Re: two ip with carp

2017-02-28 Thread Igor V. Gubenko
It's not completely clear -

4) - is the IP 10.1.1.2 on a separate interface? What did you configure
carp2 on?

Can you restate your question and/or describe how you want the traffic
to flow, as well as your network topology?

- Igor


On 2/27/17 6:07 AM, Frank White wrote:
> hi,
> I have 2 firewalls in a cluster with CARP. The following is my configuration
> (8.x.x.x are examples for wan ip):
> first firewall
> 1) bnx0 8.8.8.7 (internet)
> 2) bge0 192.168.100.2 (lan)
> 3) bnx1 pfsync
> 4) 10.1.1.2 dmz
>
> carp0 8.8.8.8 (internet)
> carp1 192.168.100.1 (gateway for the lan)
> carp2 10.1.1.1 (gateway for the dmz)
>
> now I want to add the IP 8.8.8.10 and redirect all traffic from it to the dmz...
> how should I configure it?
> I know how to redirect the traffic with pf.. my question concerns how to
> configure carp and the nic..
> for example, should I create a new carp with IP 8.8.8.10 and an alias on
> bnx0 with IP 8.8.8.11?



Re: two ip with carp

2017-02-28 Thread Frank White
ok.. I'll try.
I use the Google DNS IP as an example for my static public IP address.
fw1 carp0 8.8.8.8  ## (internet shared ip <--  lan)
fw1 carp1 192.168.1.1  ## (lan shared ip default gw)
fw1 carp2 10.1.1.1  ## (dmz shared ip)
fw1 bnx0 8.8.8.7  ## (internet)
fw1 bge0 192.168.1.2  ## (lan)
fw1 bnx1 10.1.1.2  ## (dmz)
fw1 bge1 192.168.254.1 ## (pfsync)

fw2 carp0 8.8.8.8
fw2 carp1 192.168.1.1
fw2 carp2 10.1.1.1
fw2 bnx0 8.8.8.6
fw2 bge0 192.168.1.3
fw2 bnx1 10.1.1.3
fw2 bge1 192.168.254.2 # (pfsync)

Now I want to add 8.8.8.10, a static public IP, to send traffic to the DMZ,
because 8.8.8.8 sends traffic to the LAN.
As I understand it, I have to add the following lines to the interface configuration files:

fw1 hostname.carp0:  inet alias 8.8.8.10 255.255.255.255 NONE
fw1 hostname.bnx0: inet alias 8.8.8.11 255.255.255.255 NONE

fw2 hostname.carp0:  inet alias 8.8.8.10 255.255.255.255 NONE
fw2 hostname.bnx0: inet alias 8.8.8.12 255.255.255.255 NONE

is that right ?





Re: two ip with carp

2017-02-28 Thread Igor V. Gubenko
Much clearer.

I've never tried CARP on an alias, but it should probably work.

However, I don't think that it can be an existing carp* interface. Use
carp3, i.e., a different carp interface. Create the "inet alias" in the .bnx0
file, and a new .carpX file with a different "vhid" (different from carp2).

On a side note, I've found out that the physical interfaces on WAN do
not necessarily need to have actual WAN (globally routed) IPs. So, if
you are low on globally routed IPs, you can try using RFC 1918 IPs on
bnx0 (and its aliases for DMZ). These IPs are merely needed to send
multicast for CARP.

If any of the esteemed OpenBSD developers want to call BS on the above,
please, have a go :)

Please let us know of the results.

- Igor





Re: two ip with carp

2017-03-06 Thread Maxim Bourmistrov
Just create carp3 and configure it the same way as carp0, except for the
password.
No aliases whatsoever. Later, in pf.conf, do a nat-to from the DMZ to carp3.

fw1# ifconfig trunk0
trunk0: flags=8943 mtu 1500
lladdr 00:25:90:f9:74:b0
index 7 priority 0 llprio 3
trunk: trunkproto lacp
trunk id: [(8000,00:25:90:f9:74:b0,403C,,), (0001,1c:aa:07:01:9b:80,0001,,)]
trunkport ix3 active,collecting,distributing
trunkport ix0 active,collecting,distributing
groups: trunk egress
media: Ethernet autoselect
status: active
inet 155.4.x.121 netmask 0xffffff80 broadcast 155.4.x.127

fw1# ifconfig carp165
carp165: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:a5
description: VIP65
index 53 priority 15 llprio 3
carp: MASTER carpdev trunk0 vhid 165 advbase 1 advskew 0
groups: carp
status: master
inet 155.4.x.65 netmask 0xffffff80 broadcast 155.4.x.127

fw1# ifconfig carp167
carp167: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:a7
description: VIP67
index 75 priority 15 llprio 3
carp: MASTER carpdev trunk0 vhid 167 advbase 1 advskew 0
groups: carp
status: master
inet 155.4.x.67 netmask 0xffffff80 broadcast 155.4.x.127

fw1# cat /etc/hostname.carp165
inet 155.4.x.65 255.255.255.128 155.4.x.127 -inet6 vhid 165 advbase 1 advskew 0 carpdev trunk0 pass abc1234 description VIP65

fw1# cat /etc/hostname.carp167
inet 155.4.x.67 255.255.255.128 155.4.x.127 -inet6 vhid 167 advbase 1 advskew 0 carpdev trunk0 pass 1234abc description VIP67



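Putting Igor's and Maxim's advice together for Frank's layout (a separate carp3 with its own vhid and password, carpdev bnx0 with no bnx0 alias, and pf translating to and from the carp3 address), the resulting files would look like the following. This is an added example, not configuration posted by anyone in the thread: the /24 netmask and broadcast, vhid 3, the placeholder password, the DMZ host 10.1.1.10 and the ports are all assumptions. Unlike Maxim's "same as carp0 except the password", it also uses a distinct vhid, which his own carp165/carp167 files do as well and which Igor's reply calls out.

```conf
# --- /etc/hostname.carp3 on fw1 ---
# Added example, not from the thread. Netmask/broadcast (assumed /24),
# vhid 3, the password and the DMZ host 10.1.1.10 are assumptions.
# carpdev is the same bnx0 that carries carp0 (bnx0 already has 8.8.8.7 in
# this subnet), so no "inet alias" on bnx0 is needed. vhid must be unique
# per broadcast domain and must not collide with carp0's vhid.
inet 8.8.8.10 255.255.255.0 8.8.8.255 vhid 3 advbase 1 advskew 0 carpdev bnx0 pass CHANGE-ME-carp3 description VIP10

# --- /etc/hostname.carp3 on fw2 ---
# Identical except advskew, so fw2 comes up as BACKUP and takes over only
# when fw1's advertisements stop. The pass must match fw1's: CARP
# advertisements are authenticated with it, and on a mismatch each node
# drops the other's advertisements and both end up MASTER (split brain).
inet 8.8.8.10 255.255.255.0 8.8.8.255 vhid 3 advbase 1 advskew 100 carpdev bnx0 pass CHANGE-ME-carp3 description VIP10

# --- /etc/sysctl.conf on both nodes ---
# With preempt on, a carp interface that loses its link demotes every
# carp interface in the same group, so carp0..carp3 fail over together
# instead of the WAN VIP landing on one firewall and the DMZ VIP on the other.
net.inet.carp.preempt=1

# --- /etc/pf.conf fragment on both nodes ---
# Let the cluster protocols through on the links they actually use.
pass quick on { bnx0 bge0 bnx1 } proto carp
pass quick on bge1 proto pfsync

# Inbound to the new public address goes to a DMZ host (10.1.1.10 assumed).
pass in on bnx0 inet proto tcp from any to 8.8.8.10 port { 80 443 } rdr-to 10.1.1.10

# DMZ hosts leave via the shared 8.8.8.10 rather than the per-node bnx0
# address (8.8.8.7 / 8.8.8.6), so the states pfsync copies to the peer are
# still valid for the same source address after a failover.
match out on bnx0 inet from 10.1.1.0/24 nat-to 8.8.8.10
pass out on bnx0 inet from 10.1.1.0/24
```

Bring the interface up on each node with `sh /etc/netstart carp3`; `ifconfig carp3` should then report `carp: MASTER carpdev bnx0 vhid 3` on fw1 and `BACKUP` on fw2, and `tcpdump -ni bnx0 ip proto 112` should show one advertisement per second from the master. Run `pfctl -nf /etc/pf.conf` to syntax-check the ruleset before loading it with `pfctl -f`. If both nodes show MASTER, check that the vhid and pass are identical on both sides and that no other device on the bnx0 segment is already using vhid 3.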