would be prone to causing problems [02:40] it can [02:40] but you can use it for other things too [02:40] like sending one of those connections to a IDS [02:41] ah good point [02:42] in my case the STP will be listening on switch monitor ports but I see what you mean and there are a lot of ways to do it @ IDS [02:42] er, I meant the IDS [02:42] not STP [02:43] patdk-lap: Thanks for the help [02:43] patdk-lap: so to confirm, I want to do round robin first choice and 802.3ad if RR fails? [02:44] yep [02:44] roundrobin will give you full speed [02:44] 802.3ad will only give you the speed of 1 cable, plus some [02:45] and plus some depends on how good it balances the tcp connections over your links [02:45] oh! [02:45] on average I would say, links /2 , is expected from it [02:45] these are two Gbps NICS on each machine, in fact identical machines with identical NICs installed. RR will give me 2Gbps? [02:45] yep [02:46] :-D [02:46] and 802.3ad will give you 2gb, in only ideal conditions :) [02:46] I honestly doubt I will ever need it but good to know [02:46] but will always give you atleast 1gb [02:46] yeah actually I thought 802.3ad would give me sum link speed [02:46] learn something new everyday [02:47] ok, something else I want to run by you here if you don't mind regarding bonding [02:47] I have two switches, only one supports 802.3ad so thats not an option. I am connecting about a dozen servers to each switch [02:48] my thoughts were to cross connect the switches and then use 1 / active-backup for those [02:48] what do you think? [02:48] depends on what all will be talking to your server [02:48] using mode 1, always works [02:49] but normally mode 5 works just as good, but only increases receive [02:49] mode 6 can work better, if your nics support it [02:49] my issue with mode 6 is normally, other things don't like it much [02:49] cause it's always changing the mac address [02:50] so if I attempt to manage my switch, or cable modem, from a machine using bonding mode 6, it won't happen [02:50] i.e. server1 has one NIC on switch1 and one NIC on switch2. switch1 and switch2 are cross connected so a packet sent to one switch is seen on the other switch and NIC1 and NIC2 on server1 are bonded in active-backup [02:50] cause they don't like the ip keeps changing mac's [02:50] how is your traffic? in and out of the server? [02:50] yeah I don't like that too [02:50] mosting outgoing? [02:51] in my case, I just deal with mode 6, cause I'm sending craploads of traffic [02:51] I'm on a crap lousy connection at the moment. Luckily my IRC client is running on a server in the data center and I am ssh'ing to that server but about every 10 minutes my connection keeps dropping [02:51] agh [02:52] It's a web farm. Most the servers are hypervisor hosts and there is web servers, sql but they only talk to other web servers. same thing for file servers, etc [02:52] doesn't explain much [02:53] so I'm thinking active-backup. I want to avoid the changing MAC's as much as possible [02:53] yeah not sure what you need to know [02:53] ratio of data in vs out [02:53] sorry. what is it you're wondering [02:53] ah [02:54] well, I'd say 5 to 1 on in vs. out but the firewalls (HA/redundant) are also using these same two switches, again with the bonding [02:54] er, I meant to say 5 to 1 on out vs. in [02:54] i.e. we transmit about 5 times what we receive [02:54] that is on your firewall? [02:55] what system are you asking about for bonding? [02:58] well the firewall is transparent, bridged mode, it connects to each of the switches in bonding mode, basically I'm just double checking my proposed setup which is net to switches, the data center provides us two Ethernet cables and uses RSTP to decide which cable is active. The firewalls and the net are on their own private vlan and each firewall is on both switches, then two other vlans exist, one for the net for the public IP's and one for the ... [02:58] ... private 10.x.x.x net. the firewall bridges to the public IP's vlan with filtering done in the FORWARD chain and provides NAT for the 10.x.x.x IP's. Each firewall and each server is connected to both of two different switches through seperate NIC's so I guess what I am asking is do you think active-backup is the best bond to use for this scenario? [03:02] for a firewall, ative-backup is fine [03:02] also the point is to avoid a single point of failure. If the one of the inet links dies then the other one is used, if a single NIC dies on any server then it uses the other one and with the cross connect between the two switches so if a packet appears on switch then it's sent to the second one and if a switch dies then all traffic migrates to the next one [03:03] and ideally I can