Here's my current configuration for my entire network. Two routers working as one using IP balancing and two web servers on the inside working as one using IP balancing. I'm still getting issues as to reaching the web servers from the outside. I just feel like it's gotten too complicated CARPing the systems. The server could be reached from the outside previously when I only had one router and server. The router uses carpnodes 1,2,3 and 4 while the web server used 5 and 6 if that makes any difference at all.
Here's my router pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0"                  # External Interface (169.229.158.0/24)
int_if = "xl0"                  # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50"      # Redundant Sun Servers
nameserver = "192.168.1.101"    # Dell L400 Celeron
webports = "{ http , https }"
domainport = "{ domain }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
ssh_allowed = "192.168.1.100"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat/rdr
nat on $ext_if from $localnet to any -> ($ext_if)
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
no nat on $int_if proto tcp from $int_if to $localnet
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver

# pass rules
# block in                      # Default Deny
pass out keep state
pass in inet proto icmp all icmp-type $icmp_types keep state    # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
    flags S/SA synproxy state

# CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync
pass in on $carpdevs inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
    flags S/SA synproxy state
pass in on $int_if from $ssh_allowed to self keep state (no-sync)

antispoof quick for { lo $int_if }

And here's my web server pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if="gem0"                   # External Interface (192.168.1.0/24)
tcp_services = "{ ssh, www, https }"
udp_services = "{ 123 }"
icmp_types = "echoreq"
carpdev = "{ carp0 }"
syncdev = "{ re0 }"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set skip on gem0
set block-policy return
set loginterface $ext_if
scrub in all

# pass rules
# block in
# pass out proto tcp to any port $tcp_services
# pass proto udp to any port $udp_services
# pass in inet proto icmp all icmp-type $icmp_types keep state

# CARP/pfsync pass rules
pass on $carpdev proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

antispoof quick for { lo }

Help appreciated!

Vivek

On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008/10/20 14:19, Vivek Ayer wrote:
>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>> listen on the carp interface.
>
> unlikely, unless you restricted in the "listen on..." line.
>
> $ grep ^listen /etc/ntpd.conf
> listen on *
> $ ifconfig carp83|grep -w inet
>         inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
> $ fstat|grep 195.95.187.83:123
> _ntp     ntpd       19169   16* internet dgram udp 195.95.187.83:123
>
>> Could this also be due to my current pf.conf?
>
> most likely - the suggestion I made will show you for sure
> (I think running tcpdump on pflog is the single most useful tool
> to help debug problems with a PF ruleset).
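Following the suggestion above to read pflog, here is an added example (not from either poster) that summarizes `tcpdump -n -e -ttt -i pflog0` output: it parses the "rule N/(match) action dir on ifname: src > dst" part of each line and counts blocked packets to the web ports by rule number, interface and port, so the rule dropping traffic to the web servers stands out. The log lines are constructed to approximate the pflog format; the addresses, rule numbers and timestamps are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines approximating "tcpdump -n -e -ttt -i pflog0" on
# OpenBSD. Addresses, rule numbers and the leading time deltas are assumptions,
# not data from the thread.
SAMPLE_PFLOG = """\
000000 rule 0/(match) block in on re0: 198.51.100.7.51234 > 169.229.158.10.80: S 1:1(0) win 65535
000213 rule 0/(match) block in on re0: 198.51.100.7.51235 > 169.229.158.10.443: S 1:1(0) win 65535
001047 rule 7/(match) pass in on re0: 198.51.100.9.40000 > 169.229.158.10.22: S 1:1(0) win 65535
000512 rule 0/(match) block in on re0: 203.0.113.4.3333 > 169.229.158.10.80: S 1:1(0) win 65535
000088 rule 12/(match) block in on xl0: 192.168.1.50.1024 > 192.168.1.101.53: [udp sum ok] 1+0 A? example.net.
"""

# Matches the pflog link-level header that -e prints, whatever timestamp
# format precedes it:
#   rule N/(match) <block|pass> <in|out> on <if>: <src>.<sport> > <dst>.<dport>:
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on "
    r"(?P<ifname>\S+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Yield one dict per parsable pflog line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["dport"] = int(rec["dport"])
            yield rec


def blocked_by_rule(text, ports=(80, 443)):
    """Count blocked packets to the given destination ports, keyed by
    (rule number, interface, dport). The rule numbers correspond to the
    @N numbers that `pfctl -vvsr` prints beside each loaded rule."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block" and rec["dport"] in ports:
            counts[(rec["rule"], rec["ifname"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, ifname, dport), n in sorted(blocked_by_rule(SAMPLE_PFLOG).items()):
        print(f"rule @{rule} on {ifname}: {n} blocked packet(s) to port {dport}")
```

Only rules carrying the `log` keyword write to pflog0, so a ruleset without it (like the two above) produces nothing to read until `log` is added to the block and pass rules of interest.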