relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
Hi misc,


I have 2 OpenBSD 5.1 64bit boxes. I want to set up relayd for lan servers
with carp and pfsync for LAN USERS.

What I want to achieve is that LAN USERS connect to the carp1 ip address ( lan
shared ip - 192.168.0.100 ). Then, relayd will redirect that traffic to 2
lan servers running the services http, smtp and pop. If one server goes down,
relayd will remove it from the table.


*This is What I did. *

let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2


fw1

em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.67 ( for pfsync )

fw2

em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.68 ( for pfsync )


LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )



net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2



Configure fw1:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1


! configure pfsync
# ifconfig em1 192.168.9.67 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 192.168.0.100 netmask 255.255.255.0



Configure fw2:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1

! configure pfsync
# ifconfig em1 192.168.9.68 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 advskew 128 192.168.0.100 netmask 255.255.255.0



*/etc/pf.conf * looks like this on both nodes ( fw1 and fw2 )


# cat
/etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# First (non-working) ruleset, identical on both CARP nodes fw1 and fw2:
# a pfsync link on em1, CARP on em0/em1 and a catch-all pass rule.  The
# relayd(8) anchor is still commented out here (see the note below).

# Macros.  ext_if and pfsync_if are defined but no rule below refers to
# them (em0/em1 are written out literally); servers duplicates the table
# kept in relayd.conf and is likewise unused in this ruleset.
ext_if=em0
pfsync_if=em1

servers = { 192.168.0.66, 192.168.0.67 }

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor ftp-proxy/*
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
# NOTE(review): relayd "redirect" services work by loading rdr rules into
# this anchor.  While the anchor line is commented out pf never evaluates
# those rules, so traffic to the CARP address is not sent to the backends.
# The later, working version of this file enables the anchor.
#anchor relayd/*

# pfsync carries the state table in cleartext with no authentication, so it
# is kept on the dedicated em1 link; (no-sync) keeps the state created by
# this rule itself out of the synchronised table.
pass quick on { em1 } proto pfsync keep state (no-sync)
# CARP advertisements on the LAN side and on the sync link.
pass on { em0 em1 } proto carp keep state

##END

# NOTE(review): an unqualified "pass" matches every packet on every
# interface in both directions, so nothing in this ruleset actually
# restricts traffic; "log" additionally records each new state on pflog0.
# Acceptable for a lab, but on a real perimeter scope this by interface,
# protocol and port.  pass rules are stateful by default in modern pf, so
# "keep state" is implied rather than required here.
pass log# to establish keep-state

# rules for spamd(8)
#table spamd-white persist
#table nospamd persist file /etc/mail/nospamd
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from nospamd to any port smtp
#pass in log on egress proto tcp from spamd-white to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

*
/etc/relayd.conf* is like this on both nodes ( fw1 and fw2 )



# cat
/etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#
# First (non-working) relayd.conf, identical on fw1 and fw2: three
# "redirect" services on the CARP address.  In redirect mode relayd only
# keeps the backend table healthy and programs pf rdr rules into the
# relayd anchor, so pf.conf must carry "anchor relayd/*" for any of this
# to take effect.
#
# NOTE(review): relayd.conf(5) writes table names in angle brackets
# ("table <servers>", "forward to <servers>"); they look to have been
# stripped from this listing by the mail rendering -- TODO confirm against
# the real file before copying.

