Re: carp / routing question (multiple lines)
On 2008-06-26, openbsd misc [EMAIL PROTECTED] wrote:

> - how must I read the route-to / reply-to syntax? for example:
>
>   pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

Outbound packet - normal routing table lookup based on the *destination* address - if the routing table says it should use $ext_if1, this rule will examine the *source* address, if the address is that of $ext_if2 it will not actually leave on $ext_if1 but will instead leave on $ext_if2 with the nexthop set to $ext_gw2.

>   pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Same as above with different addresses/interfaces.

You also need NAT rules, such that traffic to certain ports is rewritten with the source address of one or other connection. This is where you do the classification, and this is what you need to change when one of the connections is down.

> - the other line should be used if one is down (how to do that with pf?)

You need more than just PF for that; you could use ifstated to monitor the connections and use pfctl(8) to load the correct rules.

One option is to maintain two complete pf.conf and switch between them, but it's inevitable that sometime they will get out of sync. It's better to use an anchor - search for the word anchor in pf.conf(5) and pfctl(8) to read about them. That way, you can use a single main ruleset, and use a separate file holding the NAT rules; using pfctl -a somename -f somefile you can switch between one and another file depending on which link is up.
carp / routing question (multiple lines)
Hello,

I hope I can avoid trial and error this way ;-)

I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and for mail and http(s) if the dsl line is not available.

I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax.

Every connection should find its way back the same way (same route, using the ip-address the SYN came to).

Does someone have a link for me on how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used.

I think my biggest problem is carp, because I don't know how to set up pf correctly with carp in use. As you know pf uses the physical interface, not the virtual interface, so I think I have to define the source ip, too?

I hope someone understands my english ;-) and can give me some links / documentation / examples ...

Thanks and regards
Hagen Volpers
Re: carp / routing question (multiple lines)
On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:

> I hope I can avoid trial and error this way ;-)
>
> I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and for mail and http(s) if the dsl line is not available.
>
> I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax.

Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an introduction, the syntax of route-to and reply-to is given in the BNF section at the bottom of pf.conf(5) - everyone writing PF configuration files should learn how to read this section. Everyone copying-and-pasting PF configs from samples really should too...

You should also get acquainted with running tcpdump on different interfaces, including pflog0 (with the relevant log in PF rules), it's very useful when you need to debug PF and in particular any complicated NAT/route-to configuration.

> Does someone have a link for me on how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used.

You set the source address of outgoing packets with NAT rules. You direct packets out the relevant interface with route-to. And you direct return packets for an *incoming* connection with reply-to.

Forget metrics/route priority for now, that won't help you direct packets out of one or other connection based on port number, you need PF rules to classify traffic if you want that.

> I think my biggest problem is carp, because I don't know how to set up pf correctly with carp in use. As you know pf uses the physical interface, not the virtual interface, so I think I have to define the source ip, too?

Where you have to define an interface, use the physical interface (vlan/trunk count as physical interface for this purpose). Where you have to specify an address, use whichever is correct for what you're trying to do, carp/physical/both.
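Putting the two replies above together (NAT sets the source address per link, route-to picks the outgoing link, reply-to sends answers to incoming connections back the way they came, and the link-selection rules live in an anchor that pfctl -a can swap), here is an added example in OpenBSD 4.3-era pf.conf syntax. It is not code from the thread or from the OpenBSD FAQ; interface names, addresses (RFC 5737 ranges), port list, file names and the anchor name "wanpolicy" are assumptions chosen for illustration.

```pf
# Added example, not from the thread: main /etc/pf.conf for a carp pair
# with two uplinks. Names and addresses below are placeholders.
ext_if1   = "em0"             # DSL link (default route lives here)
ext_if2   = "em1"             # symmetric link on the /29 transport net
int_if    = "em2"
ext_gw1   = "198.51.100.1"
ext_gw2   = "203.0.113.1"
carp_ext1 = "198.51.100.10"   # carp address shared by both firewalls, DSL side
carp_ext2 = "203.0.113.10"    # carp address shared by both firewalls, symmetric side
lan_net   = "192.168.1.0/24"

# NAT on the *physical* interfaces, translating to that link's *carp*
# address: the source address is what makes replies come back on the
# same link, and the carp address is what survives a failover.
nat on $ext_if1 from $lan_net to any -> $carp_ext1
nat on $ext_if2 from $lan_net to any -> $carp_ext2

block log all
pass in  on $int_if from $lan_net to any
pass out on { $ext_if1, $ext_if2 } from any to any

# Connections *arriving* on a link must be answered on that link, no
# matter which link currently holds the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $carp_ext1 port { 25, 443 }
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $carp_ext2 port { 25, 443 }

# The fix-up rules discussed in the thread, placed after the general
# pass out rule so they are the last match: a packet the routing table
# sent to the DSL interface but which carries the symmetric link's
# address leaves on the symmetric link instead (and vice versa).
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $carp_ext2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $carp_ext1 to any

# Which link a *new* LAN connection takes is decided by route-to rules
# kept in this anchor, so only that file changes when a link goes down.
anchor "wanpolicy"

# ---- /etc/pf.wan-normal.conf: DSL is up. Loaded into the anchor with
# ----   pfctl -a wanpolicy -f /etc/pf.wan-normal.conf
# Macros are per file, so the anchor file declares the ones it needs.
int_if  = "em2"
ext_if2 = "em1"
ext_gw2 = "203.0.113.1"
lan_net = "192.168.1.0/24"
# Mail and https go out the symmetric link; everything else follows
# the routing table, i.e. the DSL default route.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto tcp \
    from $lan_net to any port { 25, 443 }

# ---- /etc/pf.wan-dsldown.conf: DSL is down. Loaded the same way with
# ----   pfctl -a wanpolicy -f /etc/pf.wan-dsldown.conf
int_if  = "em2"
ext_if2 = "em1"
ext_gw2 = "203.0.113.1"
lan_net = "192.168.1.0/24"
# Every new LAN connection is forced out the symmetric link.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) from $lan_net to any
```

After `pfctl -f /etc/pf.conf`, load the current policy with `pfctl -a wanpolicy -f /etc/pf.wan-normal.conf`; `pfctl -a wanpolicy -sr` shows which policy is loaded, and `pfctl -a wanpolicy -F rules` empties it. The mirror file for a dead symmetric link would point the mail/https rule at ($ext_if1 $ext_gw1) instead. ifstated(8), as suggested in the thread, is the piece that runs the matching pfctl command when its link test (for example a periodic ping of each gateway) changes state. The `log` on `block log all` is what makes the tcpdump advice useful: `tcpdump -n -e -ttt -i pflog0` shows the interface and rule number a dropped packet hit, which is the quickest way to see a flow leaving the wrong link.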
Re: carp / routing question (multiple lines)
Hello,

I totally agree, that's why I wrote to the mailing list and not copied the example ;-) It's not the first time I'm working with pf, but the first time with two external connections. Thanks for the link, I missed that because of the topic (I'm not looking for load balancing). But I didn't find out how to set this up correctly:

- normally the chosen link is rule (pf) based
- the other line should be used if one is down (how to do that with pf?)
- how must I read the route-to / reply-to syntax? for example:

  pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
  pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Till now I wasn't able to get into that, still looking for the click-aha-effect ;-)

Thanks for your help.

Regards
Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stuart Henderson
Sent: Thursday, 26 June 2008 01:47
To: misc@openbsd.org
Subject: Re: carp / routing question (multiple lines)

> On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:
>
> > I hope I can avoid trial and error this way ;-)
> >
> > I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and for mail and http(s) if the dsl line is not available.
> >
> > I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax.
>
> Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an introduction, the syntax of route-to and reply-to is given in the BNF section at the bottom of pf.conf(5) - everyone writing PF configuration files should learn how to read this section. Everyone copying-and-pasting PF configs from samples really should too...
>
> You should also get acquainted with running tcpdump on different interfaces, including pflog0 (with the relevant log in PF rules), it's very useful when you need to debug PF and in particular any complicated NAT/route-to configuration.
>
> > Does someone have a link for me on how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used.
>
> You set the source address of outgoing packets with NAT rules. You direct packets out the relevant interface with route-to. And you direct return packets for an *incoming* connection with reply-to.
>
> Forget metrics/route priority for now, that won't help you direct packets out of one or other connection based on port number, you need PF rules to classify traffic if you want that.
>
> > I think my biggest problem is carp, because I don't know how to set up pf correctly with carp in use. As you know pf uses the physical interface, not the virtual interface, so I think I have to define the source ip, too?
>
> Where you have to define an interface, use the physical interface (vlan/trunk count as physical interface for this purpose). Where you have to specify an address, use whichever is correct for what you're trying to do, carp/physical/both.