my PF ICMP Issues

2014-01-21 Thread keith
I have two Firewalls running OBSD 5.4 x64 that are both live and working 
fine except that they are unable to ping each other's IP address or the 
gateway address while PF is enabled. If I quickly disable PF on the 
FW-D=Backup then I am able to ping everything from that machine. I've 
gone over everything I can think of but haven't been able to figure this 
out, so I thought I'd ask here.



FW-C = 192.168.xx.67 255.255.252.0 = Carp Master
FW-D = 192.168.xx.65 255.255.252.0 = Carp Backup

carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:03
description: Carp 1 - Outside Iface
priority: 0
carp: BACKUP carpdev vlanxx vhid 3 advbase 1 advskew 10
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:103%carp1 prefixlen 64 scopeid 0xa
inet 192.168.xx.62 netmask 0xfc00 broadcast 192.168.23.255
inet 192.168.xx.63 netmask 0xfc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.64 netmask 0xfc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.66 netmask 0xfc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.70 netmask 0xfc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.52 netmask 0xfc00 broadcast 192.168.23.255 = alias

Gateway = 192.168.xx.1

FW-C is active, so I can't disable PF on this server.

Neither FW-C nor FW-D can ping the gateway when PF is enabled... If I 
disable PF on FW-D then I can ping the gateway from FW-D.


Neither FW-C nor FW-D can ping each other's main IP (.67 or .65). If I 
disable PF on FW-D then I can ping .65 & .67 from FW-D !!!


Neither firewall can ping the main carp IP .62 but both can ping all the aliases, 
unless PF is disabled, and then it is pingable.


There are other machines on the 192.168.xx.x network and they can ping 
all the IPs that FW-C & D have, all the time...



Both firewalls have three NICs: one is dedicated for pfsync, the other 
two are trunked and then there are two vlans on top of the trunk.


I stripped the pf.conf file down to as little as possible on the 
backup firewall this afternoon, figuring that it must be the PF file that 
was wrong, but I couldn't get it so that ping was replying. I've run 
tcpdump on all the interfaces and have checked pflog0 for blocked 
packets, to no avail :(


If I am on FW-C and run ping 192.168.xx.65 then all I see on FW-D is the 
echo request over and over again.


tcpdump -n -e -ttt -i vlan40
Jan 22 00:31:49.334032 00:0a:f7:3a:44:c4 00:0a:f7:3a:45:0c 0800 98: 
192.168.xx.67 > 192.168.xx.65: icmp: echo request



If anyone can help then it would really be appreciated.

Thanks
Keith.
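As an added example (not Keith's pf.conf, which is not in the thread, and not an OpenBSD project file): a minimal OpenBSD 5.4 pf.conf for a CARP pair like the one described, passing CARP on the outside VLAN and ICMP echo between the two firewalls, the gateway and the CARP addresses, with every drop logged so that pflog0 actually shows it. The pfsync interface name and the third octet of the addresses (masked as "xx" in the post) are assumptions.

```conf
# Added example: a minimal OpenBSD 5.4 pf.conf for a CARP pair. This is not
# Keith's pf.conf (it was never posted) and not an OpenBSD project file.
# Assumptions: the pfsync NIC is em2, and the third octet of the addresses,
# masked as "xx" in the post, is written as 0 here.

ext_if  = "vlan40"            # carpdev of carp1, the outside VLAN from the post
sync_if = "em2"               # assumed name of the dedicated pfsync NIC
lan     = "192.168.0.0/22"    # 255.255.252.0 from the post, placeholder octet

# pfsync between the two boxes never goes through the rule set.
set skip on { lo0 $sync_if }

# Default deny, and log it: a plain "block all" with no "log" leaves pflog0
# empty, so an empty pflog0 does not prove that PF is not dropping the pings.
block log all

# CARP advertisements (IP protocol 112) travel on the carpdev, vlan40.
pass quick on $ext_if proto carp

# ICMP echo to and from this firewall, on any interface. The matching rule
# creates state, and the echo reply in the other direction is matched by
# that state, so no separate "echorep" rule is needed.
pass in  quick inet proto icmp from $lan icmp-type echoreq
pass out quick inet proto icmp to $lan icmp-type echoreq
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While pinging, `tcpdump -n -e -ttt -i pflog0` prints the rule number, direction and interface for each logged drop, which shows whether a rule is keyed to the wrong interface (a packet to the firewall's own .65/.67 address is seen on vlan40, not on carp1), and `pfctl -ss` confirms that an icmp state exists on the box that sent the ping.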



Re: my PF ICMP Issues

2014-01-21 Thread Christopher Ahrens

keith wrote:

> I have two Firewalls running OBSD 5.4 x64 that are both live and working
> fine except that they are unable to ping each other's IP address or the
> gateway address while PF is enabled. If I quickly disable PF on the
> FW-D=Backup then I am able to ping everything from that machine. I've
> gone over everything I can think of but haven't been able to figure this
> out, so I thought I'd ask here.
>
>
> FW-C = 192.168.xx.67 255.255.252.0 = Carp Master
> FW-D = 192.168.xx.65 255.255.252.0 = Carp Backup
>
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:00:5e:00:01:03
> description: Carp 1 - Outside Iface
> priority: 0
> carp: BACKUP carpdev vlanxx vhid 3 advbase 1 advskew 10
> groups: carp
> status: backup
> inet6 fe80::200:5eff:fe00:103%carp1 prefixlen 64 scopeid 0xa
> inet 192.168.xx.62 netmask 0xfc00 broadcast 192.168.23.255
> inet 192.168.xx.63 netmask 0xfc00 broadcast 192.168.23.255 = alias
> inet 192.168.xx.64 netmask 0xfc00 broadcast 192.168.23.255 = alias
> inet 192.168.xx.66 netmask 0xfc00 broadcast 192.168.23.255 = alias
> inet 192.168.xx.70 netmask 0xfc00 broadcast 192.168.23.255 = alias
> inet 192.168.xx.52 netmask 0xfc00 broadcast 192.168.23.255 = alias
>
> Gateway = 192.168.xx.1
>
> FW-C is active, so I can't disable PF on this server.
>
> Neither FW-C nor FW-D can ping the gateway when PF is enabled... If I
> disable PF on FW-D then I can ping the gateway from FW-D.
>
> Neither FW-C nor FW-D can ping each other's main IP (.67 or .65). If I
> disable PF on FW-D then I can ping .65 & .67 from FW-D !!!
>
> Neither firewall can ping the main carp IP .62 but both can ping all the aliases,
> unless PF is disabled, and then it is pingable.
>
> There are other machines on the 192.168.xx.x network and they can ping
> all the IPs that FW-C & D have, all the time...
>
>
> Both firewalls have three NICs: one is dedicated for pfsync, the other
> two are trunked and then there are two vlans on top of the trunk.
>
> I stripped the pf.conf file down to as little as possible on the
> backup firewall this afternoon, figuring that it must be the PF file that
> was wrong, but I couldn't get it so that ping was replying. I've run
> tcpdump on all the interfaces and have checked pflog0 for blocked
> packets, to no avail :(
>
> If I am on FW-C and run ping 192.168.xx.65 then all I see on FW-D is the
> echo request over and over again.
>
> tcpdump -n -e -ttt -i vlan40
> Jan 22 00:31:49.334032 00:0a:f7:3a:44:c4 00:0a:f7:3a:45:0c 0800 98:
> 192.168.xx.67 > 192.168.xx.65: icmp: echo request
>
>
> If anyone can help then it would really be appreciated.
>
> Thanks
> Keith.





Please post your pf.conf file, otherwise we can't help you.