# carp1 shared LAN address that clients connect to.
ext_addr=192.168.0.100
# Backend servers; both must answer on 80, 25 and 110.
webhost1=192.168.0.66
webhost2=192.168.0.67

table servers { $webhost1 $webhost2 }

# NOTE(review): "check tcp" only verifies that a TCP connect succeeds; a
# backend that accepts connections but serves errors stays in the table.
# For the web service "check http" with an expected response code is the
# stronger test.  The commented "mode loadbalance" variant hashes the
# connection addresses so a client sticks to one backend; "roundrobin"
# simply cycles through the active backends.
redirect www {
  listen on $ext_addr port 80
  #forward to servers port 80 mode loadbalance check tcp
  forward to servers port 80 mode roundrobin check tcp
}

redirect smtp {
  listen on $ext_addr port 25
  #forward to servers port 25 mode loadbalance check tcp
  forward to servers port 25 mode roundrobin check tcp
}

# pop3 backend not configured yet per the author; the service is defined
# anyway and will show the table as down until it is.
redirect pop {
  listen on $ext_addr port 110
  #forward to servers port 110 mode loadbalance check tcp
  forward to servers port 110 mode roundrobin check tcp
}



then I issued the 2 commands below on both nodes (fw1 and fw2 )


# pfctl -f /etc/pf.conf


# relayd


then, from a lan PC ( actually my fedora 12 desktop ), I executed the 2
commands below


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25


*Both worked in a round-robin manner, as I expected. *


then, I added these on both nodes ( fw1 and fw2 )


/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd

/etc/hostname.pfsync0
up syncdev em1




Then, I rebooted both hosts (first fw1 and then fw2 )


Then, I ran the telnet command again against the carp1 ip address ( 192.168.0.100 ) in the
following way,


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25



It does NOT work.

Could you pls let me know why?



since fw2 is the backup, I think /etc/hostname.carp1 should be different ( with
advskew 128 ), in the following way?



/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd advskew 128


*relayctl show summary*   gives the following on both nodes ( Pls note that
port *pop3 is NOT yet configured* )


# relayctl show
summary

Id  TypeNameAvlblty Status
1   redirectwww active
1   table   servers:80  active (2

Re: relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
Hi ALL,

I got it working myself after changing the pf.conf and relayd.conf files


here are the new working ones

*
in /etc/pf.conf file* *( on both nodes - fw1 and fw2 )*

# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Working ruleset, identical on both CARP nodes fw1 and fw2.  Compared with
# the first attempt the relayd anchor is enabled and the pfsync/carp rules
# are written without explicit state options.
#
# NOTE(review): the stray '*' characters in this listing (before "anchor",
# after "carp" and around "pass log") are e-mail bold markers, not pf
# syntax; drop them before loading the file with pfctl.

# Macros.  ext_if and pfsync_if are defined but no rule below refers to
# them (em0/em1 are written out literally); servers duplicates the table
# kept in relayd.conf and is likewise unused in this ruleset.
ext_if=em0
pfsync_if=em1

servers = { 192.168.0.66, 192.168.0.67 }

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor ftp-proxy/*
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
# Needed for relayd "redirect" services, whose rdr rules are loaded into
# this anchor.  The final relayd.conf uses "relay" instead, which proxies
# in userland and does not depend on the anchor, so enabling it is harmless
# but presumably not what made the setup work -- TODO confirm.
*anchor relayd/*

# pfsync carries the state table in cleartext with no authentication, so it
# must stay on the dedicated em1 link (never on the user-facing LAN).
pass on em1 proto pfsync
# CARP advertisements on the LAN side and on the sync link.
pass on { em0 em1 } proto carp *

##END

# NOTE(review): an unqualified "pass" matches every packet on every
# interface in both directions, so nothing in this ruleset actually
# restricts traffic; "log" additionally records each new state on pflog0.
# Acceptable for a lab, but on a real perimeter scope this by interface,
# protocol and port.
*pass log  *  # to establish keep-state

# rules for spamd(8)
#table spamd-white persist
#table nospamd persist file /etc/mail/nospamd
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from nospamd to any port smtp
#pass in log on egress proto tcp from spamd-white to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010



