Here's my current configuration for my entire network. Two routers
working as one using IP balancing and two web servers on the inside
working as one using IP balancing. I'm still having issues
reaching the web servers from the outside. I just feel like it's
gotten too complicated CARPing the systems. The server could be
reached from the outside previously when I only had one router and
server. The router uses carpnodes 1, 2, 3 and 4 while the web server
uses 5 and 6, if that makes any difference at all.

Here's my router pf.conf:
#       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0" # External Interface (169.229.158.0/24)
int_if = "xl0" # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50" # Redundant Sun Servers
nameserver = "192.168.1.101" # Dell L400 Celeron
webports = "{ http , https }"
domainport = "{ domain }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
ssh_allowed = "192.168.1.100"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat/rdr
nat on $ext_if from $localnet to any -> ($ext_if)
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
no nat on $int_if proto tcp from $int_if to $localnet
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver

# pass rules
# block in # Default Deny
pass out keep state
pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

# CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync
pass in on $carpdevs inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
   flags S/SA synproxy state

pass in on $int_if from $ssh_allowed to self keep state (no-sync)
antispoof quick for { lo $int_if }


And here's my web server pf.conf:

#       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if="gem0" # External Interface (192.168.1.0/24)
tcp_services = "{ ssh, www, https }"
udp_services = "{ 123 }"
icmp_types = "echoreq"
carpdev = "{ carp0 }"
syncdev = "{ re0 }"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set skip on gem0
set block-policy return
set loginterface $ext_if
scrub in all

# pass rules
# block in
# pass out proto tcp to any port $tcp_services
# pass proto udp to any port $udp_services
# pass in inet proto icmp all icmp-type $icmp_types keep state

# CARP/pfsync pass rules
pass on $carpdev proto carp keep state
pass quick on $ext_if proto carp \
   from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

antispoof quick for { lo }

Help appreciated!
Vivek

On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008/10/20 14:19, Vivek Ayer wrote:
>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>> listen on the carp interface.
>
> unlikely, unless you restricted it in the "listen on..." line.
>
> $ grep ^listen /etc/ntpd.conf
> listen on *
> $ ifconfig carp83|grep -w inet
>        inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
> $ fstat|grep 195.95.187.83:123
> _ntp     ntpd       19169   16* internet dgram udp 195.95.187.83:123
>
>> Could this also be due to my current pf.conf?
>
> most likely - the suggestion I made will show you for sure
> (I think running tcpdump on pflog is the single most useful tool
> to help debug problems with a PF ruleset).
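A static sanity check over the posted ruleset, added here as an example and not code from the thread or from OpenBSD: it expands the pf.conf macros, lists any rdr target that no pass rule accepts, and flags that a ruleset with "block in" commented out and no "log" keyword writes nothing to pflog0, so the tcpdump check suggested above only shows traffic once "log" is added to the rules of interest. The router pf.conf excerpt is constructed from the post; the function names are mine.

```python
import re
# Constructed excerpt of the posted router pf.conf (old rdr syntax, OpenBSD 4.x).
ROUTER_PF = r"""
ext_if = "re0"
webserver = "192.168.1.50"
nameserver = "192.168.1.101"
webports = "{ http , https }"
domainport = "{ domain }"
# block in # Default Deny
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
   flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
"""

def parse(text):
    """Join backslash continuations, drop comments, return (macros, expanded rules)."""
    text = re.sub(r"\\\n\s*", " ", text)
    expand = lambda s, m: re.sub(r"\$(\w+)", lambda x: m.get(x.group(1), x.group(0)), s)
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            macros[m.group(1)] = expand(m.group(2).strip(), macros)  # macros may nest
        else:
            rules.append(expand(line, macros))
    return macros, rules

def unreachable_rdr_targets(rules):
    """rdr targets no pass rule names as destination. With this syntax rdr rewrites
    the address before filtering, so pass rules must match the inside address."""
    passes = [r for r in rules if r.startswith("pass")]
    targets = {r.split("->", 1)[1].split()[0]
               for r in rules if r.startswith("rdr") and "->" in r}
    return sorted(t for t in targets
                  if not any(re.search(r"\bto\s+%s\b" % re.escape(t), p) for p in passes))

def pflog_is_silent(rules):
    """True when no active block rule and no 'log' keyword exist: pf then never
    hands a packet to pflog0, so tcpdump -n -e -ttt -i pflog0 stays empty."""
    return not any(r.startswith("block") or re.search(r"\blog\b", r) for r in rules)

if __name__ == "__main__":
    _, rules = parse(ROUTER_PF)
    print(unreachable_rdr_targets(rules), pflog_is_silent(rules))
```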