take either firewall and throw it out the window and nothing is interupted [03:03] so for all other servers, do you think active-backup sounds best? [03:04] hmm, I don't get the rstp active network cable thing [03:04] but then, I run bgp, so I just expect both cables to be fully active and usable all the time [03:05] well that actually comes from the data center where they provide a primary gateway. I believe routing ourselves was/is an option but we're not going to implement that at this time [03:06] rstp seems to be a great protocol IMHO and it's a shame that (at least afaik) that it can't be implemented in Linux [03:06] jetole: it can't? I remember setting up rtsp on linux years ago [03:07] trevorj: can you tell me how? I've googled and googled. I know it supports STP and has forever but I can't find anything on RSTP [03:07] jetole: lol, I misread rstp for rtsp [03:08] jetole: sorry! [03:08] jetole: I assume rstp is something like stp [03:08] oh, yeah, rapid spanning tree protocol. not real time streaming protocol [03:08] I'm not positive it can't [03:08] I just can't find out how it can [03:08] jetole: http://git.kernel.org/?p=linux/kernel/git/shemminger/rstp.git;a=summary [03:08] and coincidently I setup a RTSP server years ago too. Used to own a inet radio station company [03:09] jetole: nice, I just ran my own crappy radio [03:09] I didn't say mine wasn't crappy [03:09] jetole: played a bunch of wallflowers and marcy playground on it (ugh) [03:09] if it wasn't then I would still be running it ;) [03:09] jetole: hehe [03:10] * jetole reads the git page. give me a minute [03:10] coincidently I was also reading a page earlier about github load balancing through ldirectord where the author of haproxy became the first person to comment [03:10] http://www.anchor.com.au/blog/2009/10/load-balancing-at-github-why-ldirectord/ [03:11] last I knew, ldiretord didn't balance anything [03:11] ipvs did [03:12] it's mentioned on the page [03:13] I think they mentioned that ipvs did the balancing and ldirectord is used for health management/monitoring, aids in failover, etc [03:13] all ldirectord does is select what backend servers are working [03:13] that is all, no balancing logic, nothing [03:13] ldirectord is hardly a loadblaancer [03:13] that page is actually a good read but I'm not implementing it, we already use a proxy based load balancer but changing to another one but I can't implement a one leg'd balancer since most our servers are private IP only [03:14] patdk-lap: I'll take your word for it. I know of it but I have never used it so I'm hardly the person to comment [03:14] I'm heavily using it [03:14] cool [03:14] it's kind of like saying, cacti is a webserver [03:14] man cacti is the best web server out there [03:14] j/k [03:15] patdk-lap: checkout the link though cause I am speaking out of context and that was a blog post from one of the architects at github [03:15] I'm reading it [03:16] but it's like he doesn't understand what he is doing [03:17] kind of like someone that uses webmin [03:31] New bug: #917471 in bacula (main) "Please upgrade to the latest upstream bug fix release for precise" [Undecided,New] https://launchpad.net/bugs/917471 [03:43] lol @ webmin [03:44] I couldn't take this crappy dropping connection anymore so when I came back from my smoke break, I set my phone to act as a wifi hotspot [03:44] patdk-lap: anyways, again, I will take your word for it cause I haven't used ldirectord or keepalived [03:46] neither one really is an option for me cause our servers have private IP addresses so we can't just relay the original source packet to one of the hosts [03:46] sure you can [03:46] atleast the way I do it, I use private ip addresses on all the servers [03:47] then you piggyback the real ip's [03:51] broder: choose a better irc provider [03:51] :/ === dendrobates is now known as dendro-afk === dendro-afk is now known as dendrobates [04:02] patdk-lap: what do you mean piggy back the real IP? === dendrobates is now known as dendro-afk === dendro-afk is now known as dendrobates [04:59] does using full disk LVM encryption have a performance impact? [05:37] yes, full disk encryption uses notable CPU time and reduces data rates [05:38] for most purposes it's not a big deal but if disk performance is key in your application it may be an issue [05:47] ok [05:47] thx qman__ [07:15] hey soren i noticed your the virt-manager package maintainer I need some help as I am encountering some really annoying issues which im at a total loss on how to solve [07:23] * SpamapS tests upgrading lucid -> precise in an EC2 instance... [07:25] weird.. I wonder why I was prompted for the mysql root pw again.. [08:04] eagles0513875: I've not actually