*in /etc/relayd.conf  file* *( on both nodes - fw1 and fw2 )*

# cat
/etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#
# Working relayd.conf, identical on fw1 and fw2.  The services are now
# "relay" rather than "redirect": relayd accepts the client TCP connection
# on the CARP address itself and opens a separate connection to a backend
# (plain TCP proxying, since no "protocol" is attached).
#
# NOTE(review): the '*' characters around "relay www"/"relay smtp" are
# e-mail bold markers, not relayd syntax.  relayd.conf(5) also writes
# table names in angle brackets ("table <servers>", "forward to
# <servers>"); they look to have been stripped by the mail rendering --
# TODO confirm against the real file before copying.
#
# NOTE(review): trade-off versus "redirect" worth knowing in a CARP/pfsync
# pair: a relayed session's state lives in the relayd process, not in pf,
# so pfsync cannot carry it to the other node and established sessions
# are lost on failover (with "redirect" the rdr state is in pf and is
# synchronised).  Backends also see the firewall's address, not the
# client's, unless transparent forwarding is configured -- check
# relayd.conf(5) for what this release supports.

# carp1 shared LAN address that clients connect to.
ext_addr=192.168.0.100
# Backend servers; both must answer on 80 and 25.
webhost1=192.168.0.66
webhost2=192.168.0.67
# Unused macro left over from the pf.conf template.
#ext_if=em0

table servers { $webhost1 $webhost2 }

# NOTE(review): "check tcp" only verifies that a TCP connect succeeds; a
# backend that accepts connections but serves errors stays in the table.
# For the web service "check http" with an expected response code is the
# stronger test.
*relay www* {
  listen on $ext_addr port 80
  #forward to servers port 80 mode loadbalance check tcp
  forward to servers port 80 mode roundrobin check tcp
}

*relay smtp* {
  listen on $ext_addr port 25
  #forward to servers port 25 mode loadbalance check tcp
  forward to servers port 25 mode roundrobin check tcp
}



anyway, I had to add the lines below to the /etc/rc.local files

/etc/rc.local  (*on fw1*)


# cat
/etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
#
# rc.local on fw1 (the CARP master): brings up the pfsync link and the
# carp1 address by hand, then starts relayd.
#
# NOTE(review): the leading/trailing '*' characters in this listing are
# e-mail bold markers, not shell; as written "*ifconfig" would be a glob.
# Drop them before copying.

#configure pfsync
# NOTE(review): this repeats what /etc/hostname.pfsync0 ("up syncdev em1")
# and the em1 address already do at boot via netstart(8), as shown earlier
# in the thread.  Keeping interface setup in hostname.if(5) files only
# avoids the two copies drifting apart.
*ifconfig em1 192.168.9.67 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up*

#configure CARP on the LAN side
# NOTE(review): the CARP password is embedded here in clear.  rc.local is
# typically world-readable, whereas hostname.if(5) files are expected to be
# root-only, so the /etc/hostname.carp1 shown earlier in the thread is the
# better place for it; pick a random value rather than a dictionary word,
# since it is what authenticates CARP advertisements on the LAN.
# net.inet.carp.preempt=1 was set with "sysctl -w" earlier in the thread,
# which does not survive a reboot -- persist it in /etc/sysctl.conf next
# to net.inet.ip.forwarding.
*ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 192.168.0.100 netmask 255.255.255.0*

#Starting relayd
# NOTE(review): on this release the rc.d(8) framework can manage relayd
# (relayd_flags in /etc/rc.conf.local, /etc/rc.d/relayd start|stop); that
# keeps start/stop/status handling consistent instead of a bare command
# here.  Whether rc.local is needed at all is questioned in the reply.
*relayd *
*

*/etc/rc.local  (*on fw2) *


# cat
/etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
#
# rc.local on fw2 (the CARP backup): same as fw1 apart from the em1
# address and "advskew 128" on carp1.
#
# NOTE(review): the leading/trailing '*' characters in this listing are
# e-mail bold markers, not shell; as written "*ifconfig" would be a glob.
# Drop them before copying.

