Hi ALL,
I myself got it working after changing pf.conf file and relayd.conf files
here are the new working ones
in /etc/pf.conf file (on both nodes - fw1 and fw2)
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="em0"
pfsync_if="em1"
servers = "{ 192.168.0.66, 192.168.0.67 }"
set skip on lo
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
# anchor for relayd(8)
anchor "relayd/*"
pass on em1 proto pfsync
pass on { em0 em1 } proto carp
##END
pass log # to establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010
in /etc/relayd.conf file (on both nodes - fw1 and fw2)
# cat /etc/relayd.conf
# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#
ext_addr="192.168.0.100"
webhost1="192.168.0.66"
webhost2="192.168.0.67"
#ext_if="em0"
table <servers> { $webhost1 $webhost2 }
relay www {
listen on $ext_addr port 80
#forward to <servers> port 80 mode loadbalance check tcp
forward to <servers> port 80 mode roundrobin check tcp
}
relay smtp {
listen on $ext_addr port 25
#forward to <servers> port 25 mode loadbalance check tcp
forward to <servers> port 25 mode roundrobin check tcp
}
Anyway, I had to add the lines below to the /etc/rc.local files.
/etc/rc.local (on fw1)
# cat /etc/rc.local
# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
#configure pfsync
ifconfig em1 192.168.9.67 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up
#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
192.168.0.100 netmask 255.255.255.0
#Starting relayd
relayd

/etc/rc.local (on fw2)
# cat /etc/rc.local
# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
#configure pfsync
ifconfig em1 192.168.9.68 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up
#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
advskew 128 192.168.0.100 netmask 255.255.255.0
#Starting relayd
relayd
That's it.
Pls NOTE that, in the /etc/relayd.conf file, I had to add "relay www" instead
of "redirect www" and "relay smtp" instead of "redirect smtp".
Also, in the /etc/pf.conf file, instead of the lines below,
# anchor for relayd(8)
#anchor "relayd/*"
pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state
I added the lines below:
# anchor for relayd(8)
anchor "relayd/*"
pass on em1 proto pfsync
pass on { em0 em1 } proto carp
Now my setup works.
On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya <[email protected]> wrote:
> Hi misc,
>
>
> I have 2 OpenBSD 5.1 64bit boxes. I want to setup relayd for lan servers
> with carp and pfsync for LAN USERS.
>
> What I want to achieve is that LAN USERS connect to carp1 ip address ( lan
> shared ip - 192.168.0.100 ). then, relayd will redirect that traffic to 2
> lan servers running services http, smtp and pop. If one server goes down,
> relayd will remove it from the table.
>
>
> This is what I did.
>
> let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2
>
>
> fw1
>
> em0 - 192.168.0.10 (and carp1 - LAN shared IP - 192.168.0.100 )
>
> em1 - 192.168.9.67 ( for pfsync )
>
> fw2
>
> em0 - 192.168.0.11 (and carp1 - LAN shared IP - 192.168.0.100 )
>
> em1 - 192.168.9.68 ( for pfsync )
>
>
> LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )
>
>
>
> net.inet.ip.forwarding=1 in /etc/sysctl.conf on both fw1 and fw2
>
>
>
> Configure fw1:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
>
> ! configure pfsync
> # ifconfig em1 192.168.9.67 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
> 192.168.0.100 netmask 255.255.255.0
>
>
>
> Configure fw2:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
> ! configure pfsync
> # ifconfig em1 192.168.9.68 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
> advskew 128 192.168.0.100 netmask 255.255.255.0
>
>
>
> /etc/pf.conf looks like this on both nodes (fw1 and fw2)
>
>
> # cat /etc/pf.conf
>
> # $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="em0"
> pfsync_if="em1"
>
> servers = "{ 192.168.0.66, 192.168.0.67 }"
>
> set skip on lo
>
> # filter rules and anchor for ftp-proxy(8)
> #anchor "ftp-proxy/*"
> #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> # anchor for relayd(8)
> #anchor "relayd/*"
>
> pass quick on { em1 } proto pfsync keep state (no-sync)
> pass on { em0 em1 } proto carp keep state
>
> ##END
>
> pass log # to establish keep-state
>
> # rules for spamd(8)
> #table <spamd-white> persist
> #table <nospamd> persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> # rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from <nospamd> to any port smtp
> #pass in log on egress proto tcp from <spamd-white> to any port smtp
> #pass out log on egress proto tcp to any port smtp
>
>
> #block in quick from urpf-failed to any # use with care
>
> # By default, do not permit remote connections to X11
> #block in on ! lo0 proto tcp to port 6000:6010
>
> /etc/relayd.conf is like this on both nodes (fw1 and fw2)
>
>
>
> # cat /etc/relayd.conf
>
> # $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
> #
> # Macros
> #
>
> ext_addr="192.168.0.100"
> webhost1="192.168.0.66"
> webhost2="192.168.0.67"
>
> table <servers> { $webhost1 $webhost2 }
>
> redirect www {
> listen on $ext_addr port 80
> #forward to <servers> port 80 mode loadbalance check tcp
> forward to <servers> port 80 mode roundrobin check tcp
> }
>
> redirect smtp {
> listen on $ext_addr port 25
> #forward to <servers> port 25 mode loadbalance check tcp
> forward to <servers> port 25 mode roundrobin check tcp
> }
>
> redirect pop {
> listen on $ext_addr port 110
> #forward to <servers> port 110 mode loadbalance check tcp
> forward to <servers> port 110 mode roundrobin check tcp
> }
>
>
>
> then I issued below 2 commands on both nodes (fw1 and fw2 )
>
>
> # pfctl -f /etc/pf.conf
>
>
> # relayd
>
>
> Then, from a LAN PC (actually my Fedora 12 desktop), I executed the 2
> commands below
>
>
> telnet 192.168.0.100 80 and telnet 192.168.0.100 25
>
>
> Both worked in round robin manner as I expected.
>
>
> then, I added these on both nodes ( fw1 and fw2 )
>
>
> /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
> pass lanpasswd
>
> /etc/hostname.pfsync0
> up syncdev em1
>
>
>
>
> Then, I rebooted both hosts (first fw1 and then fw2 )
>
>
> Then, I ran the telnet command again to the carp1 IP address (192.168.0.100)
> in the following way,
>
>
> telnet 192.168.0.100 80 and telnet 192.168.0.100 25
>
>
>
> It does NOT work.
>
> Could you pls let me know why?
>
>
>
> Since fw2 is backup, I think /etc/hostname.carp1 should be different
> (with advskew 128), in the following way?
>
>
>
> /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
> pass lanpasswd advskew 128
>
>
> relayctl show summary gives this on both nodes (Pls note that
> port pop3 is NOT yet configured)
>
>
> # relayctl show summary
>
> Id   Type      Name           Avlblty   Status
> 1    redirect  www                      active
> 1    table     servers:80               active (2 hosts)
> 1    host      192.168.0.66   100.00%   up
> 2    host      192.168.0.67   100.00%   up
> 2    redirect  smtp                     active
> 2    table     servers:25               active (2 hosts)
> 3    host      192.168.0.66   100.00%   up
> 4    host      192.168.0.67   100.00%   up
> 3    redirect  pop                      down
> 3    table     servers:110              empty
> 5    host      192.168.0.66   0.00%     down
> 6    host      192.168.0.67   0.00%     down
>
>
>
> Seeking your ideas to solve this. Where have I gone wrong?
>
>
> I referred to the 2 URLs below
>
>
> http://www.openbsd.org/faq/pf/carp.html#failover
>
> http://meinit.nl/openbsd-loadbalancing-and-failover-relayd-pf-and-carp
>
>
>
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>
>
--
Thank you
Indunil Jayasooriya
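A health-check script for the two-node setup in this thread, added here as an example and not part of Indunil's post: it parses "relayctl show summary" output to count and list the relays, tables and hosts that are not healthy (such as the pop redirect shown above while port 110 was not yet configured), and reads the CARP role and advskew from "ifconfig carp1" output so the two nodes can be checked for the expected MASTER/BACKUP split. The functions read from stdin, the sample inputs at the bottom are constructed, and the layout of the "carp:" line in ifconfig output is an assumption based on OpenBSD 5.x.

```shell
#!/bin/sh
# Health check for a two-node relayd + CARP + pfsync pair like fw1/fw2.
# Added example, not part of the original post. Each function reads command
# output from stdin, so on OpenBSD it can be fed live output, e.g.
#   relayctl show summary | relayd_down_count
#   ifconfig carp1 | carp_role
# Here it is fed the constructed samples at the bottom of the file.
# The "carp:" line format of ifconfig output is assumed from OpenBSD 5.x.

# Count unhealthy entries in "relayctl show summary" output: a relay,
# redirect or table whose status is not "active", or a host that is not "up".
relayd_down_count() {
    awk '
        $2 == "relay" || $2 == "redirect" || $2 == "table" {
            if ($4 != "active") bad++
            next
        }
        $2 == "host" {
            if ($5 != "up") bad++
            next
        }
        END { print bad + 0 }
    '
}

# Print the unhealthy summary lines themselves (for a log or an alert mail).
relayd_unhealthy_lines() {
    awk '
        ($2 == "relay" || $2 == "redirect" || $2 == "table") && $4 != "active"
        $2 == "host" && $5 != "up"
    '
}

# Succeed only when every relay, table and host in the summary is healthy.
relayd_ok() {
    [ "$(relayd_down_count)" -eq 0 ]
}

# Print the CARP role (MASTER, BACKUP or INIT) from "ifconfig carpN" output;
# fail if no "carp:" line is present (the interface is not a CARP interface).
carp_role() {
    awk '$1 == "carp:" { print $2; found = 1 } END { exit !found }'
}

# Print the advskew shown on the "carp:" line (0 on the node meant to be master).
carp_advskew() {
    awk '$1 == "carp:" {
        for (i = 1; i <= NF; i++) if ($i == "advskew") { print $(i + 1); exit }
    }'
}

# Constructed sample: the summary from the thread, where the pop redirect is
# down because nothing listens on port 110 on the two servers.
SAMPLE_SUMMARY='Id Type Name Avlblty Status
1 redirect www active
1 table servers:80 active (2 hosts)
1 host 192.168.0.66 100.00% up
2 host 192.168.0.67 100.00% up
2 redirect smtp active
2 table servers:25 active (2 hosts)
3 host 192.168.0.66 100.00% up
4 host 192.168.0.67 100.00% up
3 redirect pop down
3 table servers:110 empty
5 host 192.168.0.66 0.00% down
6 host 192.168.0.67 0.00% down'

# Constructed samples of "ifconfig carp1" on fw1 (master) and fw2 (backup,
# advskew 128), following the assumed OpenBSD 5.x output layout.
SAMPLE_CARP_FW1='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 15
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255'
SAMPLE_CARP_FW2='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 15
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 128
        groups: carp
        inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255'

# Demo run on the samples (replace the printf pipes with the live commands).
echo "fw1 is $(printf '%s\n' "$SAMPLE_CARP_FW1" | carp_role), advskew $(printf '%s\n' "$SAMPLE_CARP_FW1" | carp_advskew)"
echo "fw2 is $(printf '%s\n' "$SAMPLE_CARP_FW2" | carp_role), advskew $(printf '%s\n' "$SAMPLE_CARP_FW2" | carp_advskew)"
if printf '%s\n' "$SAMPLE_SUMMARY" | relayd_ok; then
    echo "relayd: all relays, tables and hosts healthy"
else
    echo "relayd: $(printf '%s\n' "$SAMPLE_SUMMARY" | relayd_down_count) unhealthy entries:"
    printf '%s\n' "$SAMPLE_SUMMARY" | relayd_unhealthy_lines
fi
```

On the sample summary the script reports 4 unhealthy entries (the pop redirect, its empty table and its two down hosts) while www and smtp stay healthy; run on both nodes, carp_role should show exactly one MASTER and carp_advskew should be 0 on fw1 and 128 on fw2, matching the hostname.carp1 difference discussed above.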