been involved in maintaining it for a quite a while. [08:04] eagles0513875: Id' suggest just filing bugs. [08:04] soren: ok :( im just at my wits end with it at least for me alot of the virtualization stuff isnt working with xen :( [08:05] what doesnt make sense to me soren is that virt-manager in 11.10 connects to xen local host but not a remot host even using ssh keys [08:07] Why doesn't that make sense? [08:07] They're completely different operations. [08:26] morning [08:28] eagles0513875, soren And just adding that this is not always true. I can connect to a remote host. We just have not found out what I did different [08:33] SpamapS, I fail to remember but wasn't there someone at the ralley saying something about endlessly (or so it seemed) being asked for it. Heck if I could remember who and when... :/ [08:36] smb: might be some weird problem with the config script. I just hit it, so probably worth opening a bug. [08:36] SpamapS: smb you talking about the same issue I am having [08:37] eagles0513875, No, that about the mysql password re-entry SpamapS has [08:38] ahh ok [08:38] off to breakfast for now [09:27] smb: mdeslaur, perhaps? [09:28] smb: Oh, never mind. Thought you were talking about eagles0513875's virt-manager problem. [09:28] soren, In a sense we are, too [09:28] :) [09:28] And I got some issues as well, just different [09:31] eagles0513875: can you use virsh -c xen+ssh://whatever/ ? [09:31] eagles0513875: I.e. is it just virt-manageR? [09:31] Or all libvirt tools? [09:32] soren: its just virt-manager connecting to a remote host localhost works fine [09:32] eagles0513875: That's not what I'm asking. [09:32] eagles0513875: Read it again. [09:32] soren: we've done that test, it worked [09:32] And how are you attempting to do this with virt-manager? [09:33] no idea, he wasn't using virt-manager last time this problem occured for emir [09:33] eagles0513875 even [09:33] me? [09:33] ikonia: Now you're not making sense anymore. [09:33] ikonia: You said you've tested it with virsh, and it worked. [09:33] ikonia: Then you say that the problem last time wasn't with virt-manager. [09:34] ikonia, ah i am trying to install mac os on virtual box.... [09:34] ikonia: Which is it? [09:34] ikonia, and without suceed [09:34] emir: i was told you can only do that on native mac hardware [09:35] eagles0513875, i want it on virtual device [09:35] you can only virtualize it if your running a mac device is what i mean [09:35] eagles0513875, ok than, [09:35] <_ruben> running (virtual or not) osx on non-apple hardware is illegal [09:36] _ruben, so what? [09:41] soren: was was just having a real world conversation [09:42] soren: quick question by default virt-manager will automatically look for the id_rsa key correct [09:42] soren: we connected to the remove virtd daemon with virsh over ssh [09:48] seems like the issue is with virt-manager and public keys now that im using keys [09:49] well ill be damned [09:49] ikonia: its working [09:49] eagles0513875, It is not really virt-manager doing things. I assume you access via ssh and then its all ssh [09:49] for sure virt-manager wont work if u dont use an id_rsa key name [09:50] There should be no difference whether you can use virt-manager or ssh user@host [09:51] smb: for my normal user i didnt name the key a standard name [09:51] Then you'd need to define it in .ssh/config [09:52] humm ok [09:52] like identity file for the host [09:52] i get ya [09:58] you've got to use the standard key names that are specificed in the ssh config file [09:59] Not necessarily, but one needs to tell ssh about it in the config [10:00] exactly, so you have to use the key names in the config, that can be the default ones, or your own as long as it's named in the config [10:00] right [10:01] burp [10:07] ikonia: my next question i have a physical volume setup for use with lvm how do i get virtmanager when creating a guest use that volume group i have setup [10:08] you need to create a disk pool [10:08] then virt manager uses space on that disk pool [10:09] (that's the most clean/simple way) [10:09] ok even if its LVM [10:09] yes [10:09] lvm is just a "disk" to the OS [10:09] is there a way to re-configure cpan settings, like the prompts you go through when installing ? [10:09] ok [10:09] well that just crashed virt-manager trying to set that up [10:13] eagles0513875: are you trying to do 1 logical volume per machine, or a large logical volume / file system as a pool and then let libvirt manage the images on that ? [10:13] one large logical partition [10:14] ok, that for me is the best approach for you [10:14] here is the partition setup i have [10:14] I don't need to see it [10:14] ok wasnt goign to show just explain [10:14] sure, go