#configure pfsync
# NOTE(review): duplicates /etc/hostname.pfsync0 ("up syncdev em1") and the
# em1 address that netstart(8) already applies at boot; prefer keeping
# interface setup in hostname.if(5) files only.
*ifconfig em1 192.168.9.68 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up*

#configure CARP on the LAN side
# advskew 128 makes this node less preferred than fw1 (skew 0), i.e. the
# backup, matching the author's intent stated earlier in the thread.
# NOTE(review): the CARP password is embedded here in clear; rc.local is
# typically world-readable whereas hostname.if(5) files are expected to be
# root-only, so /etc/hostname.carp1 is the better home for it, with a
# random value rather than a dictionary word.  net.inet.carp.preempt=1 was
# set with "sysctl -w" only and should be persisted in /etc/sysctl.conf.
*ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 advskew 128 192.168.0.100 netmask 255.255.255.0*

#Starting relayd
# NOTE(review): rc.d(8) can manage relayd on this release (relayd_flags in
# /etc/rc.conf.local, /etc/rc.d/relayd start|stop) instead of a bare
# command here.
*relayd *


That's it.


Pls NOTE that, in the /etc/relayd.conf file, I had to use *relay www* instead
of *redirect www* and *relay smtp* instead of *redirect smtp*


also, in the /etc/pf.conf file, instead of the lines below,

# anchor for relayd(8)
*#anchor relayd/*

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state*


I added the lines below


# anchor for relayd(8)
*anchor relayd/*

pass on em1 proto pfsync
pass on { em0 em1 } proto carp *


Now my setup works.





On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya
induni...@gmail.com wrote:

 Hi misc,


 I have 2 OpenBSD 5.1 64bit boxes. I want to setup relayd for lan servers
 with carp and pfsync for LAN USERS.

 What I want to achieve is that LAN USERS connect to carp1 ip address ( lan
 shared ip - 192.168.0.100  ). then, relayd will redirect that traffic to 2
 lan servers running services http, smtp and pop. If one server goes down,
 relayd will remove it from the table.


 *This is What I did. *

 let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2


 fw1

 em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )

 em1 - 192.168.9.67 ( for pfsync )

 fw2

 em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )

 em1 - 192.168.9.68 ( for pfsync )


 LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )



 net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2



 Configure fw1:

 ! enable preemption and group interface failover
 # sysctl -w net.inet.carp.preempt=1


 ! configure pfsync
 # ifconfig em1 192.168.9.67 netmask 255.255.255.0
 # ifconfig pfsync0 syncdev em1
 # ifconfig pfsync0 up

 ! 

Re: relayd for lan servers with carp and pfsync

2012-08-16 Thread Rafal Bisingier
Serwus

W czwartek, 16 sie 2012 o 16:18 CEST
Indunil Jayasooriya induni...@gmail.com napisał(a):

 I myself got it working after changing pf.conf file and relayd.conf files

You've changed redirect to relay in relayd.conf. I suppose this is the
real solution (it changes the way relayd handles connections to the
backends). All the rest of your changes (especially the ones in
rc.local) are probably irrelevant...


 here are the new working ones
 
 *
 in /etc/pf.conf file* *( on both nodes - fw1 and fw2 )*
 
 # cat /etc/pf.conf
 
 #   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
 
 ext_if=em0
 pfsync_if=em1
 
 servers = { 192.168.0.66, 192.168.0.67 }
 
 set skip on lo
 
 # filter rules and anchor for ftp-proxy(8)
 #anchor ftp-proxy/*
 #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
 
 # anchor for relayd(8)
 *anchor relayd/*
 
 pass on em1 proto pfsync
 pass on { em0 em1 } proto carp *
 
 ##END
 
 *pass log  *  # to establish keep-state
 
 # rules for spamd(8)
 #table spamd-white persist
 #table nospamd persist file /etc/mail/nospamd
 #pass in on egress proto tcp from any to any port smtp \
 #rdr-to 127.0.0.1 port spamd
 #pass in on egress proto tcp from nospamd to any port smtp
 #pass in log on egress proto tcp from spamd-white to any port smtp
 #pass out log on egress proto tcp to any port smtp
 
