Confirmed. If I have both routers on, the http redirection on the CARP interface doesn't work. But when I only have one on, then the redirection works just fine. Is CARP getting confused with the packets?
On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Yay! I got ssh and http to work on the CARP interface. Thanks.
>
> However, the httpd redirect is not working just yet on the CARP
> interface for one of the computers. Does IP balancing mess up
> redirect?
>
> When I only have one router up doing the redirect, the CARP interface
> works, but when I have both routers on, the CARP interface defaults to
> the one that doesn't apparently do redirection. I'm going to
> troubleshoot and turn off the one that works and turn on the computer
> that doesn't "redirect."
>
> Any other suggestions for troubleshooting this weird setup I have? Has
> anyone ever done this before having CARP'd web servers behind CARP'd
> routers?
>
> Here's my current pf.conf:
>
> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if = "re0" # External Interface (169.229.158.0/24)
> int_if = "xl0" # Internal Interface (192.168.1.0/24)
> localnet = $int_if:network
> webserver = "192.168.1.50" # Redundant Sun Servers
> nameserver = "192.168.1.101" # Dell L400 Celeron
> webports = "{ http , https }"
> domainport = "{ domain }"
> tcp_services = "{ ssh }"
> icmp_types = "echoreq"
> carpdevs = "{ carp0 , carp1 }"
> syncdev = "{ re1 }"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # nat
> nat on $ext_if from $localnet to any -> ($ext_if)
> no nat on $int_if proto tcp from $int_if to $localnet
> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>
> # rdr for http
> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>
> # rdr for domain (tcp)
> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>
> # rdr for domain (udp)
> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>
> # pass rules
> block in # Default Deny
> pass out keep state
> antispoof quick for { lo }
> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
> flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
> flags S/SA synproxy state
>
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
> from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
>
> # Internet-Facing CARP rules
> pass in on $ext_if inet proto tcp from any to (carp0) \
> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to (carp0) \
> port $webports flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to (carp0) \
> port $domainport
> pass in on $ext_if inet proto tcp from any to (carp0) \
> port $domainport flags S/SA synproxy state
>
> # LAN-Facing CARP rules
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
> port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
> port $webports flags S/SA synproxy state
> pass in on $int_if inet proto udp from $localnet to (carp1) \
> port $domainport
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
> port $domainport flags S/SA synproxy state
>
> Thanks
>
> On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>> Oh ok. That kind of makes sense.
>>
>> Thanks
>>
>> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]>
>> wrote:
>>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>>> i don't think I understand. Clarify. you mean carpdev is like your
>>>> physical interface..eth0, re0, etc.?
>>>
>>> say you have a carp configured like:
>>>
>>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>> lladdr 00:00:5e:00:01:04
>>> carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>> groups: carp
>>> inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
>>>
>>> As you can see, carp0 is using em0 as its carpdev.
>>> A pf rule to pass ssh to the carp address would be:
>>>
>>> pass in on em0 inet proto tcp to (carp0) port 22
>>>
>>> and NOT:
>>>
>>> pass in on carp0 inet proto tcp to (carp0) port 22
>>>
>>> HTH,
>>>
>>> Marco
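Marco's point, applied to the http redirect in this thread, as an added configuration example that is not part of the original messages. It assumes the names from Vivek's pf.conf (re0 as the carpdev of carp0, 192.168.1.50 as the web server) and the pre-4.7 pf.conf layout used on the page, where rdr/nat rules are evaluated before the filter rules.

```pf
# Added example (not from the thread). Macros follow Vivek's config.
ext_if    = "re0"
webserver = "192.168.1.50"
webports  = "{ http, https }"

# WRONG: carp0 is a virtual interface. Packets for the CARP address
# arrive on the carpdev (re0), so rules written "on carp0" never match.
# rdr on carp0 proto tcp from any to (carp0) port $webports -> $webserver
# pass in on carp0 inet proto tcp from any to (carp0) port $webports

# RIGHT: match on the carpdev and name the CARP address as the destination.
# "(carp0)" is looked up at runtime, so the rule follows the shared
# address to whichever router is currently MASTER. Naming (carp0) instead
# of "any" also stops the rdr from rewriting unrelated forwarded traffic.
rdr on $ext_if proto tcp from any to (carp0) port $webports -> $webserver

# rdr is applied before filtering, so the pass rule must match the
# translated destination (the web server), not (carp0).
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA keep state

# Checks to run on each router (not executed here):
#   pfctl -nf /etc/pf.conf          # parse only; catches syntax errors
#   pfctl -sn                       # show the loaded nat/rdr rules
#   pfctl -ss | grep 192.168.1.50   # states created by the redirect
```

Comparing `pfctl -ss` on both routers while one of them is MASTER shows whether the redirect state is being created on the router that actually holds the CARP address.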