I can access the web servers from the Internet on the two internet-facing ext_if, but not the CARP interface yet. I assume I just have to add an rdr rule which includes carp as well?
On Tue, Nov 11, 2008 at 4:58 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> I can ssh from the outside into the non-CARP interface. Actually, this
> is weird, but I can now ssh from the outside into the CARP address.
> But as far as rdr goes in my pf.conf, I still can't reach the webserver
> from the outside. I can reach the web server inside my network, but
> the rdr in the router pf.conf is not directing properly to the CARP
> web server address.
>
> Another weird thing I notice. If I ssh into my web server CARP
> address, it works but then in like 30 seconds kills the sshd on the
> web servers. I'm not sure if this is because the CARP interface on the
> router and the CARP interface on the web server are flooding the
> network with so many packets since I'm also using IP balancing on both
> of them. I also figured I'd simplify the pf.conf on the web server to
> filter only carp traffic, so I set skip on the physical interface. Not
> sure if that messes packet transfer up.
>
> Vivek
>
> On Tue, Nov 11, 2008 at 4:28 PM, Felipe Alfaro Solana
> <[EMAIL PROTECTED]> wrote:
>> On Wed, Nov 12, 2008 at 12:53 AM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>> Here's my current configuration for my entire network. Two routers
>>> working as one using IP balancing and two web servers on the inside
>>> working as one using IP balancing. I'm still getting issues as to
>>> reaching the web servers from the outside. I just feel like it's
>>> gotten too complicated CARPing the systems. The server could be
>>> reached from the outside previously when I only had one router and
>>> server. The router uses carpnodes 1,2,3 and 4 while the web server
>>> used 5 and 6 if that makes any difference at all.
>>
>> Can you reach the system at the non-CARP address? It seems to me that
>> what might be happening is that you are sending SSH traffic to the
>> CARP interface but since you are NAT-ting, the reply packets have the
>> source address of the Ethernet interface (ext_if) and not the CARP
>> interface. This will confuse your SSH client.
>>
>>>
>>> Here's my router pf.conf:
>>> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # macros
>>> ext_if = "re0" # External Interface (169.229.158.0/24)
>>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>>> localnet = $int_if:network
>>> webserver = "192.168.1.50" # Redundant Sun Servers
>>> nameserver = "192.168.1.101" # Dell L400 Celeron
>>> webports = "{ http , https }"
>>> domainport = "{ domain }"
>>> tcp_services = "{ ssh }"
>>> icmp_types = "echoreq"
>>> carpdevs = "{ carp0 , carp1 }"
>>> syncdev = "{ re1 }"
>>> ssh_allowed = "192.168.1.100"
>>> carp_mcast = "224.0.0.18"
>>>
>>> # extra tweaks
>>> set skip on lo
>>> set block-policy return
>>> set loginterface $ext_if
>>> scrub in all
>>>
>>> # nat/rdr
>>> nat on $ext_if from $localnet to any -> ($ext_if)
>>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>>> no nat on $int_if proto tcp from $int_if to $localnet
>>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>>>
>>> # pass rules
>>> # block in # Default Deny
>>> pass out keep state
>>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>>> pass in quick on $int_if
>>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>> flags S/SA synproxy state
>>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>> flags S/SA synproxy state
>>>
>>> # CARP/pfsync pass rules
>>> pass on $carpdevs proto carp keep state
>>> pass quick on $ext_if proto carp \
>>> from $ext_if:network to $carp_mcast keep state
>>> pass on $syncdev proto pfsync
>>> pass in on $carpdevs inet proto tcp from any to ($ext_if) \
>>> port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $carpdevs inet proto tcp from any to $webserver port $webports \
>>> flags S/SA synproxy state
>>> pass in on $carpdevs inet proto udp from any to $nameserver port $domainport
>>> pass in on $carpdevs inet proto tcp from any to $nameserver port $domainport \
>>> flags S/SA synproxy state
>>>
>>> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
>>> antispoof quick for { lo $int_if }
>>>
>>>
>>> And here's my web server pf.conf:
>>>
>>> # $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # macros
>>> ext_if="gem0" # External Interface (192.168.1.0/24)
>>> tcp_services = "{ ssh, www, https }"
>>> udp_services = "{ 123 }"
>>> icmp_types = "echoreq"
>>> carpdev = "{ carp0 }"
>>> syncdev = "{ re0 }"
>>> carp_mcast = "224.0.0.18"
>>>
>>> # extra tweaks
>>> set skip on lo
>>> set skip on gem0
>>> set block-policy return
>>> set loginterface $ext_if
>>> scrub in all
>>>
>>> # pass rules
>>> # block in
>>> # pass out proto tcp to any port $tcp_services
>>> # pass proto udp to any port $udp_services
>>> # pass in inet proto icmp all icmp-type $icmp_types keep state
>>>
>>> # CARP/pfsync pass rules
>>> pass on $carpdev proto carp keep state
>>> pass quick on $ext_if proto carp \
>>> from $ext_if:network to $carp_mcast keep state
>>> pass on $syncdev proto pfsync
>>>
>>> antispoof quick for { lo }
>>>
>>> Help appreciated!
>>> Vivek
>>>
>>> On Mon, Oct 20, 2008 at 1:51 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>>>> On 2008/10/20 14:19, Vivek Ayer wrote:
>>>>> I'll give that a shot. But in the meanwhile, it appears ntpd doesn't
>>>>> listen on the carp interface.
>>>>
>>>> unlikely, unless you restricted in the "listen on..." line.
>>>>
>>>> $ grep ^listen /etc/ntpd.conf
>>>> listen on *
>>>> $ ifconfig carp83|grep -w inet
>>>> inet 195.95.187.83 netmask 0xffffffe0 broadcast 195.95.187.95
>>>> $ fstat|grep 195.95.187.83:123
>>>> _ntp ntpd 19169 16* internet dgram udp 195.95.187.83:123
>>>>
>>>>> Could this also be due to my current pf.conf?
>>>>
>>>> most likely - the suggestion I made will show you for sure
>>>> (I think running tcpdump on pflog is the single most useful tool
>>>> to help debug problems with a PF ruleset).
>>>
>>>
>>
>>
>>
>> --
>> http://www.felipe-alfaro.org/blog/disclaimer/
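As an added illustration of the rdr question at the top of the thread and of the reply-address mismatch Felipe describes, here is one way the router-side nat/rdr rules could be written so that they cover both the physical external interface and its CARP interface, and so that outbound NAT presents the CARP address instead of the physical one. This is example configuration written for this page, not any poster's pf.conf. Interface names, addresses and macro names are taken from the quoted router configuration; the assignment of carp0 to the external side and carp1 to the internal side is an assumption, as is the choice to translate to (carp0).

```pf
# Added example, not from the thread.  Assumes carp0 is the CARP
# interface paired with $ext_if (re0) and carp1 the one paired with
# $int_if (xl0); adjust to the real layout before use.
ext_if    = "re0"
int_if    = "xl0"
ext_carp  = "carp0"
int_carp  = "carp1"
localnet  = $int_if:network
webserver = "192.168.1.50"
webports  = "{ http, https }"

# Outbound NAT: translate to the CARP address rather than ($ext_if),
# so a client that talked to the CARP address gets replies from that
# same address (the mismatch Felipe describes when NAT uses the
# physical interface address).
nat on $ext_if from $localnet to any -> ($ext_carp)

# Inbound redirection to the web servers.  Listing both the physical
# and the CARP interface means the rule matches whichever interface pf
# sees the packet on, which depends on the address it was sent to.
rdr on { $ext_if $ext_carp } proto tcp from any to any port $webports \
    -> $webserver

# Matching pass rules on the same interface pair; "log" sends matches
# to pflog0 so they can be checked with tcpdump as Stuart suggests.
pass in log on { $ext_if $ext_carp } inet proto tcp from any to $webserver \
    port $webports flags S/SA synproxy state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then confirm the translation rules with `pfctl -s nat`. With `log` on the pass rule, `tcpdump -n -e -ttt -i pflog0` shows which interface and rule each redirected connection actually matched, which is the quickest way to tell whether traffic to the CARP address is arriving on the physical interface or on carp0.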