Hello,
I've two i386 boxes running 3.9-stable acting as redundant firewalls
with PF + CARP/pfsync behind a Cisco router.
           xDSL
             |
             |
           cisco
             |
             |
        -----------
        |         |
       FW1       FW2
        |         |
        -----------
             |
            DMZ
Public IP addresses used below are faked.
The router:
#sh ip int brief
Interface          IP-Address      OK? Method Status  Protocol
...
FastEthernet0/0    172.16.0.6      YES NVRAM  up      up
FastEthernet0/0.1  172.16.31.6     YES NVRAM  up      up
...
Loopback0          4.3.2.6         YES NVRAM  up      up
#sh ip route static
     172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
S       172.16.0.0/16 [1/0] via 172.16.0.1
     4.3.2.0/24 is variably subnetted, 23 subnets, 3 masks
S       4.3.2.0/29 is directly connected, FastEthernet0/0
The firewalls:
# sysctl -a | grep ^net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0
On the external carp1 interface I have a private address (172.16.0.1,
used for routing) and a public IP address alias (let's say 4.3.2.1, used
for redirection of services to DMZ hosts).
On the internal carp11 interface I have the DMZ to which ports from the
public IP address alias are redirected.
# route -n show | grep default
default            172.16.0.6         UGS        0   180952     -     carp1
# ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev fxp1 vhid 1 advbase 1 advskew 0
groups: carp egress
inet 172.16.0.1 netmask 0xfffffff8 broadcast 172.16.0.7
inet 4.3.2.1 netmask 0xfffffff8 broadcast 1.2.3.7
# ifconfig carp11
carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev vlan11 vhid 11 advbase 1 advskew 0
groups: carp
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
I'd like to add one more public IP address on the carp1 interface, so I do
# ifconfig carp1 vhid 1 carpdev fxp1 pass whatasecret alias 4.3.2.2 netmask 255.255.255.248
on the master firewall. Immediately after adding the alias, the firewall
stops forwarding packets in both directions. I have to reboot the
firewall to get it working again; removing the alias is not sufficient.
My PF ruleset defaults to 'block drop log all', but tcpdump on pflog0
does not seem to be particularly useful. This is in production too, so I
cannot experiment a lot. I have a similar setup working (multiple public
IP addresses as aliases on the external interface mapped to internal
private addresses on 3.8-stable), but I'm not using CARP there.
Any idea why this happens?
thanks
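Added example (not part of the post above): a small POSIX sh check that reads `ifconfig` output for a CARP interface and verifies that the broadcast address shown for each inet address is the one implied by its netmask, so an alias whose mask or broadcast does not match its neighbours is spotted before it is added to a production master. The sample output is constructed from the carp1 listing quoted above (where the second inet line shows broadcast 1.2.3.7, which does not match 4.3.2.1/29); whether that is only an artifact of the faked addresses is something the check lets you answer on the real box.

```shell
#!/bin/sh
# Constructed sample of `ifconfig carp1` output, modelled on the post above.
SAMPLE_IFCONFIG='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev fxp1 vhid 1 advbase 1 advskew 0
	groups: carp egress
	inet 172.16.0.1 netmask 0xfffffff8 broadcast 172.16.0.7
	inet 4.3.2.1 netmask 0xfffffff8 broadcast 1.2.3.7'

# Dotted quad -> 32-bit integer (printed on stdout).
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 32-bit integer -> dotted quad.
int2ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# expected_broadcast ADDR HEXMASK: broadcast implied by ADDR and a hex netmask
# as printed by ifconfig(8) (e.g. 0xfffffff8).
expected_broadcast() {
    addr=$(ip2int "$1")
    mask=$(( $2 ))
    int2ip $(( (addr & mask) | (~mask & 0xffffffff) ))
}

# check_inet_lines: reads ifconfig output on stdin and prints one line per
# "inet" address, OK or MISMATCH; returns 1 if any broadcast disagrees with
# the netmask. Lines that are not inet lines (flags, carp, groups) are skipped.
check_inet_lines() {
    rc=0
    while read -r kw addr _ mask _ bcast; do
        [ "$kw" = inet ] || continue
        want=$(expected_broadcast "$addr" "$mask")
        if [ "$want" = "$bcast" ]; then
            echo "OK       $addr netmask $mask broadcast $bcast"
        else
            echo "MISMATCH $addr netmask $mask: expected broadcast $want, got $bcast"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a real box pipe `ifconfig carp1` in instead.
printf '%s\n' "$SAMPLE_IFCONFIG" | check_inet_lines || echo "at least one alias is inconsistent"
```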