Hi,
I'm trying to set up two redundant gateways using OpenBSD 4.8, CARP
and PF (see below for setup details).
I want to force packets incoming on carp1, out on carp0 (and NAT it,
using carp0's IP).
Here's the output from /etc/pf.conf on GW0;
<<<<<<<<<<<<<<<<<<
# Interfaces
pfsync_if="em4"
ext_if="trunk0"
int_if="trunk1"
ext_carp_if="carp0"
int_carp_if="carp1"
all_ext_if="{" $ext_if $ext_carp_if "}"
all_int_if="{" $int_if $int_carp_if "}"
all_if="{" $ext_if $ext_carp_if $int_if $int_carp_if "}"
# IPs
ext_gw="138.138.1.1"
# Allowed ICMP-types
icmp_types="{ echorep, echoreq, timex, paramprob, unreach code needfrag }"
# Blocked nets
table <blocked_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
# Our networks
our_int_net="{ 10.162.0.0/16 }"
# Options and NAT
set block-policy drop # Packets that are blocked, will be dropped
set loginterface $ext_carp_if # Log things if specified in filters
set skip on lo # Skip filtering on loopback-interface(s)
# NAT all requests from our network
match out on $ext_carp_if inet from $our_int_net to any nat-to $ext_carp_if
# Rules
block in log # Default deny
block in quick from urpf-failed # Spoofed address protection
match in all scrub (no-df) # Scrub incoming packets
# Enable pfsync
pass quick on $pfsync_if proto pfsync keep state (no-sync)
# Enable CARP
pass quick on { $ext_if, $int_if } proto carp keep state (no-sync)
# Block stuff (-:
block in quick log on $all_ext_if from <blocked_nets> to any
block out quick log on $all_ext_if from any to <blocked_nets>
pass out on $int_carp_if to $our_int_net
pass in quick on $all_int_if from $our_int_net to $all_int_if
pass in on $int_carp_if proto { tcp, udp, icmp } from $our_int_net route-to ($ext_carp_if $ext_gw)
pass out on $all_ext_if
>>>>>>>>>>>>>>>>>>
This does not work at all. If I change
match out on $ext_carp_if inet from $our_int_net to any nat-to $ext_carp_if
to
match out on $all_ext_if inet from $our_int_net to any nat-to $all_ext_if
it works, except that it NATs to trunk0's IP-address instead of
carp0's IP-address (which is somewhat expected).
I'm guessing it has something to do with the fact that the system's
default gateway is listed with trunk0 as the outgoing interface. I've
tried to change the default gateway;
root@gw1:~# route add -net 0.0.0.0/0 -iface carp0 137.138.1.1
route: carp0: bad address
but that doesn't seem to work.
I guess I'm missing something essential, but I can't figure out what.
Any help is appreciated.
<<<<<<<<<<<<<<<<<<
The system is configured in the following way;
GW0:
em0 + em1 -> trunk0 (137.138.10.11) -> carp0 (137.138.10.10), master
em2 + em3 -> trunk1 (10.162.56.3) -> carp1 (10.162.56.2), master
em4 (172.16.16.1) -> pfsync0
Destination        Gateway            Flags  Refs  Use    Mtu    Prio  Iface
default            137.138.1.1        UGS    1     25217  -      8     trunk0
10.162/16          link#10            UCS    0     0      -      8     trunk1
10.162.56/24       link#10            UC     1     0      -      4     trunk1
10.162.56.2        10.162.56.2        UH     0     4      -      4     carp1
10.162.56.3        00:30:48:c9:a1:1d  UHLc   0     2      -      4     lo0
127/8              127.0.0.1          UGRS   0     0      33160  8     lo0
127.0.0.1          127.0.0.1          UH     1     120    33160  4     lo0
137.138/16         link#9             UC     3     0      -      4     trunk0
137.138.1.1        0a:00:30:89:0b:01  UHLc   1     2      -      4     trunk0
137.138.10.10      137.138.11.19      UH     0     4      -      4     carp0
137.138.10.11      00:30:48:c9:a1:1c  UHLc   0     6      -      4     lo0
172.16.16/24       link#5             UC     0     0      -      4     em4
224/4              127.0.0.1          URS    0     0      33160  8     lo0
GW1:
em0 + em1 -> trunk0 (137.138.10.12) -> carp0 (137.138.10.10), backup
em2 + em3 -> trunk1 (10.162.56.4) -> carp1 (10.162.56.2), backup
em4 (172.16.16.2) -> pfsync0
Destination        Gateway            Flags  Refs  Use    Mtu    Prio  Iface
default            137.138.1.1        UGS    1     1541   -      8     trunk0
10.162/16          10.162.56.1        UGS    0     802    -      8     trunk1
10.162.56/24       link#10            UC     1     0      -      4     trunk1
10.162.56.1        00:16:b9:0f:f9:80  UHLc   1     0      -      4     trunk1
127/8              127.0.0.1          UGRS   0     0      33160  8     lo0
127.0.0.1          127.0.0.1          UH     1     120    33160  4     lo0
137.138/16         link#9             UC     4     0      -      4     trunk0
137.138.1.1        0a:00:30:89:0b:01  UHLc   1     0      -      4     trunk0
172.16.16/24       link#5             UC     1     0      -      4     em4
172.16.16.2        00:1b:21:90:c1:96  UHLc   0     2      -      4     lo0
224/4              127.0.0.1          URS    0     0      33160  8     lo0
>>>>>>>>>>>>>>>>>>
--
Joachim
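The following pf.conf fragment is an added illustration, not part of Joachim's post, of the variant where the outbound rules key on the physical interface that actually carries the default route (trunk0 in the routing tables above) while the translation address and the route-to next hop still come from the CARP side, so the translated source is carp0's address and follows a failover. Macro names are the ones used in the post; the next-hop value is the one shown in both routing tables (137.138.1.1), which differs from the ext_gw macro in the posted pf.conf. That this layout resolves the case above is an assumption and not established by the post, so the state and rule tables should be checked on both nodes with pfctl -sr and pfctl -ss after loading it.

```pf
# Added example (assumption, not the poster's working config):
# match outbound traffic on the physical egress interface, but translate to
# the CARP address so the NAT source survives a CARP failover.
ext_if="trunk0"
ext_carp_if="carp0"
int_carp_if="carp1"
ext_gw="137.138.1.1"            # next hop as listed in the routing tables
our_int_net="{ 10.162.0.0/16 }"

# Outbound packets leave via the interface of the matching route (trunk0),
# so the out rule must be on $ext_if. The parenthesised ($ext_carp_if)
# makes pf look up carp0's current address at run time instead of at load.
match out on $ext_if inet from $our_int_net to any nat-to ($ext_carp_if)

# Policy-route traffic arriving on carp1 towards the upstream gateway via
# the physical interface rather than the carp pseudo-interface.
pass in on $int_carp_if proto { tcp, udp, icmp } from $our_int_net route-to ($ext_if $ext_gw)

# Let the translated, policy-routed packets out on the physical interface.
pass out on $ext_if
```

With pfsync running between the two nodes, a state created by the route-to rule on the master is synchronised to the backup; since the rule references the physical interface name, the same ruleset loads unchanged on both gateways.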