hi all,
I am relatively new to OpenBSD (coming from Linux), and I am trying to
set up an OpenBSD firewall with carp/pfsync as described by this:
http://www.countersiege.com/doc/pfsync-carp/ - a very fine article.
I am also using the Soekris 4801 hardware, so there shouldn't be any
hardware problems. I've installed the current OpenBSD snapshot with
flashdist (modified to get a kernel with carp enabled).
My setup (for testing purposes at the moment) is nearly the same as described
in the article; only my internal net is 172.16.0.0/24 instead of
192.168.0.0/24.
My config for machine A (Master) is:
-------------------rc---------------------
sysctl -w net.inet.carp.preempt=1
sysctl -w net.inet.carp.arpbalance=1
sysctl -w net.inet.carp.log=1
sysctl -w ddb.panic=0
ifconfig lo0 127.0.0.1 netmask 255.0.0.0
ifconfig sis0 10.0.0.254 netmask 255.255.255.0 broadcast 10.0.0.254
ifconfig sis1 172.16.0.254 netmask 255.255.255.0 broadcast 172.16.0.255
ifconfig sis2 192.168.254.254 netmask 255.255.255.0 broadcast \
192.168.254.255
ifconfig carp0 10.0.0.1 netmask 255.255.255.0 broadcast \
10.0.0.255 vhid 1 pass pass1
ifconfig carp1 172.16.0.1 netmask 255.255.255.0 broadcast \
172.16.0.255 vhid 2 pass pass2
ifconfig pfsync0 up syncif sis2
------------------------------------------
My config for machine B (Backup) is:
-----------------rc-----------------------
sysctl -w net.inet.carp.preempt=1
sysctl -w net.inet.carp.arpbalance=1
sysctl -w net.inet.carp.log=1
sysctl -w ddb.panic=0
ifconfig lo0 127.0.0.1 netmask 255.0.0.0
ifconfig sis0 10.0.0.253 netmask 255.255.255.0 broadcast 10.0.0.255
ifconfig sis1 172.16.0.253 netmask 255.255.255.0 broadcast 172.16.0.255
ifconfig sis2 192.168.254.253 netmask 255.255.255.0 broadcast \
192.168.254.255
ifconfig carp0 10.0.0.1 netmask 255.255.255.0 broadcast \
10.0.0.255 vhid 1 advskew 100 pass pass1
ifconfig carp1 172.16.0.1 netmask 255.255.255.0 broadcast \
172.16.0.255 vhid 2 advskew 100 pass pass2
ifconfig pfsync0 up syncif sis2
------------------------------------------
My pf.conf on both machines is:
--------------pf.conf---------------------
ext_if="sis0"
int_if="sis1"
cross_if="sis2"
pass quick on { $cross_if } proto pfsync
pass on { $ext_if $int_if } proto carp keep state
------------------------------------------
which seems to be correct (that's my point of view).
The two boxes are on one switch (there will be two switches in
production and a crossover cable). They are both starting correctly; I
can connect through the serial cable. I've also connected my Linux box
to the switch (with the internal IP) so that I can test things.
The problem now is that nothing works.
I can't ping the machines from my Linux box, nor can I ping from
machine A (the 254 address) to machine B (the 253 address).
When I try to look at the ARP cache, I first get some
"ether address is broadcast for IP address 10.0.0.2" messages, and then
I get:
? (10.0.0.2) at (incomplete) on sis0
? (10.0.0.253) at 00:00:24:c1:c7:48 on sis0 static
? (10.0.0.254) at (incomplete) on sis0
? (172.16.0.46) at (incomplete) on sis1
So it seems that it can't get the right hardware addresses.
Here is my ifconfig -a from machine A (not all cables are on):
--------------------------------------------------
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:90
media: Ethernet autoselect (100baseTX)
status: active
inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.254
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:91
media: Ethernet autoselect (none)
status: no carrier
inet 172.16.0.254 netmask 0xffffff00 broadcast 172.16.0.255
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:92
media: Ethernet autoselect (none)
status: no carrier
inet 192.168.254.254 netmask 0xffffff00 broadcast 192.168.254.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
pfsync: syncif: sis2 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
carp: MASTER vhid 1 advbase 1 advskew 0
inet 10.0.0.1 netmask 0xffffff00
carp1: flags=41<UP,RUNNING> mtu 1500
carp: MASTER vhid 2 advbase 1 advskew 0
inet 172.16.0.1 netmask 0xffffff00
-------------------------------------------------
And here is my ifconfig -a on machine B (not all cables are on):
-------------------------------------------------
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:48
media: Ethernet autoselect (100baseTX)
status: active
inet 10.0.0.253 netmask 0xffffff00 broadcast 10.0.0.255
sis1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:49
media: Ethernet autoselect (none)
status: no carrier
inet 172.16.0.253 netmask 0xffffff00 broadcast 172.16.0.255
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:4a
media: Ethernet autoselect (none)
status: no carrier
inet 192.168.254.253 netmask 0xffffff00 broadcast 192.168.254.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
pfsync: syncif: sis2 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
carp: MASTER vhid 1 advbase 1 advskew 100
inet 10.0.0.1 netmask 0xffffff00
carp1: flags=41<UP,RUNNING> mtu 1500
carp: MASTER vhid 2 advbase 1 advskew 100
inet 172.16.0.1 netmask 0xffffff00
----------------------------------------------------
So, can anyone tell me what I am doing wrong?
Best regards,
Wolfgang
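A sanity check added here as an example, not part of Wolfgang's post: it parses ifconfig lines of the form used in the rc snippets above (the sis/carp lines of both machines, with the backslash continuations joined, are embedded as constructed sample input) and reports every interface whose explicit broadcast address disagrees with the broadcast implied by its address and netmask. Run over machine A's lines it flags sis0, whose broadcast is set to the interface's own address 10.0.0.254 rather than 10.0.0.255.

```python
import ipaddress
import shlex

# Constructed sample input: the ifconfig lines from the rc snippets above
# (backslash-continued lines joined; sysctl, lo0 and pfsync0 lines omitted).
RC_MACHINE_A = """\
ifconfig sis0 10.0.0.254 netmask 255.255.255.0 broadcast 10.0.0.254
ifconfig sis1 172.16.0.254 netmask 255.255.255.0 broadcast 172.16.0.255
ifconfig sis2 192.168.254.254 netmask 255.255.255.0 broadcast 192.168.254.255
ifconfig carp0 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 vhid 1 pass pass1
ifconfig carp1 172.16.0.1 netmask 255.255.255.0 broadcast 172.16.0.255 vhid 2 pass pass2
"""
RC_MACHINE_B = """\
ifconfig sis0 10.0.0.253 netmask 255.255.255.0 broadcast 10.0.0.255
ifconfig sis1 172.16.0.253 netmask 255.255.255.0 broadcast 172.16.0.255
ifconfig sis2 192.168.254.253 netmask 255.255.255.0 broadcast 192.168.254.255
ifconfig carp0 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 vhid 1 advskew 100 pass pass1
ifconfig carp1 172.16.0.1 netmask 255.255.255.0 broadcast 172.16.0.255 vhid 2 advskew 100 pass pass2
"""

def parse_ifconfig(line):
    """Return (ifname, addr, netmask, broadcast) for an 'ifconfig IF ADDR ...' line,
    or None when the line does not set an IPv4 address."""
    toks = shlex.split(line)
    if len(toks) < 3 or toks[0] != "ifconfig":
        return None
    try:
        ipaddress.IPv4Address(toks[2])
    except ValueError:
        return None  # e.g. 'ifconfig pfsync0 up syncif sis2'
    opts = {k: toks[toks.index(k) + 1] for k in ("netmask", "broadcast") if k in toks}
    return toks[1], toks[2], opts.get("netmask"), opts.get("broadcast")

def expected_broadcast(addr, netmask):
    """Broadcast address implied by an address and a dotted-quad netmask."""
    return str(ipaddress.IPv4Interface(f"{addr}/{netmask}").network.broadcast_address)

def check_broadcasts(rc_text):
    """List (ifname, configured, expected) for each interface whose broadcast is wrong."""
    problems = []
    for line in rc_text.splitlines():
        parsed = parse_ifconfig(line)
        if parsed is None or None in parsed[2:]:
            continue  # no inet address, or no explicit netmask/broadcast to compare
        ifname, addr, netmask, bcast = parsed
        want = expected_broadcast(addr, netmask)
        if bcast != want:
            problems.append((ifname, bcast, want))
    return problems

if __name__ == "__main__":
    print("A:", check_broadcasts(RC_MACHINE_A), "B:", check_broadcasts(RC_MACHINE_B))
```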