On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Here's my current configuration for my entire network. Two routers
> working as one using IP balancing and two web servers on the inside
> working as one using IP balancing. I'm still getting issues as to
> reaching the web servers from the outside. I just feel like it's
> gotten too complicated CARPing the systems. The server could be
> reached from the outside previously when I only had one router and
> server. The router uses carpnodes 1,2,3 and 4 while the web server
> used 5 and 6 if that makes any difference at all.

Can you reach the system at the non-CARP address? It seems to me that
what might be happening is that you are sending SSH traffic to the CARP
interface but since you are NAT-ting, the reply packets have the source
address of the Ethernet interface (ext_if) and not the CARP interface.
This will confuse your SSH client.

>
> Here's my router pf.conf:
> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if = "re0" # External Interface (169.229.158.0/24)
> int_if = "xl0" # Internal Interface (192.168.1.0/24)
> localnet = $int_if:network
> webserver = "192.168.1.50" # Redundant Sun Servers
> nameserver = "192.168.1.101" # Dell L400 Celeron
> webports = "{ http , https }"
> domainport = "{ domain }"
> tcp_services = "{ ssh }"
> icmp_types = "echoreq"
> carpdevs = "{ carp0 , carp1 }"
> syncdev = "{ re1 }"
> ssh_allowed = "192.168.1.100"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $localnet to any -> ($ext_if)
> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
> no nat on $int_if proto tcp from $int_if to $localnet
> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>
> # pass rules
> # block in # Default Deny
> pass out keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
> flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
> flags S/SA synproxy state
>
> # CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
> from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
> flags S/SA synproxy state
> pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
> pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
> flags S/SA synproxy state
>
> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
> antispoof quick for { lo $int_if }
>
>
> And here's my web server pf.conf:
>
> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if="gem0" # External Interface (192.168.1.0/24)
> tcp_services = "{ ssh, www, https }"
> udp_services = "{ 123 }"
> icmp_types = "echoreq"
> carpdev = "{ carp0 }"
> syncdev = "{ re0 }"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set skip on gem0
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # pass rules
> # block in
> # pass out proto tcp to any port $tcp_services
> # pass proto udp to any port $udp_services
> # pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # CARP/pfsync pass rules
> pass on $carpdev proto carp keep state
> pass quick on $ext_if proto carp \
> from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
>
> antispoof quick for { lo }
>
> Help appreciated!
> Vivek
>
> On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>> On 2008/10/20 14:19, Vivek Ayer wrote:
>>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>>> listen on the carp interface.
>>
>> unlikely, unless you restricted in the "listen on..." line.
>>
>> $ grep ^listen /etc/ntpd.conf
>> listen on *
>> $ ifconfig carp83|grep -w inet
>> inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
>> $ fstat|grep 195.95.187.83:123
>> _ntp ntpd 19169 16* internet dgram udp 195.95.187.83:123
>>
>>> Could this also be due to my current pf.conf?
>>
>> most likely - the suggestion I made will show you for sure
>> (I think running tcpdump on pflog is the single most useful tool
>> to help debug problems with a PF ruleset).
>

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
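One way to act on the reply's point about translated packets leaving with the physical interface's address, as an added example that is not part of the thread and is neither Vivek's posted ruleset nor anything Felipe or Stuart wrote: anchor NAT, the inbound redirect and the router's own SSH rule on the shared CARP address instead of on re0. It reuses the macros from the posted router pf.conf and assumes that carp0 carries the shared external address (parent re0) and carp1 the shared internal gateway address (parent xl0); the post does not say which carpdev sits on which side, so that pairing is an assumption, as is the idea that this alone explains the symptom.

```pf
# Added example, not the configuration posted in the thread.
# Assumption: carp0 = shared external address (parent re0),
#             carp1 = shared internal gateway address (parent xl0).
ext_if       = "re0"
int_if       = "xl0"
ext_carp     = "carp0"
int_carp     = "carp1"
localnet     = $int_if:network
webserver    = "192.168.1.50"
webports     = "{ http, https }"
tcp_services = "{ ssh }"

# As posted: outbound translation uses re0's own address. Every state pfsync
# copies to the peer then refers to an address only this router holds, and
# the outside world sees the physical address rather than the shared one.
#nat on $ext_if from $localnet to any -> ($ext_if)

# Translate to the shared address instead. Replies from the Internet come
# back to the CARP address, which whichever router is currently master owns,
# so a synced state is still usable after a failover.
nat on $ext_if from $localnet to any -> ($ext_carp)

# Redirect only what is addressed to the shared address. "to any", as posted,
# also grabs traffic aimed at re0's own address and at anything else routed
# through this box on those ports.
rdr on $ext_if proto tcp from any to ($ext_carp) port $webports -> $webserver

# Filter on the physical interface, as the posted rules already do for
# ($ext_if), but for the shared address. Plain keep state so the SSH state
# is copied to the peer by pfsync; the rule for ($ext_if) can stay alongside
# it for management of one specific router.
pass in on $ext_if inet proto tcp from any to ($ext_carp) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`, then look at `pfctl -ss`: each state is listed with the address it was translated to, so outbound states from the inside should reference the CARP address and not re0's own. For the separate question of what pf is actually dropping, `tcpdump -n -e -ttt -i pflog0` on the router, which is what Stuart recommends above, prints every packet that hit a block rule (or a rule with `log`) together with the rule number. One further thing visible in the posted web server ruleset: `set skip on gem0` switches filtering off for gem0 entirely, so the `pass quick on $ext_if proto carp` rule written for that same interface never sees a packet.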