 
 #block in quick from urpf-failed to any # use with care
 
 # By default, do not permit remote connections to X11
 #block in on ! lo0 proto tcp to port 6000:6010
 
 
 
 *in /etc/relayd.conf  file* *( on both nodes - fw1 and fw2 )*
 
 # cat
 /etc/relayd.conf
 
 # $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
 #
 # Macros
 #
 
 ext_addr=192.168.0.100
 webhost1=192.168.0.66
 webhost2=192.168.0.67
 #ext_if=em0
 
 table servers { $webhost1 $webhost2 }
 
 *relay www* {
   listen on $ext_addr port 80
   #forward to servers port 80 mode loadbalance check tcp
   forward to servers port 80 mode roundrobin check tcp
 }
 
 *relay smtp* {
   listen on $ext_addr port 25
   #forward to servers port 25 mode loadbalance check tcp
   forward to servers port 25 mode roundrobin check tcp
 }
 
 
 
 anyway, I had to add below lines in /etc/rc.local files
 
 /etc/rc.local  (*on fw1*)
 
 
 # cat
 /etc/rc.local
 
 #   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
 
 # Site-specific startup actions, daemons, and other things which
 # can be done AFTER your system goes into securemode.  For actions
 # which should be done BEFORE your system has gone into securemode
 # please see /etc/rc.securelevel.
 
 #configure pfsync
 *ifconfig em1 192.168.9.67 netmask 255.255.255.0
 ifconfig pfsync0 syncdev em1
 ifconfig pfsync0 up*
 
 #configure CARP on the LAN side
 *ifconfig carp1 create
 ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
  192.168.0.100 netmask 255.255.255.0*
 
 #Staring relayd
 *relayd *
 *
 
 */etc/rc.local  (*on fw2) *
 
 
 # cat
 /etc/rc.local
 
 #   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
 
 # Site-specific startup actions, daemons, and other things which
 # can be done AFTER your system goes into securemode.  For actions
 # which should be done BEFORE your system has gone into securemode
 # please see /etc/rc.securelevel.
 
 #configure pfsync
 *ifconfig em1 192.168.9.68 netmask 255.255.255.0
 ifconfig pfsync0 syncdev em1
 ifconfig pfsync0 up*
 
 #configure CARP on the LAN side
 *ifconfig carp1 create
 ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
  advskew 128 192.168.0.100 netmask 255.255.255.0*
 
 #Staring relayd
 *relayd *
 
 
 That's it.
 
 
 Pls NOTE that , in /etc/relayd.conf file, I had to add *relay *www* *instead
 of *redirect* www and *relay *smtp instead* *of *redirect* smtp
 
 
 also in /etc/pf.conf file , instead of the below lines,
 
 # anchor for relayd(8)
 *#anchor relayd/*
 
 pass quick on { em1 } proto pfsync keep state (no-sync)
 pass on { em0 em1 } proto carp keep state*
 
 
 I added below lines
 
 
 # anchor for relayd(8)
 *anchor relayd/*
 
 pass on em1 proto pfsync
 pass on { em0 em1 } proto carp *
 
 
 Now. my setup works
 
 
 
 
 
 On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya
 induni...@gmail.comwrote:
 
  Hi misc,
 
 
  I have 2 OpenBSD 5.1 64bit boxes. I want to setup relayd for lan servers
  with carp and pfsync for LAN USERS.
 
  What I want to achieve is that LAN USERS connect to carp1 ip address ( lan
  shared ip - 192.168.0.100  ). then, relayd will redirect that traffic to 2
  lan servers running services http, smtp and pop. If one server goes down,
  relayd will remove it from the table.
 
 
  *This is What I did. *
 
  let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2
 
 
  fw1
 
  em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )
 
  em1 -