Well, that wasn't the problem.  Although I am sure at some point it would have 
been a problem.  Let me ask you this question, though.

$carp1: is that defined somewhere as a variable, or is it a predefined 
variable that just works?  I have multiple external IPs and
internal IPs, so I would need to pass specific carp interfaces to specific 
internal addresses.


Thanks,

Fred 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Newtz
Sent: Thursday, April 03, 2008 5:08 PM
To: 'Calomel'
Cc: pf@benzedrine.cx
Subject: RE: CARP failover problem

Calomel,

        Wow.  Lots of stuff to look at!  

1.  state information is being transferred between machines.
2.  AHHHH!!!!  Thanks!  I was just going through step three when I noticed 
something that I never thought to look at.  For some
reason I had bound all of the IPs to one of my carp interfaces on the second 
box.  I have no idea why I did that.......  Who knows.
Following so many different how-tos out there gets me in trouble.

Let me try this and see if it works!


Thanks,

Fred 

-----Original Message-----
From: Calomel [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 1:56 PM
To: Fred Newtz
Cc: pf@benzedrine.cx
Subject: Re: CARP failover problem

Fred,

If you use "pftop" on both machines do you see the states from the MASTER 
firewall being transferred to the BACKUP?

Are you binding all of your ip addresses to your physical interfaces? 

What do your carp hostname files contain?
  cat /etc/hostname.carp0
  cat /etc/hostname.carp1
  cat /etc/hostname.carp2
  ....etc...

If you are binding the ips to your physical interfaces then when the BACKUP 
firewall takes over the MAC address is different. This
_might_ be the reason.

Do you have a pass rule like so specifying a carp interface?
  pass in on $ext_if inet proto tcp from any to $carp1 port $web

Take a look at the area on this page called "Writing Pf rules with carp 
devices" for more information.

  CARP Firewall Failover for OpenBSD
  http://calomel.org/pf_carp.html

These are just some guesses. Hope this helps.

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Thu, Apr 03, 2008 at 11:09:39AM -0500, Fred Newtz wrote:
>Calomel,
>
>       Thanks for the response.  Here is my sysctl.conf file showing the four 
> entries that are enabled on each machine:
>
>net.inet.ip.forwarding=1        # 1=Enable IP Forwarding
>net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
>net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
>net.inet.carp.log=1             # 1=Enable logging of carp(4) packets 
>
>       I have just double checked and both machines are set up with the same 
> four entries.
>
>       The interfaces fail over properly.  The problem is on the second 
>machine the traffic gets blocked.  Maybe it is just a problem with the 
>second machine, but I have gone over all of the settings that I can 
>think of and where necessary (the second machine has different brands 
>of network cards) all of the settings are the same.
>
>       Here is the pf.conf on the machine that does work:
>
>ext_if="vr0"
>int_if="xl0"
>nat_p="{tcp, udp, icmp}"
>carp_dev="{vr0,xl0}"
>sync_if="rl0"
>
>NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>web="{80,443}"
>
>rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
>nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.220
>
>block in quick on $ext_if from $NoRouteIPs to any
>block out quick on $ext_if from any to $NoRouteIPs
>pass out on $carp_dev proto carp keep state
>pass in on $ext_if proto tcp to ($ext_if) port ssh
>pass on $sync_if proto pfsync
>
>
>
>
>Here is the pf.conf on the machine that does not work:
>
>ext_if="vr0"
>int_if="xl0"
>nat_p="{tcp, udp, icmp}"
>sync_if="rl1"
>carp_dev="{vr0,rl1}"
>
>NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>web="{80,443}"
>
>rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
>rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
>rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
>nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.221
>
>block in quick on $ext_if from $NoRouteIPs to any
>block out quick on $ext_if from any to $NoRouteIPs
>pass out on $carp_dev proto carp keep state
>pass in on $ext_if proto tcp to ($ext_if) port ssh
>pass on $sync_if proto pfsync
>
>
>pfctl -nf /etc/pf.conf comes back with no errors on both machines.
>
>Here is my rc.conf.local file on both machines as well:
>
>pf=YES
>pf_rules="/etc/pf.conf"
>pflog_enable=YES
>pflog_logfile="/var/log/pflog"
>
>
>
>If there is anything else I am missing please let me know!
>
>
>Thanks!
>
>Fred
>
>
>
>
>-----Original Message-----
>From: Calomel [mailto:[EMAIL PROTECTED]
>Sent: Thursday, April 03, 2008 10:43 AM
>To: Fred Newtz
>Cc: pf@benzedrine.cx
>Subject: Re: CARP failover problem
>
>Fred,
>
>Did you also enable net.inet.carp.preempt?
>
>net.inet.carp.preempt equaling one(1) allows hosts within a redundancy 
>group that have a better advbase and advskew to preempt the master. In 
>addition, this option also enables failing over all interfaces in the 
>event that one interface goes down. If one physical CARP-enabled 
>interface goes down, CARP will change advskew to 240 on all other
>CARP-enabled interfaces, in essence, failing itself over.
>
>  CARP Firewall Failover for OpenBSD
>  http://calomel.org/pf_carp.html
>
>--
>  Calomel @ http://calomel.org
>  Open Source Research and Reference
>
>
>On Wed, Apr 02, 2008 at 12:06:34PM -0500, Fred Newtz wrote:
>>I have two machines configured with OpenBSD CARP, pf and pfsync.  The state 
>>table is syncing properly.  I have one webserver behind the two firewall 
>>machines.  For some reason my master machine (which is working) will 
>>freeze up.  The interfaces all fail over properly but no traffic will pass 
>>through the backup machine.  I am pretty new at this so please tell me if 
>>I can provide any configuration information to help determine what is 
>>going on here.  I can pass traffic between the fw2 (backup firewall) and 
>>my webserver just fine.
>>
>>I have 6 carp interfaces set up.  One of them is my gateway interface 
>>for the webserver to get back out of the network.  During testing I am 
>>only ifconfig carp2 down for one of my interfaces.  Do I need to fail 
>>the gateway carp interface as well for this to work properly?
>>
>>Thanks,
>>
>>Fred

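Editor's note, not part of the thread and not taken from calomel.org: the example below shows how "$carp1" normally gets defined (it is an ordinary pf.conf macro, nothing predefined) and what the matching hostname.carp files look like, using the addresses from the thread (64.244.168.194 on vr0, web server 192.168.1.190 behind xl0, pfsync on rl0). The vhid numbers, advskew values, the shared secrets, the internal gateway address 192.168.1.1 and the "block all" default policy are assumptions chosen for the example; the thread's own rule sets have no default block.

```pf
# /etc/hostname.carp1 on the MASTER (assumed: vhid 1, /24 netmask, shared secret)
# format: inet <address> <netmask> <broadcast> vhid <id> pass <secret> advskew <n> [carpdev <if>]
#   inet 64.244.168.194 255.255.255.0 64.244.168.255 vhid 1 pass SharedSecret1 advskew 0 carpdev vr0
# the same file on the BACKUP differs only in advskew (higher = less preferred):
#   inet 64.244.168.194 255.255.255.0 64.244.168.255 vhid 1 pass SharedSecret1 advskew 100 carpdev vr0
# /etc/hostname.carp2 is the internal gateway the web servers use (assumed 192.168.1.1, vhid 2):
#   inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 2 pass SharedSecret2 advskew 0 carpdev xl0
# The physical interfaces keep their own per-box addresses in hostname.vr0 / hostname.xl0;
# only the carp addresses (and the carp virtual MAC 00:00:5e:00:01:<vhid>) move on failover.

# /etc/pf.conf, identical on both boxes (the physical interface names must match too)
ext_if="vr0"
int_if="xl0"
sync_if="rl0"
carp_dev="{ vr0, xl0 }"

# $carp1 is not predefined: it is a macro holding the carp interface name. An
# interface name in an address position expands to the addresses configured on
# it, so "to $carp1" means "to 64.244.168.194" on whichever box holds it now.
carp1="carp1"
carp2="carp2"

web="{ 80, 443 }"
web_srv="192.168.1.190"
int_net="192.168.1.0/24"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# one rdr per external address; with no target port the original port is kept
rdr on $ext_if proto tcp from any to $carp1 port $web -> $web_srv
# outbound NAT to the shared address, so sessions survive a failover
nat on $ext_if inet proto { tcp, udp, icmp } from $int_net to any -> ($carp1)

block all
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

# carp advertisements and pfsync updates travel on the physical interfaces in
# both directions; if they are blocked the BACKUP never learns to take over
pass on $carp_dev proto carp
pass on $sync_if proto pfsync

# traffic to the firewall itself: match the carp address, not ($ext_if),
# which is the per-box physical address and differs on MASTER and BACKUP
pass in on $ext_if inet proto tcp from any to $carp1 port ssh keep state

# redirected traffic: filtering happens after rdr, so the rule must match the
# translated internal destination, not the carp address the client sent to
pass in on $ext_if inet proto tcp from any to $web_srv port $web keep state
pass out on $int_if inet proto tcp from any to $web_srv port $web keep state

# outbound traffic from the inside (replies ride the states created above)
pass in on $int_if inet from $int_net to any keep state
pass out on $ext_if inet from any to any keep state
```

To check the result on each box: "pfctl -nf /etc/pf.conf" parses the rules, "ifconfig carp1" should report "carp: MASTER" on one machine and "carp: BACKUP" on the other, "sysctl net.inet.carp.preempt" should be 1 on both, and "pfctl -ss" on the BACKUP should already list the states the MASTER created, which is what pfsync is for. If the BACKUP shows the states but still blocks traffic after a failover, the usual suspect is a pass rule written against the physical interface's own address or, as above, against the pre-rdr destination.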