Yay! I got ssh and http to work on the CARP interface. Thanks. However, the httpd redirect is not working just yet on the CARP interface for one of the computers. Does IP balancing mess up redirect?
When I only have one router up doing the redirect, the CARP interface works, but when I have both routers on, the CARP interface defaults to the one that doesn't apparently do redirection. I'm going to troubleshoot and turn off the one that works and turn on the computer that doesn't "redirect." Any other suggestions for troubleshooting this weird setup I have? Has anyone ever done this before, having CARP'd web servers behind CARP'd routers?

Here's my current pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0"                  # External Interface (169.229.158.0/24)
int_if = "xl0"                  # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50"      # Redundant Sun Servers
nameserver = "192.168.1.101"    # Dell L400 Celeron
webports = "{ http , https }"
domainport = "{ domain }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if

# rdr for http
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver

# rdr for domain (tcp)
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver

# rdr for domain (udp)
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver

# pass rules
block in                        # Default Deny
pass out keep state
antispoof quick for { lo }
pass in inet proto icmp all icmp-type $icmp_types keep state   # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
    flags S/SA synproxy state

# Basic CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

# Internet-Facing CARP rules
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $webports flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to (carp0) \
    port $domainport
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $domainport flags S/SA synproxy state

# LAN-Facing CARP rules
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Inside
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $webports flags S/SA synproxy state
pass in on $int_if inet proto udp from $localnet to (carp1) \
    port $domainport
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $domainport flags S/SA synproxy state

Thanks

On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Oh ok. That kind of makes sense.
>
> Thanks
>
> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]>
> wrote:
>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>> I don't think I understand. Clarify. You mean carpdev is like your
>>> physical interface..eth0, re0, etc.?
>>
>> say you have a carp configured like:
>>
>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr 00:00:5e:00:01:04
>>         carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>         groups: carp
>>         inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
>>
>> As you can see, carp0 is using em0 as its carpdev.
>> A pf rule to pass ssh to the carp address would be:
>>
>> pass in on em0 inet proto tcp to (carp0) port 22
>>
>> and NOT:
>>
>> pass in on carp0 inet proto tcp to (carp0) port 22
>>
>> HTH,
>>
>> Marco
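An added example, not part of this thread and not the poster's ruleset: a trimmed pf.conf (old nat/rdr syntax, matching the 2008 pf.conf above) for one router of a CARP'd pair that redirects web traffic to an internal server, applying Marco's point that rules go on the carpdev rather than on carp0, translating outbound NAT to the CARP address so synced states survive a failover, and listing the pfctl checks to compare on both routers. Interface names, addresses and the server IP are assumptions.

```pf
# Added example (not from the thread). Assumed layout: re0 is the external
# carpdev of carp0, xl0 the internal carpdev of carp1, re1 carries pfsync.
ext_if    = "re0"
int_if    = "xl0"
sync_if   = "re1"
ext_carp  = "carp0"            # shared public address lives here
localnet  = $int_if:network
webserver = "192.168.1.50"     # assumed internal web server
webports  = "{ http, https }"

set skip on lo
scrub in all

# Translate outbound traffic to the CARP address, not ($ext_if): pfsync
# copies the state to the backup, but the reply only reaches whichever
# router is MASTER if the translated address moves with the CARP master.
nat on $ext_if from $localnet to any -> ($ext_carp)

# Redirect web traffic addressed to the shared public address. Matching on
# ($ext_carp) instead of "any" makes `pfctl -s nat` and `pfctl -s state`
# show unambiguously that the CARP address is what got translated.
rdr on $ext_if proto tcp from any to ($ext_carp) port $webports -> $webserver

block in
pass out keep state

# CARP advertisements arrive on the physical carpdevs; pfsync on its own link.
pass on { $ext_if $int_if } proto carp keep state
pass on $sync_if proto pfsync

# Filter on the carpdev (re0); after rdr the destination is already the
# web server, so that is the address the pass rule must name.
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA keep state
pass in quick on $int_if

# Checks to run on BOTH routers and diff:
#   pfctl -nvf /etc/pf.conf               parse and expand macros, no load
#   ifconfig carp                          exactly one router should be MASTER
#   pfctl -s nat                           nat/rdr rules actually loaded
#   pfctl -s state | grep 192.168.1.50     redirected states, present on both
```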