I can access the web servers from the Internet on the two
internet-facing ext_if, but not the CARP interface yet. I assume I
just have to add an rdr rule which includes carp as well?

On Tue, Nov 11, 2008 at 4:58 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> I can ssh from the outside into the non-CARP interface. Actually, this
> is weird, but I can now ssh from the outside into the CARP address.
> But as far rdr goes in my pf.conf, I still can't reach the webserver
> from the outside. I can reach the web server inside my network, but
> the rdr in the router pf.conf is not directing properly to the CARP
> web server address.
>
> Another weird thing I notice. If I ssh into my web server CARP
> address, it works but then in like 30 seconds kills the sshd on the
> web servers. I'm not sure if this is because the CARP interface on the
> router and the CARP interface on the web server are flooding the
> network with so many packets since I'm also using IP balancing on both
> of them. I also figured I'd simplify the pf.conf on the web server to
> filter only carp traffic, so I set skip on the physical interface. Not
> sure if that messes packet transfer up.
>
> Vivek
>
> On Tue, Nov 11, 2008 at 4:28 PM, Felipe Alfaro Solana
> <[EMAIL PROTECTED]> wrote:
>> On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>> Here's my current configuration for my entire network. Two routers
>>> working as one using IP balancing and two web servers on the inside
>>> working as one using IP balancing. I'm still getting issues as to
>>> reaching the web servers from the outside. I just feel like it's
>>> gotten too complicated CARPing the systems. The server could be
>>> reached from the outside previously when I only had one router and
>>> server. The router uses carpnodes 1,2,3 and 4 while the web server
>>> used 5 and 6 if that makes any difference at all.
>>
>> Can you reach the system at the non-CARP address? It seems to me that
>> what might be happening is that you are sending SSH traffic to the
>> CARP interface but since you are NAT-ting, the reply packets have the
>> source address of the Ethernet interface (ext_if) and not the CARP
>> interface. This will confuse your SSH client.
>>
>>>
>>> Here's my router pf.conf:
>>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # macros
>>> ext_if = "re0" # External Interface (169.229.158.0/24)
>>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>>> localnet = $int_if:network
>>> webserver = "192.168.1.50" # Redundant Sun Servers
>>> nameserver = "192.168.1.101" # Dell L400 Celeron
>>> webports = "{ http , https }"
>>> domainport = "{ domain }"
>>> tcp_services = "{ ssh }"
>>> icmp_types = "echoreq"
>>> carpdevs = "{ carp0 , carp1 }"
>>> syncdev = "{ re1 }"
>>> ssh_allowed = "192.168.1.100"
>>> carp_mcast = "224.0.0.18"
>>>
>>> # extra tweaks
>>> set skip on lo
>>> set block-policy return
>>> set loginterface $ext_if
>>> scrub in all
>>>
>>> # nat/rdr
>>> nat on $ext_if from $localnet to any -> ($ext_if)
>>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>>> no nat on $int_if proto tcp from $int_if to $localnet
>>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>>>
>>> # pass rules
>>> # block in # Default Deny
>>> pass out keep state
>>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>>> pass in quick on $int_if
>>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>>   flags S/SA synproxy state
>>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>>   flags S/SA synproxy state
>>>
>>> # CARP/pfsync pass rules
>>> pass on $carpdevs proto carp keep state
>>> pass quick on $ext_if proto carp \
>>>   from $ext_if:network to $carp_mcast keep state
>>> pass on $syncdev proto pfsync
>>> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
>>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
>>>   flags S/SA synproxy state
>>> pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
>>> pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
>>>   flags S/SA synproxy state
>>>
>>> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
>>> antispoof quick for { lo $int_if }
>>>
>>>
>>> And here's my web server pf.conf:
>>>
>>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # macros
>>> ext_if="gem0" # External Interface (192.168.1.0/24)
>>> tcp_services = "{ ssh, www, https }"
>>> udp_services = "{ 123 }"
>>> icmp_types = "echoreq"
>>> carpdev = "{ carp0 }"
>>> syncdev = "{ re0 }"
>>> carp_mcast = "224.0.0.18"
>>>
>>> # extra tweaks
>>> set skip on lo
>>> set skip on gem0
>>> set block-policy return
>>> set loginterface $ext_if
>>> scrub in all
>>>
>>> # pass rules
>>> # block in
>>> # pass out proto tcp to any port $tcp_services
>>> # pass proto udp to any port $udp_services
>>> # pass in inet proto icmp all icmp-type $icmp_types keep state
>>>
>>> # CARP/pfsync pass rules
>>> pass on $carpdev proto carp keep state
>>> pass quick on $ext_if proto carp \
>>>   from $ext_if:network to $carp_mcast keep state
>>> pass on $syncdev proto pfsync
>>>
>>> antispoof quick for { lo }
>>>
>>> Help appreciated!
>>> Vivek
>>>
>>> On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>>>> On 2008/10/20 14:19, Vivek Ayer wrote:
>>>>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>>>>> listen on the carp interface.
>>>>
>>>> unlikely, unless you restricted in the "listen on..." line.
>>>>
>>>> $ grep ^listen /etc/ntpd.conf
>>>> listen on *
>>>> $ ifconfig carp83|grep -w inet
>>>>        inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
>>>> $ fstat|grep 195.95.187.83:123
>>>> _ntp     ntpd       19169   16* internet dgram udp 195.95.187.83:123
>>>>
>>>>> Could this also be due my current pf.conf?
>>>>
>>>> most likely - the suggestion I made will show you for sure
>>>> (I think running tcpdump on pflog is the single most useful tool
>>>> to help debug problems with a PF ruleset).
>>>
>>>
>>
>>
>>
>> --
>> http://www.felipe-alfaro.org/blog/disclaimer/
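The gap the top of the thread suspects, rdr rules written only for $ext_if while the pass rules already admit the web ports on $carpdevs too, can be spotted mechanically. The script below is an added example, not code from the thread or from OpenBSD: it takes a constructed excerpt modelled on the posted router pf.conf, expands the macros, and reports every port that a "pass in on" rule accepts on an interface that has no matching "rdr on" rule. The excerpt, the proposed extra rdr line and the lint itself are assumptions made for the example; the check only covers rules that carry an "on" interface and a "port" clause.

```python
"""Cross-check which interfaces pf.conf accepts a port on (pass in) versus
which interfaces actually redirect it (rdr).  Added example, not code from
the thread: the ruleset below is a constructed excerpt modelled on the
router pf.conf posted above, and the check itself is a hypothetical lint."""
import re
from collections import defaultdict

# Constructed excerpt: the macros and the web-port rules of the router ruleset.
ROUTER_PF_CONF = """
ext_if = "re0" # External Interface
int_if = "xl0" # Internal Interface
webserver = "192.168.1.50" # Redundant Sun Servers
webports = "{ http , https }"
carpdevs = "{ carp0 , carp1 }"
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
pass in on $ext_if inet proto tcp from any to $webserver port $webports \\
  flags S/SA synproxy state
pass in on $carpdevs inet proto tcp from any to $webserver port $webports \\
  flags S/SA synproxy state
"""

# The same excerpt plus the rdr the top of the thread proposes: one that
# matches on the CARP interfaces as well (assumed fix, not from the thread).
ROUTER_PF_CONF_FIXED = ROUTER_PF_CONF + (
    "rdr on $carpdevs proto tcp from any to any port $webports -> $webserver\n"
)

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
# "rdr ... on <iface or { list }> ... port <port or { list }>"
RULE_RE = re.compile(
    r'^(rdr|pass in)\b.*?\bon\s+(\{[^}]*\}|\S+).*?\bport\s+(\{[^}]*\}|\S+)')


def join_continuations(text):
    """pf.conf continues a rule on the next line after a trailing backslash."""
    return re.sub(r'\\\n\s*', ' ', text)


def parse_macros(lines):
    """Collect name = "value" macro definitions (values kept as raw strings)."""
    macros = {}
    for line in lines:
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand(text, macros):
    """Substitute $macro references; bounded so an unknown or self-referential
    macro cannot loop forever (unknown names are left as written)."""
    for _ in range(8):
        new = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def expand_list(value):
    """'{ a , b }' -> ['a', 'b']; a bare token -> [token]."""
    value = value.strip()
    if value.startswith('{') and value.endswith('}'):
        return [v.strip() for v in value[1:-1].split(',') if v.strip()]
    return [value]


def missing_redirects(conf):
    """Return {port: [interfaces]} for every port that some 'pass in on'
    rule accepts on an interface that has no 'rdr on' rule for that port."""
    lines = [l for l in join_continuations(conf).splitlines()
             if l.strip() and not l.lstrip().startswith('#')]
    macros = parse_macros(lines)
    redirected = defaultdict(set)   # port -> interfaces with an rdr
    accepted = defaultdict(set)     # port -> interfaces with a pass in
    for line in lines:
        m = RULE_RE.match(expand(line, macros))
        if not m:
            continue
        kind, ifaces, ports = m.group(1), expand_list(m.group(2)), expand_list(m.group(3))
        table = redirected if kind == 'rdr' else accepted
        for port in ports:
            table[port].update(ifaces)
    return {port: sorted(accepted[port] - redirected[port])
            for port in accepted if accepted[port] - redirected[port]}


if __name__ == '__main__':
    print("as posted :", missing_redirects(ROUTER_PF_CONF))
    print("with fix  :", missing_redirects(ROUTER_PF_CONF_FIXED))
```

Run against the excerpt as posted it reports http and https as accepted on carp0 and carp1 without a redirect; with the extra rdr line it reports nothing. Whether a redirect on the CARP interfaces is the whole story still has to be confirmed the way Stuart suggests, by watching what pflog actually drops.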
