While trying to "transpose" a working two-stage active-passive
firewall from an enterprise network with a _fixed_ public Internet
address to a much smaller home setup that must live with a _dynamic_
public IP address assigned by the DHCP server of my ISP, I observe
that running dhclient(8) on carp(4) interface does not work as
expected:
[EMAIL PROTECTED]:root]# ifconfig carp11 carpdev fxp0 vhid 11 up
[EMAIL PROTECTED]:root]# ifconfig carp11
carp11: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0b
carp: INIT carpdev fxp0 vhid 11 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:10b%carp11 prefixlen 64 scopeid 0x8
[EMAIL PROTECTED]:root]# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:20:e0:68:fe:6c
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::220:e0ff:fe68:fe6c%fxp0 prefixlen 64 scopeid 0x1
inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
[EMAIL PROTECTED]:openvpn]# dhclient carp11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
^C
It appears that dhclient does not like the fact that carp11 is in INIT
state. Try a naive work-around and bring carp11 into MASTER state by
assigning an fixed alias IP address to it:
[EMAIL PROTECTED]:root]# ifconfig carp11 1.2.3.4 netmask 255.255.255.0 up
[EMAIL PROTECTED]:root]# ifconfig carp11
carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0b
carp: BACKUP carpdev fxp0 vhid 11 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:10b%carp11 prefixlen 64 scopeid 0x8
inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
[EMAIL PROTECTED]:root]# dhclient carp11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 1
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 16
^C
[EMAIL PROTECTED]:root]# tcpdump -i fxp0 -n port 67 or port 68
tcpdump: listening on fxp0, link-type EN10MB
12:40:57.000270 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 ether
00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:57.031501 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:58.011180 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:2
ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:58.019206 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:2
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:00.017143 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:4
ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:00.020060 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:4
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:05.027505 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:9
ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:05.036755 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:9
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:13.038056 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5
secs:17 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:13.053316 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:17
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:24.048927 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5
secs:28 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:24.057559 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:28
Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
^C
218 packets received by filter
0 packets dropped by kernel
The DHCP server (dhcpd) at 10.0.0.2 replies and assigns the dynamic
address 10.0.0.202 to the requesting client. However, dhclient on
carp11 apparently does "never get it".
Additional info:
- The firewall clusters at work and at home both run i486-current;
- The setup works fine if a fixed IP address is staically assigned to
the CARP interface;
- Searching the archives showed that others also stumbled across this
difficulty earlier.
http://archives.neohapsis.com/archives/openbsd/2005-11/2665.html
- Apparently, one solution was to write some scripts that bring
dhclient up and down whenever one of the cluster's external interfaces
goes up or down, eventually using ifstated(8). In response to
http://undeadly.org/cgi?action=article&sid=20071012140725&mode=expanded
someone offered his scripts to what seems to be exactly a solution to my problem
http://undeadly.org/cgi?action=article&sid=20071012140725&pid=2
But, so far, I was unable to locate it. Were those scripts ever published later?
Is there a specific reason why dhclient does run on CARP interface as
I exepected? Or, was it not implemented because there is niot really a
need for this? Are there simply better solutions, for example using
ifstated?
Otherwise, OpenBSD performs amazingly well in this SOHO setup which
uses two recycled old Nokia IP120 boxes (scrapped IPSO/Checkpoint FW-1
for OpenBSD) for the firewall cluster at the inner stage, and two WRAP
for the firewall cluster at the outer stage.
Thanks for any suggestions and pointers,
Rolf
