I can ssh from the outside into the non-CARP interface. Actually, this
is weird, but I can now ssh from the outside into the CARP address.
But as far as rdr goes in my pf.conf, I still can't reach the webserver
from the outside. I can reach the web server inside my network, but
the rdr in the router pf.conf is not directing properly to the CARP
web server address.

Another weird thing I notice. If I ssh into my web server CARP
address, it works but then in like 30 seconds kills the sshd on the
web servers. I'm not sure if this is because the CARP interface on the
router and the CARP interface on the web server are flooding the
network with so many packets since I'm also using IP balancing on both
of them. I also figured I'd simplify the pf.conf on the web server to
filter only carp traffic, so I set skip on the physical interface. Not
sure if that messes packet transfer up.

Vivek

On Tue, Nov 11, 2008 at 4:28 PM, Felipe Alfaro Solana
<[EMAIL PROTECTED]> wrote:
> On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>> Here's my current configuration for my entire network. Two routers
>> working as one using IP balancing and two web servers on the inside
>> working as one using IP balancing. I'm still getting issues as to
>> reaching the web servers from the outside. I just feel like it's
>> gotten too complicated CARPing the systems. The server could be
>> reached from the outside previously when I only had one router and
>> server. The router uses carpnodes 1,2,3 and 4 while the web server
>> used 5 and 6 if that makes any difference at all.
>
> Can you reach the system at the non-CARP address? It seems to me that
> what might be happening is that you are sending SSH traffic to the
> CARP interface but since you are NAT-ting, the reply packets have the
> source address of the Ethernet interface (ext_if) and not the CARP
> interface. This will confuse your SSH client.
>
>>
>> Here's my router pf.conf:
>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>> #
>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # macros
>> ext_if = "re0" # External Interface (169.229.158.0/24)
>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>> localnet = $int_if:network
>> webserver = "192.168.1.50" # Redundant Sun Servers
>> nameserver = "192.168.1.101" # Dell L400 Celeron
>> webports = "{ http , https }"
>> domainport = "{ domain }"
>> tcp_services = "{ ssh }"
>> icmp_types = "echoreq"
>> carpdevs = "{ carp0 , carp1 }"
>> syncdev = "{ re1 }"
>> ssh_allowed = "192.168.1.100"
>> carp_mcast = "224.0.0.18"
>>
>> # extra tweaks
>> set skip on lo
>> set block-policy return
>> set loginterface $ext_if
>> scrub in all
>>
>> # nat/rdr
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>> no nat on $int_if proto tcp from $int_if to $localnet
>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>>
>> # pass rules
>> # block in # Default Deny
>> pass out keep state
>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>> pass in quick on $int_if
>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>   flags S/SA synproxy state
>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>   flags S/SA synproxy state
>>
>> # CARP/pfsync pass rules
>> pass on $carpdevs proto carp keep state
>> pass quick on $ext_if proto carp \
>>   from $ext_if:network to $carp_mcast keep state
>> pass on $syncdev proto pfsync
>> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
>>   flags S/SA synproxy state
>> pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
>> pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
>>   flags S/SA synproxy state
>>
>> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
>> antispoof quick for { lo $int_if }
>>
>>
>> And here's my web server pf.conf:
>>
>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>> #
>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # macros
>> ext_if="gem0" # External Interface (192.168.1.0/24)
>> tcp_services = "{ ssh, www, https }"
>> udp_services = "{ 123 }"
>> icmp_types = "echoreq"
>> carpdev = "{ carp0 }"
>> syncdev = "{ re0 }"
>> carp_mcast = "224.0.0.18"
>>
>> # extra tweaks
>> set skip on lo
>> set skip on gem0
>> set block-policy return
>> set loginterface $ext_if
>> scrub in all
>>
>> # pass rules
>> # block in
>> # pass out proto tcp to any port $tcp_services
>> # pass proto udp to any port $udp_services
>> # pass in inet proto icmp all icmp-type $icmp_types keep state
>>
>> # CARP/pfsync pass rules
>> pass on $carpdev proto carp keep state
>> pass quick on $ext_if proto carp \
>>   from $ext_if:network to $carp_mcast keep state
>> pass on $syncdev proto pfsync
>>
>> antispoof quick for { lo }
>>
>> Help appreciated!
>> Vivek
>>
>> On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>>> On 2008/10/20 14:19, Vivek Ayer wrote:
>>>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>>>> listen on the carp interface.
>>>
>>> unlikely, unless you restricted in the "listen on..." line.
>>>
>>> $ grep ^listen /etc/ntpd.conf
>>> listen on *
>>> $ ifconfig carp83|grep -w inet
>>>        inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
>>> $ fstat|grep 195.95.187.83:123
>>> _ntp     ntpd       19169   16* internet dgram udp 195.95.187.83:123
>>>
>>>> Could this also be due to my current pf.conf?
>>>
>>> most likely - the suggestion I made will show you for sure
>>> (I think running tcpdump on pflog is the single most useful tool
>>> to help debug problems with a PF ruleset).
>>
>>
>
>
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/
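Felipe's point about replies leaving with the ext_if address rather than the CARP address is something a small lint over the ruleset can surface. The following is an added example, not code from the thread or from pf: it parses the macros of a constructed excerpt of the router pf.conf above, expands them, and reports nat/rdr rules whose `->` target is an interface name other than one of the carpN devices the macros define. Macro handling is deliberately simplified (plain values and lists only, no anchors or tables).

```python
import re

# Constructed excerpt of the router pf.conf posted in the thread (macros + nat/rdr only).
SAMPLE_PF_CONF = """\
ext_if = "re0" # External Interface
int_if = "xl0" # Internal Interface
localnet = $int_if:network
webserver = "192.168.1.50"
webports = "{ http , https }"
carpdevs = "{ carp0 , carp1 }"
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')
TARGET_RE = re.compile(r"\(?([A-Za-z]+\d+)\)?$")  # an interface name, optionally in ( )

def parse_macros(text):
    """Collect 'name = value' lines, stripping quotes and trailing comments."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(token, macros, depth=0):
    """Replace $name references recursively, keeping suffixes such as :network."""
    if depth > 8:  # guard against self-referencing macros
        return token
    return re.sub(r"\$(\w+)", lambda m: expand(macros[m.group(1)], macros, depth + 1)
                  if m.group(1) in macros else m.group(0), token)

def lint_translation_targets(text):
    """Return (rule keyword, interface) for each nat/rdr rule whose '->' target
    is an interface that is not one of the carpN devices named in the macros."""
    macros = parse_macros(text)
    carp_devs = set(re.findall(r"carp\d+", " ".join(macros.values())))
    findings = []
    for line in text.splitlines():
        rule = line.strip()
        if not rule.startswith(("nat ", "rdr ")) or "->" not in rule:
            continue
        target = expand(rule.split("->", 1)[1].strip(), macros)
        m = TARGET_RE.match(target)
        if carp_devs and m and m.group(1) not in carp_devs:
            findings.append((rule.split()[0], m.group(1)))
    return findings  # for the sample above: [('nat', 're0')]
```

On the sample, the rdr to 192.168.1.50 is left alone (it targets a host, not an interface) and the outbound nat is reported because it translates to re0 while carp0/carp1 exist.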