on [10:14] 40gb for host os then appropriate swap partition then rest as lvm [10:15] you're running an lvm partition on the same disk as your root disks [10:15] ? [10:15] correct [10:15] we only have a single disk on this server [10:16] yup [10:16] we only have 1 hard drive [10:17] that is a very VERY VERY bad ideda [10:17] idea [10:18] i know i would have liked a 2nd drive to setup raid 1 at least but Deathvalley122 cant afford it [10:18] you've got a massive risk putting paying customers on this [10:19] ikonia: tell this to Deathvalley122 i am well aware of the risks involved here [10:19] yes, but also the implications of running an lvm partition on the same disk as your OS too [10:19] that's up to you guys though [10:20] we had the samething on the other server we had [10:20] it was set up the same way [10:20] but we had raid 1 on it [10:20] correct which was no being used [10:20] Deathvalley122: just because you've done it that way before does not mean it's a good idea [10:20] Deathvalley122: raid1 wasn't being used ??? [10:20] if you have raid1, it's being used [10:21] every write to disk....it's being used [10:21] nope [10:21] errr yes [10:21] it wasn't being used [10:21] that's how disk mirroring works [10:21] no data was stored on it [10:21] what do you mean it wasn't being used ??? [10:21] did you have raid 1 enabled yes/no [10:21] do not remember exactly [10:22] ....right [10:22] that server is long gone now [10:22] we did on the previous server [10:22] thats what I am saying eagles0513875 [10:22] ok - if you had raid1 enabled, that disk was being used as a mirror, if you didn't have raid1 enabled, that disk was probably not used [10:22] if you are confident the disk had no data on it, then either raid1 was not enabled or it was not setup correctly [10:24] for another HDD for this server would cost me 15 dollars a month extra [10:24] and I am already paying 239 a month [10:25] and 40 dollars a month to make them hot swappable [10:25] pat it will be worth it though [10:25] forget the hot swap at least with the 2nd drive we have some redundancy [10:25] I have no money eagles0513875 === kklimonda_ is now known as kklimonda [10:47] <_ruben> how many vms you expect to run on a single spindle? :P [10:53] I dunno [10:53] <_ruben> if it's more than "just a few", then i hope they won't expect decent disk performance [10:54] we'll see what happens just found out I can afford another drive next month but this month I can't [10:54] yeah they are 7200 RPM drives [10:54] <_ruben> ouch [10:54] <_ruben> and going from single disk to raid1 would only help a bit for read performance [10:55] ya [10:55] I can get another drive next month [10:55] but this month I can't [10:55] I am packed with ... bills ... [10:57] if my contract would ever end with my cell phone [10:57] I could be ... [10:57] saving tons of money [11:11] Anyone have experience with hardware raids and ubuntu server? Looks like support is shoddy, and kinda kills some of the perks of hot swapping and such even if I CAN get it working on a software level.. [11:12] And would a RAID error in ubuntu server installer cause black / blank screen? [11:41] <_ruben> thinkclay: never really had any issues with hardware raid and ubuntu .. used various dell (lsi based) raidcontrollers as well as a number of adaptec ones [11:47] thinkclay: I've used hardware raid many times with zero issue, there is excellent support [11:47] thinkclay: infact support isn't required for a lot of things as the raid is controlled on the card, not the OS, so the OS just see's a disk, support is only required if the vendor has things like raid tools to infom you of device failure [11:47] if you are talking about the installer causing a black screen, make sure that you have all the deps covered [11:48] hardware.raid++ [11:49] ya, Im thinking raid isnt the issue anymore [11:49] everyone's favourite [11:50] ubuntu 10.04 is working.. seems its just isolated to 11.10 with support for my video or something [11:50] So software raid works as well or better than fakeRaid and low end raid controllers? [11:52] <_ruben> usually, yes [11:53] fakeraid = poor [11:53] software raid = fine if you have an acceptable spec machine [11:54] 12 core xeon 5500 with 192G of ram sufficient? [11:54] no [11:54] ......kidding [11:54] haha, figured I'd be covered there [11:54] although that spec machine would normally come with a raid card [11:54] it did [11:54] Had issue after issue getting it to work with Ubuntu [11:55] HP/Dell/IBM all ship that sort of thing with a pretty solid raid card, with battery backup etc [11:55] what make is the server ? [11:55] well this is a 1U so it's not as high end nor does it have much space with all the ram bays [11:55] that's fine, I've got DL120's that are 1U with quality raid cards and battery backup in [11:56] I've got a decent raid in it from what I understand (though I havent dealt with raid controllers much) but dont think it has the battery backup [11:56] thinkclay: what make is the server ? [11:57] http://www.newegg.com/Product/Product.aspx?Item=N82E16816101261 === TREllis_ is now known as TREllis [11:57] ahhh supermicro [11:57] no raid card in there [11:57] on board motherboard raid [11:57] fakeraid [11:58] ya, just learned about that concept after wasting 4 hours :) [11:58] why are these guys even bothering with fakeraid? [11:58] not sure how you think you've got 12 cores [11:58] the board only supports 2 cpu's with 4 cores each [11:58] It's not that exact model [11:59] because on technologies that support it, such as windows, it's not so bad [11:59] I personally don't rate the supermicro stuff, lots of corner cutting [12:00] which is why they seem capable of doing reasonable prices [12:00] ya, it's not bad for an entry level server [12:01] largest website of this country ran on a bunch of supermicro servers [12:01] onre: which one is that ? [12:02] ikonia, virtually unheard of outside .fi, but had ~2000-3000 page loads per second on rush hours. it was basically a sort of "social media" before social media, started in 1999. [12:02] oh, 2000, not '99 [12:03] possibly where a multi node setup is required they may be a good choice, cheap and non-ressilient, so if one goes, pop another in [12:03] yes, that's exactly how it was run [12:03] and for price of one "real" name-brand server you could get four supermicros :p [12:04] which for a low spec farm makes possibly a better model [12:05] i've run databases on them, too. just pop in a 3rd-party raid controller (i used areca) [12:16] Hey guys. I just created a ID10T error but I think I may need a hand in solving it. Thank god I disconnected these two from the main switch before I tested the hardware but this is basically what I have. Two servers with two nics where each nic is connected to a different switch. the switches are cross connected with a cross over cable (well technically it's not a cross over cable since the switch has MDI-X but you get the point). The NIC's on ... [12:17] ... both servers are bonded in active-backup mode so ideally only one of the NIC's should be active at any time and it fails over to the other nic if the primary fails and as far as I can tell, this is working. Then on the bonding there are three vlans defined which are also configured on the switch. on these servers which will primarily be used as firewalls, vlan2 and vlan3 ( VID 2 and 3 ) are bridged in a STP enabled bridge. Somehow I have ... [12:17] ... hit/created a broadcast storm by bridging these two VLANS however I don't understand how. If a packet leaves the server tagged as either VID 2, 3 or 4 then the switch should be isolating this packet in the bridge... however because it's a bridge and both VLAN's have the same MAC address, perhaps that's why... I'm still not sure here and actually rather lost on this if anyone could provide some insight I would appreciate it [12:22] just as a heads up, vlan4 (VID 4) isn't on the bridge because that will be NAT'd (however that's not setup yet but vlan4 does have a private IP. vlan2 is isolated between the data center and the two firewalls (these will be redundant firewalls using conntrackd for sharing state info about connections and this already setup but no iptables rules yet). vlan3 will be where any servers using publically assigned IP's are located. The bridge between ... [12:22] ... vlan2 and vlan3 creates a transparent firewall (which I've actually done this part many times throughout my life and maintain 3 others of this now) where nothing on either end of the firewall should see that the traffic is going through the firewall (though the MAC address is still visible) but all traffic passing through the bridge is audited against the rules in the FORWARD chain (or perhaps rules in say PREROUTING chain in the raw table ... [12:22] ... or other odd spots like that but those are the exceptions to the rule) [12:22] Anyways, yeah. ...not sure how to handle this broadcast storm [12:23] maybe your switchs don't support vlans correctly? [12:23] I have seen switchs that dont isolate mac's per vlan correctly before [12:25] I hope that's not the case. Though they are not Cisco they are still pretty decent Gbps rack mounted enterprise netgear switches [12:25] I'll be pretty disappointed if that's the case since on of the other VLAN setup's I run elsewhere uses crap lousy shit linksys switches [12:25] netgear has that issue [12:25] make sure you update the firmware [12:25]