Hi misc,
I have 2 OpenBSD 5.1 64-bit boxes. I want to set up relayd for LAN servers with CARP and pfsync for LAN USERS. What I want to achieve is that LAN USERS connect to the carp1 IP address (LAN shared IP - 192.168.0.100). Then relayd will redirect that traffic to 2 LAN servers running the services http, smtp and pop. If one server goes down, relayd will remove it from the table.

*This is what I did.*

Let's assume the 2 OpenBSD 5.1 64-bit boxes are fw1 and fw2.

fw1
  em0 - 192.168.0.10 (and carp1 - LAN shared IP - 192.168.0.100)
  em1 - 192.168.9.67 (for pfsync)

fw2
  em0 - 192.168.0.11 (and carp1 - LAN shared IP - 192.168.0.100)
  em1 - 192.168.9.68 (for pfsync)

LAN shared IP: 192.168.0.100 (carp1 IP address on both nodes fw1 and fw2)

net.inet.ip.forwarding=1 in /etc/sysctl.conf on both fw1 and fw2

Configure fw1:

  ! enable preemption and group interface failover
  # sysctl -w net.inet.carp.preempt=1

  ! configure pfsync
  # ifconfig em1 192.168.9.67 netmask 255.255.255.0
  # ifconfig pfsync0 syncdev em1
  # ifconfig pfsync0 up

  ! configure CARP on the LAN side
  # ifconfig carp1 create
  # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
        192.168.0.100 netmask 255.255.255.0

Configure fw2:

  ! enable preemption and group interface failover
  # sysctl -w net.inet.carp.preempt=1

  ! configure pfsync
  # ifconfig em1 192.168.9.68 netmask 255.255.255.0
  # ifconfig pfsync0 syncdev em1
  # ifconfig pfsync0 up

  ! configure CARP on the LAN side
  # ifconfig carp1 create
  # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
        advskew 128 192.168.0.100 netmask 255.255.255.0

*/etc/pf.conf* looks like this on both nodes (fw1 and fw2):

  # cat /etc/pf.conf
  #       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
  #
  # See pf.conf(5) for syntax and examples.
  # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
  # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

  ext_if="em0"
  pfsync_if="em1"
  servers = "{ 192.168.0.66, 192.168.0.67 }"

  set skip on lo

  # filter rules and anchor for ftp-proxy(8)
  #anchor "ftp-proxy/*"
  #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

  # anchor for relayd(8)
  #anchor "relayd/*"

  pass quick on { em1 } proto pfsync keep state (no-sync)
  pass on { em0 em1 } proto carp keep state
  ##END

  pass log         # to establish keep-state

  # rules for spamd(8)
  #table <spamd-white> persist
  #table <nospamd> persist file "/etc/mail/nospamd"
  #pass in on egress proto tcp from any to any port smtp \
  #    rdr-to 127.0.0.1 port spamd
  #pass in on egress proto tcp from <nospamd> to any port smtp
  #pass in log on egress proto tcp from <spamd-white> to any port smtp
  #pass out log on egress proto tcp to any port smtp

  #block in quick from urpf-failed to any     # use with care

  # By default, do not permit remote connections to X11
  #block in on ! lo0 proto tcp to port 6000:6010

*/etc/relayd.conf* is like this on both nodes (fw1 and fw2):

  # cat /etc/relayd.conf
  #       $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
  #
  # Macros
  #
  ext_addr="192.168.0.100"
  webhost1="192.168.0.66"
  webhost2="192.168.0.67"

  table <servers> { $webhost1 $webhost2 }

  redirect www {
          listen on $ext_addr port 80
          #forward to <servers> port 80 mode loadbalance check tcp
          forward to <servers> port 80 mode roundrobin check tcp
  }

  redirect smtp {
          listen on $ext_addr port 25
          #forward to <servers> port 25 mode loadbalance check tcp
          forward to <servers> port 25 mode roundrobin check tcp
  }

  redirect pop {
          listen on $ext_addr port 110
          #forward to <servers> port 110 mode loadbalance check tcp
          forward to <servers> port 110 mode roundrobin check tcp
  }

Then I issued the below 2 commands on both nodes (fw1 and fw2):

  # pfctl -f /etc/pf.conf
  # relayd

Then, from a LAN PC (actually my Fedora 12 desktop), I executed the below 2 commands:

  telnet 192.168.0.100 80
  telnet 192.168.0.100 25

*Both worked in round-robin manner as I expected.*

Then I added these on both nodes (fw1 and fw2):

/etc/hostname.carp1
  inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
        pass lanpasswd

/etc/hostname.pfsync0
  up syncdev em1

Then I rebooted both hosts (first fw1 and then fw2).

Then I ran the telnet command again to the carp1 IP address (192.168.0.100) in the following way:

  telnet 192.168.0.100 80
  telnet 192.168.0.100 25

It does NOT work. Could you please let me know why?

Since fw2 is backup, I think /etc/hostname.carp1 should be different (with advskew 128), in the following way?

/etc/hostname.carp1
  inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
        pass lanpasswd advskew 128

*relayctl show summary* gives this on both nodes (please note that port *pop3 is NOT yet configured*):

  # relayctl show summary
  Id      Type            Name                    Avlblty Status
  1       redirect        www                             active
  1       table           servers:80                      active (2 hosts)
  1       host            192.168.0.66            100.00% up
  2       host            192.168.0.67            100.00% up
  2       redirect        smtp                            active
  2       table           servers:25                      active (2 hosts)
  3       host            192.168.0.66            100.00% up
  4       host            192.168.0.67            100.00% up
  3       redirect        pop                             down
  3       table           servers:110                     empty
  5       host            192.168.0.66            0.00%   down
  6       host            192.168.0.67            0.00%   down

Seeking your ideas to solve this. Where have I gone wrong?

I referred to the below 2 URLs:

http://www.openbsd.org/faq/pf/carp.html#failover
http://meinit.nl/openbsd-loadbalancing-and-failover-relayd-pf-and-carp

--
Thank you
Indunil Jayasooriya
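The post shows "relayctl show summary" on both nodes but no way to tell, from a script, which node currently owns the shared address and which backends have dropped out of a table. The following health check is added example code written for this thread; it is not the poster's configuration and not part of relayd or OpenBSD. It assumes the column layout of "relayctl show summary" (as pasted above) and the "carp: MASTER ..." status line that ifconfig(8) prints for a carp interface; both sample inputs are constructed here so the script runs offline, with the summary mirroring the one in the post (including the empty pop table). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a health check for a
# relayd + CARP pair, meant to run from cron on both nodes.  It reports
# only from the node that is currently CARP MASTER, so a healthy pair
# produces exactly one report instead of two.  Parsing assumes the
# "relayctl show summary" columns and the "carp: MASTER ..." line printed
# by ifconfig(8); SAMPLE_SUMMARY and SAMPLE_IFCONFIG below are constructed
# samples (the summary copies the one in the post).

SAMPLE_SUMMARY='Id      Type            Name                    Avlblty Status
1       redirect        www                             active
1       table           servers:80                      active (2 hosts)
1       host            192.168.0.66            100.00% up
2       host            192.168.0.67            100.00% up
2       redirect        smtp                            active
2       table           servers:25                      active (2 hosts)
3       host            192.168.0.66            100.00% up
4       host            192.168.0.67            100.00% up
3       redirect        pop                             down
3       table           servers:110                     empty
5       host            192.168.0.66            0.00%   down
6       host            192.168.0.67            0.00%   down'

SAMPLE_IFCONFIG='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255'

# Print "table host" for every backend host relayd marks as down.
# A table line precedes its host lines, so remember the last table seen.
relayd_down_hosts() {
    printf '%s\n' "$1" | awk '
        $2 == "table" { tbl = $3 }
        $2 == "host" && $NF == "down" { print tbl, $3 }'
}

# Print the name of every redirect whose status is "down"
# (no backend left in its table, so clients get nothing on that port).
relayd_down_redirects() {
    printf '%s\n' "$1" | awk '$2 == "redirect" && $NF == "down" { print $3 }'
}

# Print MASTER, BACKUP or INIT from the ifconfig output of a carp interface.
carp_state() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $2; exit }'
}

# Exit 0 when every host is up, 1 when something is down, 2 when this node
# is not MASTER (nothing to report: the peer owns the shared address).
check_pair() {
    summary=$1
    ifc=$2
    state=$(carp_state "$ifc")
    if [ "$state" != "MASTER" ]; then
        return 2
    fi
    down=$(relayd_down_hosts "$summary")
    if [ -z "$down" ]; then
        echo "relayd: all backends up on CARP master"
        return 0
    fi
    echo "relayd: backends down on CARP master:"
    printf '%s\n' "$down"
    redirects=$(relayd_down_redirects "$summary")
    [ -n "$redirects" ] && echo "redirects with no live backend: $redirects"
    return 1
}

# Stand-alone run against the constructed samples.  On a real node replace
# the two arguments with "$(relayctl show summary)" and "$(ifconfig carp1)".
demo_status=0
check_pair "$SAMPLE_SUMMARY" "$SAMPLE_IFCONFIG" || demo_status=$?
echo "check_pair exit status: $demo_status"
```

Run from cron on both nodes it prints the list of dead backends from whichever node is MASTER and stays silent on the BACKUP, which is what you want when the two nodes swap roles. Two things to verify by hand before trusting its output on a setup like the one above: relayd.conf(5) requires the line anchor "relayd/*" in pf.conf for redirections to be evaluated, and hostname.if(5) files that carry a CARP password should stay readable by root only, since the password is the only thing stopping a host on the LAN from advertising itself as master.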