So any resolution on the apache redirection? When I go to the website, I get the "Connection Interrupted" error. This only occurs when both routers are on. Oddly enough, when I ssh into the virtual IP, ssh traffic doesn't get jumbled up because of the ip balancing. I suspect I may have to up the advskew values to allow for the length of the polling rate to increase. Maybe apache traffic needs every part of a page to come from the same source IP. Should I try changing the advskew value on the routers? I can only get to the website when one router is on, which really defeats the purpose of high availability and redundancy.
Thanks,
Vivek

On Thu, Nov 13, 2008 at 6:39 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Confirmed. If I have both routers on, the http redirection on the CARP
> interface doesn't work. But when I only have one on, then the
> redirection works just fine. Is CARP getting confused with the
> packets?
>
> On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>> Yay! I got ssh and http to work on the CARP interface. Thanks.
>>
>> However, the httpd redirect is not working just yet on the CARP
>> interface for one of the computers. Does IP balancing mess up
>> redirect?
>>
>> When I only have one router up doing the redirect, the CARP interface
>> works, but when I have both routers on, the CARP interface defaults to
>> the one that doesn't apparently do redirection. I'm going to
>> troubleshoot and turn off the one that works and turn on the computer
>> that doesn't "redirect."
>>
>> Any other suggestions for troubleshooting this weird setup I have? Has
>> anyone ever done this before, having CARP'd web servers behind CARP'd
>> routers?
>>
>> Here's my current pf.conf:
>>
>> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>> #
>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # macros
>> ext_if = "re0" # External Interface (169.229.158.0/24)
>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>> localnet = $int_if:network
>> webserver = "192.168.1.50" # Redundant Sun Servers
>> nameserver = "192.168.1.101" # Dell L400 Celeron
>> webports = "{ http , https }"
>> domainport = "{ domain }"
>> tcp_services = "{ ssh }"
>> icmp_types = "echoreq"
>> carpdevs = "{ carp0 , carp1 }"
>> syncdev = "{ re1 }"
>> carp_mcast = "224.0.0.18"
>>
>> # extra tweaks
>> set skip on lo
>> set block-policy return
>> set loginterface $ext_if
>> scrub in all
>>
>> # nat
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $int_if proto tcp from $int_if to $localnet
>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>>
>> # rdr for http
>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>>
>> # rdr for domain (tcp)
>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>>
>> # rdr for domain (udp)
>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>>
>> # pass rules
>> block in # Default Deny
>> pass out keep state
>> antispoof quick for { lo }
>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>> pass in quick on $int_if
>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>     port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>     flags S/SA synproxy state
>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>     flags S/SA synproxy state
>>
>> # Basic CARP/pfsync pass rules
>> pass on $carpdevs proto carp keep state
>> pass quick on $ext_if proto carp \
>>     from $ext_if:network to $carp_mcast keep state
>> pass on $syncdev proto pfsync
>>
>> # Internet-Facing CARP rules
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>     port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>     port $webports flags S/SA synproxy state
>> pass in on $ext_if inet proto udp from any to (carp0) \
>>     port $domainport
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>     port $domainport flags S/SA synproxy state
>>
>> # LAN-Facing CARP rules
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>     port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>     port $webports flags S/SA synproxy state
>> pass in on $int_if inet proto udp from $localnet to (carp1) \
>>     port $domainport
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>     port $domainport flags S/SA synproxy state
>>
>> Thanks
>>
>> On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>> Oh ok. That kind of makes sense.
>>>
>>> Thanks
>>>
>>> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]>
>>> wrote:
>>>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>>>> I don't think I understand. Clarify. You mean carpdev is like your
>>>>> physical interface.. eth0, re0, etc.?
>>>>
>>>> Say you have a carp configured like:
>>>>
>>>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>>         lladdr 00:00:5e:00:01:04
>>>>         carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>>>         groups: carp
>>>>         inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
>>>>
>>>> As you can see, carp0 is using em0 as its carpdev.
>>>> A pf rule to pass ssh to the carp address would be:
>>>>
>>>> pass in on em0 inet proto tcp to (carp0) port 22
>>>>
>>>> and NOT:
>>>>
>>>> pass in on carp0 inet proto tcp to (carp0) port 22
>>>>
>>>> HTH,
>>>>
>>>> Marco
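A small checker for the point Marco makes in the quoted reply (filter rules belong on the physical carpdev, with the carp address in the `to (carpN)` part, not `on carpN`), added here as an example and not code from anyone in the thread. It expands pf.conf macros and flags `pass`/`block`/`match` rules whose `on` interface resolves to a carpN device, running over a constructed excerpt shaped like the posted pf.conf; the carp-to-carpdev mapping (carp0 on re0, carp1 on xl0) is an assumption inferred from the posted rules, not something the thread states.

```python
import re

# Constructed excerpt shaped like the pf.conf posted in the thread (not the full file).
SAMPLE_PF_CONF = """\
ext_if = "re0"
carpdevs = "{ carp0 , carp1 }"
tcp_services = "{ ssh }"
pass on $carpdevs proto carp keep state
pass in on $ext_if inet proto tcp from any to (carp0) port $tcp_services flags S/SA keep state
pass in on carp0 inet proto tcp to (carp0) port 22
pass in on em0 inet proto tcp to (carp0) port 22
"""

# Assumed carp -> carpdev mapping (what the "carpdev" field of ifconfig would show).
CARPDEV = {"carp0": "re0", "carp1": "xl0"}
CARP_IF = re.compile(r"^carp\d+$")

def parse_macros(text):
    """Collect `name = "value"` macro definitions, ignoring trailing comments."""
    macros = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?\s*(#.*)?$', line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(value, macros):
    """Expand $macro references, then split a "{ a , b }" list into its items."""
    value = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), value)
    return [t for t in re.split(r"[{},\s]+", value) if t]

def find_rules_on_carp(text):
    """Return (line_no, rule, carp_ifaces) for filter rules whose `on` target is a carpN device."""
    macros = parse_macros(text)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()
        if not re.match(r"^(pass|block|match)\b", rule):
            continue
        m = re.search(r"\bon\s+(\$?\w+)", rule)
        carp = [i for i in expand(m.group(1), macros) if CARP_IF.match(i)] if m else []
        if carp:
            hits.append((n, rule, carp))
    return hits

def suggested_rule(rule, carp_ifaces):
    """Rewrite the `on` target to the physical carpdev(s), the form Marco's example uses."""
    devs = sorted({CARPDEV.get(i, i) for i in carp_ifaces})
    target = devs[0] if len(devs) == 1 else "{ " + ", ".join(devs) + " }"
    return re.sub(r"\bon\s+\$?\w+", "on " + target, rule, count=1)

if __name__ == "__main__":
    for n, rule, carp in find_rules_on_carp(SAMPLE_PF_CONF):
        print(f"line {n}: {rule}\n  -> {suggested_rule(rule, carp)}")
```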