Sorry, I forgot to do reply to all!

-----Original Message-----
From: Fred Newtz [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 11:10 AM
To: 'Calomel'
Cc: 'pf@benzedrine.cx'
Subject: RE: CARP failover problem
Calomel,

Thanks for the response. Here is my sysctl.conf file showing the four entries
that are enabled on each machine:

net.inet.ip.forwarding=1      # 1=Enable IP Forwarding
net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
net.inet.carp.preempt=1       # 1=Enable carp(4) preemption
net.inet.carp.log=1           # 1=Enable logging of carp(4) packets

I have just double-checked and both machines are set up with the same four
entries. The interfaces fail over properly. The problem is that on the second
machine the traffic gets blocked. Maybe it is just a problem with the second
machine, but I have gone over all of the settings that I can think of and,
where necessary (the second machine has different brands of network cards),
all of the settings are the same.

Here is the pf.conf on the machine that does work:

ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
carp_dev="{vr0,xl0}"
sync_if="rl0"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"

rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22

nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.220

block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
pass out on $carp_dev proto carp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass on $sync_if proto pfsync

Here is the pf.conf on the machine that does not work:

ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
sync_if="rl1"
carp_dev="{vr0,rl1}"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"

rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22

nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.221

block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
pass out on $carp_dev proto carp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass on $sync_if proto pfsync

pfctl -nf /etc/pf.conf comes back with no errors on both machines. Here is my
rc.conf.local file on both machines as well:

pf=YES
pf_rules="/etc/pf.conf"
pflog_enable=YES
pflog_logfile="/var/log/pflog"

If there is anything else I am missing, please let me know!

Thanks!

Fred

-----Original Message-----
From: Calomel [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 10:43 AM
To: Fred Newtz
Cc: pf@benzedrine.cx
Subject: Re: CARP failover problem

Fred,

Did you also enable net.inet.carp.preempt? net.inet.carp.preempt equaling
one (1) allows hosts within a redundancy group that have a better advbase and
advskew to preempt the master. In addition, this option also enables failing
over all interfaces in the event that one interface goes down. If one physical
CARP-enabled interface goes down, CARP will change advskew to 240 on all other
CARP-enabled interfaces, in essence, failing itself over.

CARP Firewall Failover for OpenBSD
http://calomel.org/pf_carp.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference

On Wed, Apr 02, 2008 at 12:06:34PM -0500, Fred Newtz wrote:
>I have two machines configured with OpenBSD carp, pf and pfsync. The state
>table is syncing properly. I have one webserver behind
>the two firewall machines. For some reason my master machine (which is
>working) will freeze up. The interfaces all fail over properly but no
>traffic will pass through the backup machine. I am pretty new at this,
>so please tell me if I can provide any configuration information to help
>determine what is going on here. I can pass traffic between fw2 (backup
>firewall) and my webserver just fine.
>
>I have 6 carp interfaces set up. One of them is my gateway interface
>for the webserver to get back out of the network. During testing I am
>only doing ifconfig carp2 down for one of my interfaces. Do I need to fail the
>gateway carp interface as well for this to work properly?
>
>Thanks,
>
>Fred
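The thread turns on whether every CARP group on a host moves together when one carpdev goes down (Fred's "do I need to fail the gateway carp interface as well?" and Calomel's description of preempt setting advskew 240). The check a practitioner would run on each firewall after a failover is to read `ifconfig carp` and confirm that all groups on a host agree: if the external group is MASTER on one firewall while the internal/gateway group is MASTER on the other, forwarded traffic enters one box and the web server's replies leave through the other. The script below is an added example, not code from the list thread or from calomel.org. It assumes the OpenBSD 4.x `ifconfig` line format `carp: STATE carpdev IF vhid N advbase N advskew N`, and the advskew-240 demotion behaviour exactly as Calomel states it above; the three ifconfig samples are constructed for the example, not captured from Fred's machines.

```shell
#!/bin/sh
# Added example (not from the thread): summarise CARP group state from
# ifconfig(8) output and flag the conditions that leave a firewall pair
# forwarding nothing after a failover.
# Assumption: OpenBSD 4.x ifconfig prints, per carp interface, a line
#   carp: STATE carpdev IF vhid N advbase N advskew N
# and, per the reply above, a host whose carpdev link drops sets advskew 240
# on its other groups when net.inet.carp.preempt=1.

# Constructed samples (not captured from the machines in the thread).
# Healthy: every group on this host is MASTER.
SAMPLE_HEALTHY='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vr0 vhid 1 advbase 1 advskew 0
        inet 64.244.168.194 netmask 0xffffff00 broadcast 64.244.168.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev xl0 vhid 2 advbase 1 advskew 0
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Split: the external groups moved to this host but the gateway group did
# not, so the web server still routes its replies via the other firewall.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vr0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev xl0 vhid 2 advbase 1 advskew 100
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vr0 vhid 3 advbase 1 advskew 100'

# Demoted: the host whose link died; preempt pushed every group to 240.
SAMPLE_DEMOTED='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vr0 vhid 1 advbase 1 advskew 240
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev xl0 vhid 2 advbase 1 advskew 240
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vr0 vhid 3 advbase 1 advskew 240'

# carp_summary: read ifconfig output on stdin and print one line per carp
# interface: "<ifname> <state> <carpdev> <vhid> <advskew>".
carp_summary() {
    name=""
    while IFS= read -r line; do
        case "$line" in
            carp[0-9]*:*) name=${line%%:*} ;;       # "carp0: flags=..." header
            *" carp: "*)
                set -- $line                      # word-split the carp: line
                state=$2
                dev=""; vhid=""; skew=""
                while [ $# -gt 1 ]; do            # walk key/value pairs
                    case "$1" in
                        carpdev) dev=$2 ;;
                        vhid)    vhid=$2 ;;
                        advskew) skew=$2 ;;
                    esac
                    shift
                done
                printf '%s %s %s %s %s\n' "$name" "$state" "$dev" "$vhid" "$skew"
                ;;
        esac
    done
}

# carp_check: read carp_summary output on stdin.
#   0  every group in the same state and nobody demoted
#   1  SPLIT: MASTER and BACKUP groups on the same host (traffic will enter
#      one firewall and try to leave through the other)
#   2  DEMOTED: at least one group at advskew >= 240 (this host has a dead
#      carpdev and should have handed every group to its peer)
#   3  no carp interfaces seen at all
carp_check() {
    masters=0; backups=0; demoted=0
    while read -r ifn state dev vhid skew; do
        case "$state" in
            MASTER) masters=$((masters + 1)) ;;
            BACKUP) backups=$((backups + 1)) ;;
        esac
        [ "${skew:-0}" -ge 240 ] && demoted=$((demoted + 1))
    done
    if [ "$masters" -eq 0 ] && [ "$backups" -eq 0 ]; then
        echo "NONE: no carp interfaces in input"; return 3
    fi
    if [ "$masters" -gt 0 ] && [ "$backups" -gt 0 ]; then
        echo "SPLIT: $masters MASTER / $backups BACKUP on this host"; return 1
    fi
    if [ "$demoted" -gt 0 ]; then
        echo "DEMOTED: $demoted group(s) at advskew >= 240"; return 2
    fi
    if [ "$masters" -gt 0 ]; then echo "OK: all groups MASTER"; else echo "OK: all groups BACKUP"; fi
    return 0
}

# Demo on the constructed samples. On a real firewall:
#   ifconfig carp | carp_summary | carp_check
for s in "$SAMPLE_HEALTHY" "$SAMPLE_SPLIT" "$SAMPLE_DEMOTED"; do
    printf '%s\n' "$s" | carp_summary | carp_check || :
done
```

Run it on both firewalls right after the test failover and compare: the expected picture with preempt working is DEMOTED on the box whose interface was taken down and OK (all MASTER) on its peer. A SPLIT on either side is the state that matches "the interfaces fail over but nothing passes through the backup", and is also what you would see if one group still points at a carpdev the other host does not share. The advskew-240 rule is taken from Calomel's description above; check what your OpenBSD release actually reports (`ifconfig carp` and `sysctl net.inet.carp.preempt`) rather than trusting the number.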