On Tue, Mar 13, 2012 at 11:15 AM, Paquitiu <sirr...@arrakis.es> wrote:
> Hi.
> The issue is simple, I can't match the outgoing traffic to carp ip address.
> When I go to some "show myip" web, it always appears the physical one.
> Never the carp one.
>
> As my ISP provider gives us 4 ips, I use two (one for each nic of the firewalls
> connected to internet) for physical interfaces and the other two for the carp
> interfaces.
>
>
>                              Internet
>                                 |
>         +--------------------/   \------------------+
>         |          carp13(em0) = 81.92.37.13         |
>         |          carp12(em0) = 81.92.37.12         |
>         |                                            |
>   81.92.37.10 bge0                              bge0 81.92.37.11
>         |                                            |
>     +-------+ 10.0.0.2                       +-------+
>     |  fw0  |- re0 ---- CARP Pfsync ---- re0 -|  fw1  |
>     +-------+ 10.0.0.1                       +-------+
>         |                                            |
>   192.168.28.1 bge1                             bge1 192.169.28.2
>         |                                            |
>         |          carp28(em1) = 192.168.28.11       |
>         +--------------------\   /------------------+
>                                 |
>                            Internal LAN
>                           (192.168.28/24)
>
>
> Config files(from one of the two firewalls):
>
> hostname.bge0
> inet 81.92.37.10 255.255.255.248 NONE
>
> hostname.bge1
> inet 192.168.28.1 255.255.255.0 NONE
>
> hostname.carp12
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 120:0,121:100 pass PaSSWord12
>
> hostname.carp13
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 130:100,131:0 pass PaSSWord13
>
> hostname.carp28
> inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes
> 28:0,29:100 pass PaSSWord28
>
> hostname.re0
> inet 10.0.0.1 255.255.255.0 NONE
>
> hostname.pfsync0
> up syncdev re0
>
> sysctl.conf
> net.inet.ip.forwarding=1      # 1=Permit forwarding (routing) of IPv4 packets
> net.inet.icmp.rediraccept=1   # 1=Accept ICMP redirects
> net.inet.carp.preempt=1       # 1=Enable carp(4) preemption
> net.inet.carp.log=3           # log level of carp(4) info, default 2
> net.inet.carp.allow=1
> net.inet.carp.arpbalance=0
>
> pf.conf
> priv_nets= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8}"
> set block-policy drop
> set skip on lo
>
> #Nat outgoing connections
> match out on $ext_IF inet from !$ext_IF to any nat-to $ext_IF
>
> #This does not work: match out on $ext_IF inet from !$ext_IF to any nat-to carp12
>
> #Filter rules
> block log all
> block in quick from urpf-failed #spoofed address protection
>
> #packet normalization
> match in all scrub (no-df)
>
> pass quick log on re0 inet proto pfsync keep state (no-sync)
> pass in quick log on $ext_IF proto carp from carp12 to 224.0.0.18 keep state
> pass in quick log on $ext_IF proto carp from carp13 to 224.0.0.18 keep state
> pass in quick log on $int_IF proto carp from carp28 to 224.0.0.18 keep state
> pass on { $int_IF , $ext_IF } proto carp keep state (no-sync)
>
> block in quick on $ext_IF from $priv_nets to any
> block out quick on $ext_IF from any to $priv_nets
> block quick inet6
>
Don't try and use the carp interface as the target of nat-to, just the IP
address of the carp interface. eg

match out on $ext_IF inet from !$ext_IF to any nat-to 81.92.37.12

Give that a try and see if it works.
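Added example (not from either message in the thread): the outbound NAT stanza of the poster's pf.conf rewritten along the lines of the reply, with the failing interface-name form kept as a comment beside the working address form. The macro values for `ext_IF` and `int_IF` are assumptions based on the quoted hostname.bge0 and hostname.bge1 (the poster never shows them), and `carp_ext_ip` is an added macro holding the address from the quoted hostname.carp12 so the literal is written once.

```pf
# Assumed macro values: the poster's pf.conf uses $ext_IF and $int_IF but
# does not define them; bge0/bge1 match the quoted hostname.* files.
ext_IF = "bge0"
int_IF = "bge1"

# Added macro (assumption): the address configured on carp12 in the
# quoted hostname.carp12. Keeping it in a macro avoids repeating the
# literal in every rule that refers to the shared address.
carp_ext_ip = "81.92.37.12"

# Form from the quoted pf.conf that the poster reports does not work:
# an interface name as the nat-to target.
# match out on $ext_IF inet from !$ext_IF to any nat-to carp12

# Form suggested in the reply: nat-to the carp address itself, so
# outbound connections leave with the shared address as their source.
match out on $ext_IF inet from !$ext_IF to any nat-to $carp_ext_ip
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after `pfctl -f /etc/pf.conf`, `pfctl -ss` lists active states with the translated source address followed by the original address in parentheses, which is the quickest way to confirm that new outbound connections are being rewritten to the carp address rather than the physical one.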