Re: pf/carp for redundant production use

Wed, 21 Sep 2005 02:03:01 -0700

Hi guys, I got pf and carp working together. However, I have noticed that TCP oriented application doesn't get recover well when I disconnect a cable. I setup a netcat listener on a machine inside the network. Then I ran netcat from another machine outside the network. I was able to connect and was able to send some characters. However, when I disconnected the primary firewall's external interface, netcat won't work anymore until I execute netcat again that connects to the shared external ip address. Am I missing any configuration? Looks like it's related to pf state tables not being sent to the backup firewall. Please help. Thanks, Neil Neil writes:
Hi guys, I'm very new to carp. I used openbsd and pf about 2 yrs so I have forgotten it too. Anyways, I just finished building 2 machines with 3 nics on each machine. I got CARP working as well but have some questions. Here is my configuration: 
/*******************************************
/* FW1:
/*******************************************
external interface: fxp1 => 192.168.1.1/24
internal interface: xl0  => 172.16.0.1/16
pfsync interface fxp0 => 10.10.10.1/24 carp0: inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev xl0 vhid 1 pass lanpasswd carp1: inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev fxp1 vhid 2 pass netpasswd pfsync0: up syncif fxp0 

/*******************************************
/* FW2:
/*******************************************
external interface: ne3  => 192.168.1.2/24
internal interface: rl0  => 172.16.0.2/16

pfsync interface    fxp0 => 10.10.10.2/24  

carp0: inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev rl0 vhid 1 
pass lanpasswd advskew 128
carp1: inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev ne3 vhid 2 
pass netpasswd advskew 128
pfsync0: up syncif fxp0  


LAN shared IP:          172.16.0.100

WAN/Internet shared IP: 192.168.1.100  


DIAGRAM:
                   EXTERNAL
       +--------| 192.168.1.x  |--------+
       |                                |
   fxp1|                                |ne3
    +-----+                          +-----+
    | fw1 |-fxp0---10.10.10.x---fxp0-| fw2 |
    +-----+                          +-----+
    xl0|                                |rl0
       |                                |
    ---+--------| 172.16.x.x   |--------+---

                   INTERNAL  




1. Let say we want to do some NAT using CARP/PF setup:  


web server public: 192.168.1.10

web server NAT:    172.16.1.10(real ip)  


mailserver public: 192.168.1.11

mailserver NAT:    172.16.1.11(real ip) 


a. How will I configure CARP?

b. How will I configure the pf.conf on both firewalls? An example will 
really help me a lot.
c. Do I also have to create an alias interface for the 2 machine's 
external interface?  




2. Can someone please send me a pf.conf that can be used in production 
environment?  

3. Am I correct that my internal mailserver's and webserver's gateway 
should point to 172.16.0.100?  

4. What if the interface where our pfsync is configured goes bad or cable 
gets disconnected, what happens?  

5. Other than this setup, are there anything that I can add to make it 
much more reliable?  

Thanks in advance!  


Neil
























					Reply via email to