Change 'syncif' to 'syncdev' in your hostname.pfsync files. Also, out of curiosity, why are there two CARP addresses between the workstation and firewalls?
Kian

On 9/20/06, Tim Pushor <[EMAIL PROTECTED]> wrote:
>
> Hi friends,
>
> I am trying to set up my first firewall w/failover via carp & pfsync. I
> have it almost working, but am having a couple of issues. I am hoping
> someone will be able to help :)
>
> First, before I enabled preemption I almost always had one machine being
> master for one of the carp interfaces, and slave for the other two. It
> seemed to work, but just looked troublesome. Enabling preemption seemed
> to solve this. Does this point to a bigger problem somewhere?
>
> Second, and what I am really trying to fix - is to have an in-progress
> TCP session fail over to the second firewall. The connection stalls and
> eventually times out when failing over, but attempting to re-establish
> after the failover works (through the second firewall). I've confirmed
> (at least in my mind) that state updates are being properly propagated
> to the second firewall by watching the pfsync interface, and noting the
> state via pfctl -s state. I've watched syslog with pfctl -x loud and
> didn't see anything.
>
> Any hints on how I can go about troubleshooting this further? I've
> included as much info as I can think of. The included PF ruleset is
> just a proof of concept - I realize there's quite a bit more to be done,
> I'm just trying to get the failover working.
>
> Thanks!,
> Tim
>
> BTW If there is any OpenBSD guru in Calgary that's looking for a few
> hours of consultancy I'd love to hear from you :)
>
> Details:
>
> Both systems are Dell 850 servers w/added Intel Etherexpress Pro 10/100
> cards as the pfsync interface, with a crossover cable between them. OS
> is OpenBSD 3.9, GENERIC Kernel.
>
>                        192.168.1.246
>                    +------------------+
>                    | Test Workstation |
>                    +------------------+
>                              |
>             +----|-------- carp1 --------|----+
>             |          192.168.1.22           |
>             |                                 |
>             +----|-------- carp2 --------|----+
>             |          192.168.1.23           |
>             |                                 |
> 192.168.1.20 bge0|                       |bge0 192.168.1.21
>               +-----+                 +-----+
>               | fw1 |-fxp0-------fxp0-| fw2 |
>               +-----+                 +-----+
>  10.0.10.253 bge1|                       |bge1 10.0.10.254
>                  |                       |
>               ---+-------- carp0 --------+---
>                          10.0.10.1
>                              |
>                              |
>                       +-------------+
>                       | Test Server |
>                       +-------------+
>                         10.0.10.42
>
> (fw1 fxp0 - 192.168.254.253)
> (fw2 fxp0 - 192.168.254.254)
>
>
> ---- fw1:
>
> # cat hostname.bge0
> inet 192.168.1.20 255.255.255.0 NONE
>
> # cat hostname.bge1
> inet 10.0.10.253 255.255.255.0 NONE
>
> # cat hostname.fxp0
> inet 192.168.254.253 255.255.255.0 NONE
>
> # cat hostname.carp0
> inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 carpdev bge1
>
> # cat hostname.carp1
> inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 carpdev bge0
>
> # cat hostname.carp2
> inet 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 carpdev bge0
>
> # cat hostname.pfsync0
> up syncif fxp0
>
> # sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=0
> net.inet.carp.arpbalance=0
>
> ---- fw2:
>
> # cat hostname.bge0
> inet 192.168.1.21 255.255.255.0 NONE
>
> # cat hostname.bge1
> inet 10.0.10.254 255.255.255.0 NONE
>
> # cat hostname.fxp0
> inet 192.168.254.254 255.255.255.0 NONE
>
> # cat hostname.carp0
> inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass foo1 advskew 128 carpdev bge1
>
> # cat hostname.carp1
> inet 192.168.1.22 255.255.255.0 192.168.1.255 vhid 2 pass foo2 advskew 128 carpdev bge0
>
> # cat hostname.carp2
> 192.168.1.23 255.255.255.0 192.168.1.255 vhid 3 pass foo3 advskew 128 carpdev bge0
>
> # cat hostname.pfsync0
> up syncif fxp0
>
> # sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=0
> net.inet.carp.arpbalance=0
>
>
> ---- PF Rules (identical on both machines)
>
> # cat /etc/pf.conf
> ext_if="bge0"
> int_if="bge1"
> pfsync_if="fxp0"
>
> # All interfaces (real + virtual via carp) thought of as external
> ext_ifs="{ bge0, carp1, carp2 }"
>
> # Our internal network(s). Used for access rules and NAT
> internal_nets="10.0.10.0/24"
>
> # Define NAT source port range (all source ports will be rewritten to use
> # this range)
> nat_port_range="20001:65535"
>
> # Define virtual carp interface that should be used as NAT source
> # (i.e. outbound hide nat will appear to come from this virtual interface)
> nat_carp="carp1"
>
> # real interfaces that have virtual carp addresses associated with them
> carp_interfaces="{ bge0, bge1 }"
>
> # Test internal HTTP server
> tstsrv_ext=192.168.1.22
> tstsrv_int=10.0.10.42
> tstsrv_port=80
>
> ###
> ### NAT
> ###
>
> # Provide 'hide mode' nat for the entire subnet
>
> nat on $ext_if from $internal_nets to any -> $nat_carp port $nat_port_range
>
> # Test HTTP access
>
> rdr on $ext_if proto tcp from any to $tstsrv_ext port $tstsrv_port -> $tstsrv_int
>
> ###
> ### Access Rules
> ###
>
> # Block and log everything by default
>
> block log all
>
> # Allow all localhost traffic
>
> pass quick on lo0
>
> # Allow pfsync traffic on pfsync interface
>
> pass quick on $pfsync_if proto pfsync
>
> # Allow carp traffic on all interfaces that have virtual carp addresses
> # associated with them
>
> pass quick on $carp_interfaces proto carp
>
> # Allow communication to/from internal networks
>
> pass in on $int_if from $internal_nets to any
> pass out on $int_if from any to $internal_nets
>
> # Allow firewall to communicate outbound
>
> pass out on $ext_if from $ext_ifs to any keep state
>
> # Allow HTTP test
>
> pass in on $ext_if proto tcp from any to $tstsrv_int port $tstsrv_port
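As an added example (not from this thread, and not Tim's or Kian's code), here is a small POSIX shell script that performs two static checks on the configuration quoted above before anyone retests failover: it confirms that hostname.pfsync0 uses the current `syncdev` keyword rather than `syncif` (Kian's fix), and it lists every `pass` rule in pf.conf that does not keep state. The second check matters on OpenBSD 3.9 because filter rules only became stateful by default in 4.1; traffic matched solely by a stateless rule creates no state table entry, so pfsync has nothing to replicate for it. The file paths, the temporary directory and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread: two static checks a
# practitioner would run against the configuration Tim posted before
# testing failover again.
#   1. /etc/hostname.pfsync0 must use "syncdev"; "syncif" is the obsolete
#      keyword Kian points out.
#   2. On OpenBSD releases before 4.1 (Tim runs 3.9), a pass rule is
#      stateless unless it says "keep state" (or modulate/synproxy state).
#      Traffic matched only by stateless rules creates no state table entry,
#      so there is nothing for pfsync to carry to the peer.
# File paths and sample contents below are constructed for the demo.

# Report the pfsync sync keyword used in a hostname.if file.
# Prints the keyword; exit status 0 for syncdev, 1 for syncif, 2 for neither.
check_pfsync_hostname() {
    if grep -q 'syncif' "$1"; then
        echo syncif
        return 1
    elif grep -q 'syncdev' "$1"; then
        echo syncdev
        return 0
    fi
    echo none
    return 2
}

# Emit the file with Kian's fix applied (syncif -> syncdev) on stdout.
fix_pfsync_hostname() {
    sed 's/syncif/syncdev/' "$1"
}

# Print each "pass" rule in a pf.conf that does not keep state.
# Comments are stripped first; rules are assumed to be one per line.
stateless_pass_rules() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*pass([ \t]|$)/ && !/(keep|modulate|synproxy)[ \t]+state/ { print }
    ' "$1"
}

# --- constructed sample input --------------------------------------------
WORK=$(mktemp -d)

# fw1's hostname.pfsync0 as quoted in the thread (wrong keyword).
printf 'up syncif fxp0\n' > "$WORK/hostname.pfsync0"

# The filter rules from the quoted pf.conf; macros left unexpanded.
cat > "$WORK/pf.conf" <<'EOF'
block log all
pass quick on lo0
pass quick on $pfsync_if proto pfsync
pass quick on $carp_interfaces proto carp
# Allow communication to/from internal networks
pass in on $int_if from $internal_nets to any
pass out on $int_if from any to $internal_nets
# Allow firewall to communicate outbound
pass out on $ext_if from $ext_ifs to any keep state
# Allow HTTP test
pass in on $ext_if proto tcp from any to $tstsrv_int port $tstsrv_port
EOF

# --- stand-alone run -------------------------------------------------------
printf 'pfsync keyword: %s\n' "$(check_pfsync_hostname "$WORK/hostname.pfsync0")"
printf 'fixed file:     %s\n' "$(fix_pfsync_hostname "$WORK/hostname.pfsync0")"
echo 'pass rules without state:'
stateless_pass_rules "$WORK/pf.conf"
```

On the sample input the script reports `syncif`, prints the corrected `up syncdev fxp0`, and lists six stateless pass rules. Three of those (lo0, pfsync, carp) are fine as they are, since neither carp nor pfsync is a stateful protocol; the ones worth a second look are the two `$int_if` rules and the HTTP test rule, which are exactly the paths the in-progress TCP session takes. The script only reads files you point it at, so it can be run against `/etc/hostname.pfsync0` and `/etc/pf.conf` on either firewall without touching them.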