Hi all, I'm having trouble with carpnodes and NATing outgoing traffic to the external CARP interface. I'm trying to get traffic leaving my LAN through the firewall to have the external carp1 address xxx.yyy.60.21 instead of the $ext_if 60.18 or 60.19, depending on which firewall CARP picked. This way, if I start a long-lived connection like an scp through the CARP firewalls, I can fail the connection over. Both firewalls are PC Engines WRAP with 3 NICs running 4.4obsd.

From my laptop, which is behind the firewalls on 10.10.10.8 with a gateway of 10.10.10.1 (carp0), if I nslookup google.com it hangs for a second before returning the result. Running 'tcpdump -i pflog0 -n -e' on each firewall I get a blocked packet at the start of every nslookup:

    rule 0/(match) block in on vr0: xxx.yyy.48.7.53 > xxx.yyy.60.21.60157:[|domain]

If I change the pf.conf and put $ext_if instead of $carp_if everything works fine, but traffic is leaving on my $ext_if instead of the $carp_if and long-lived connections won't fail over when one of the firewalls goes down. How can I change my setup to have load balancing and have my external IP be my carp1 address?

Any help would be greatly appreciated.

Thanks in advance,
Sheldon

           router
             |
      +----carp1----+
      |             |
     FW1 - pfsync - FW2
      |             |
      +----carp0----+
             |
           laptop

##########################
# Firewall 1's net setup #
##########################
hostname fw1
sysctl net.inet.carp.preempt=1
sysctl net.inet.ip.forwarding=1
ifconfig pflog0 create up
ifconfig lo0 127.0.0.1 netmask 255.0.0.0
ifconfig vr0 xxx.yyy.60.18 netmask 255.255.255.240
ifconfig vr1 10.10.10.2 netmask 255.255.255.0
ifconfig vr2 172.16.0.2 netmask 255.255.255.0
route add default xxx.yyy.60.17
ifconfig carp0 10.10.10.1 carpnodes 1:0,2:100 balancing ip-stealth
ifconfig carp1 xxx.yyy.60.21 carpnodes 3:0,4:100 balancing ip-stealth
pfctl -e -f /etc/pf.conf
ifconfig pfsync0 syncdev vr2 up

##########################
# Firewall 2's net setup #
##########################
hostname fw2
sysctl net.inet.carp.preempt=1
sysctl net.inet.ip.forwarding=1
ifconfig pflog0 create up
ifconfig lo0 127.0.0.1 netmask 255.0.0.0
ifconfig vr0 xxx.yyy.60.19 netmask 255.255.255.240
ifconfig vr1 10.10.10.3 netmask 255.255.255.0
ifconfig vr2 172.16.0.3 netmask 255.255.255.0
route add default xxx.yyy.60.17
ifconfig carp0 10.10.10.1 carpnodes 1:100,2:0 balancing ip-stealth
ifconfig carp1 xxx.yyy.60.21 carpnodes 3:100,4:0 balancing ip-stealth
pfctl -e -f /etc/pf.conf
ifconfig pfsync0 syncdev vr2 up

#################
# pf.conf rules #
#################
ext_if = vr0     # External WAN interface
int_if = vr1     # Internal LAN interface
pfs_if = vr2     # Pfsync interface
carp_if = carp1  # External CARP interface

set block-policy drop
set loginterface $ext_if
set skip on lo

scrub in

# NAT outgoing connections
nat on $ext_if inet from !$ext_if to any -> $carp_if

block log all                          # Default deny
block in quick from urpf-failed        # Spoofed address protection

pass quick on $pfs_if proto pfsync keep state (no-sync)          # Enable pfsync
pass on { $int_if, $ext_if } proto carp keep state (no-sync)     # Enable CARP

# SSH
pass in on $ext_if inet proto tcp to $ext_if port 2022 flags S/SA keep state

# ICMP
pass in inet proto icmp all
pass out inet proto icmp all

# DNS
pass in on $int_if inet proto { tcp, udp } from $int_if:network to any port 53
pass out on $ext_if inet proto { tcp, udp } from $carp_if to any port 53
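The pflog line quoted above is the one piece of evidence in the post, so a small triage script that parses such lines and labels each drop against the CARP address plan is what I would use to confirm the symptom across both firewalls. This is an added example, not code from the post; the pflog line format is the 'tcpdump -n -e -i pflog0' output of that era, the 203.0.113.0/24 and 198.51.100.7 addresses are stand-ins for the masked xxx.yyy blocks, and the sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One line of 'tcpdump -n -e -i pflog0' output, in the form quoted in the post.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass) "
    r"(?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Hypothetical address plan for fw1 (203.0.113.0/24 stands in for the masked xxx.yyy.60.0).
ADDRESS_PLAN = {
    "vr0": {"own": "203.0.113.18", "vip": "203.0.113.21"},  # $ext_if and carp1
    "vr1": {"own": "10.10.10.2", "vip": "10.10.10.1"},      # $int_if and carp0
}

@dataclass
class PflogEvent:
    rule: int; action: str; direction: str; ifname: str
    src: str; sport: int; dst: str; dport: int

def parse_pflog(line: str) -> Optional[PflogEvent]:
    """Return the parsed event, or None for lines that are not pflog records."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PflogEvent(int(g["rule"]), g["action"], g["direction"], g["ifname"],
                      g["src"], int(g["sport"]), g["dst"], int(g["dport"]))

def classify(ev: PflogEvent, plan=ADDRESS_PLAN) -> str:
    """Label a packet by whether it was addressed to the shared CARP VIP or the NIC's own address."""
    if ev.action != "block":
        return "passed"
    iface = plan.get(ev.ifname)
    if iface is None:
        return "unknown-interface"
    if ev.direction == "in" and ev.dst == iface["vip"]:
        # Inbound reply to the CARP VIP dropped on the carrier NIC: the symptom in the post.
        return "inbound-to-carp-vip-dropped"
    if ev.direction == "in" and ev.dst == iface["own"]:
        return "inbound-to-physical-addr-dropped"
    return "other-block"

def triage(lines):
    """Return (label, 'dst:dport') for every blocked packet in a pflog capture."""
    return [(classify(ev), f"{ev.dst}:{ev.dport}")
            for ev in map(parse_pflog, lines) if ev and ev.action == "block"]

# Constructed sample modelled on the quoted line: DNS answer from 198.51.100.7 to the carp1 VIP.
SAMPLE = "rule 0/(match) block in on vr0: 198.51.100.7.53 > 203.0.113.21.60157:[|domain]"
```

Run triage() over the pflog capture from each firewall; a run of "inbound-to-carp-vip-dropped" entries with port 53 as the source confirms the drops are the DNS replies to the shared address rather than to the NIC's own IP.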