Serwus

W czwartek, 16 sie 2012 o 16:18 CEST
Indunil Jayasooriya <[email protected]> napisał(a):

> I myself got it working after changing pf.conf file and relayd.conf files

You've changed redirect to relay in relayd.conf. I suppose this is the
real solution (it changes the way relayd handles connections to the
backends): with "redirect", relayd only programs rdr-to rules for the
table into the pf anchor "relayd/*", so that anchor has to be referenced
from pf.conf - your first ruleset had it commented out (I can't tell
from the thread why redirect appeared to work before the reboot). With
"relay", relayd itself accepts the TCP connection on 192.168.0.100 and
opens a new one to the backend. All the rest of your changes (especially
the ones in rc.local) are probably irrelevant...

Two consequences of relay mode you should be aware of:

- The backends now see every connection as coming from relayd's own
  address instead of the client's, so the web/SMTP/POP logs on the
  servers lose the real client IP and any source-based policy there
  (SMTP relaying permissions, rate limits, allow-lists) is applied to
  relayd rather than to the client. Check relayd.conf(5) for your
  release for "transparent" forwarding if you need the client address
  preserved.

- A relay session is a TCP connection terminated by the relayd process
  on the current CARP master. A socket cannot be synchronised to the
  other node, so on failover every established connection is dropped
  and clients have to reconnect. The redirect/rdr variant is the one
  whose states pfsync can carry over.

A few things in the posted configuration a firewall pair should not be
run with:

- pf.conf contains no "block" rule at all; the trailing "pass log"
  permits every packet in every direction, so the boxes are currently
  plain routers, not firewalls. Start from "block log all" and add only
  the pass rules you need (carp, pfsync, the relayd anchor, the LAN
  traffic you intend to allow).

- The CARP passphrase ("lanpasswd") is in /etc/rc.local, which is
  world-readable; /etc/hostname.carp1 is meant to be root-only (0640)
  precisely because it may hold such secrets. Keep the interface
  configuration in the hostname.if files only (netstart already
  applies them at boot, which is why repeating them in rc.local changes
  nothing), use a strong passphrase instead of the example one, and
  put "advskew 128" into fw2's hostname.carp1 so the master election
  is deterministic. Any host on the 192.168.0.0/24 segment that knows
  (or brute-forces a weak) passphrase can announce itself as master
  for vhid 1 and take over 192.168.0.100 - and with it all the traffic
  relayd is proxying.

- pfsync is neither authenticated nor encrypted. em1 (192.168.9.0/24)
  must be a dedicated back-to-back link between fw1 and fw2, or be
  carried over IPsec; otherwise anyone on that segment can read or
  inject firewall states. Keep "(no-sync)" on the pfsync pass rule so
  the pfsync states themselves are not synchronised.

- Start relayd via "relayd_flags=" in /etc/rc.conf.local rather than
  from rc.local, so rc handles it like the other daemons.


> here are the new working ones
> 
> *
> in /etc/pf.conf file* *( on both nodes - fw1 and fw2 )*
> 
> # cat /etc/pf.conf
> 
> #       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> 
> ext_if="em0"
> pfsync_if="em1"
> 
> servers = "{ 192.168.0.66, 192.168.0.67 }"
> 
> set skip on lo
> 
> # filter rules and anchor for ftp-proxy(8)
> #anchor "ftp-proxy/*"
> #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
> 
> # anchor for relayd(8)
> *anchor "relayd/*"
> 
> pass on em1 proto pfsync
> pass on { em0 em1 } proto carp *
> 
> ##END
> 
> *pass log  *              # to establish keep-state
> 
> # rules for spamd(8)
> #table <spamd-white> persist
> #table <nospamd> persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> #    rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from <nospamd> to any port smtp
> #pass in log on egress proto tcp from <spamd-white> to any port smtp
> #pass out log on egress proto tcp to any port smtp
> 
> 
> #block in quick from urpf-failed to any # use with care
> 
> # By default, do not permit remote connections to X11
> #block in on ! lo0 proto tcp to port 6000:6010
> 
> 
> 
> *in /etc/relayd.conf  file* *( on both nodes - fw1 and fw2 )*
> 
> # cat
> /etc/relayd.conf
> 
> # $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
> #
> # Macros
> #
> 
> ext_addr="192.168.0.100"
> webhost1="192.168.0.66"
> webhost2="192.168.0.67"
> #ext_if="em0"
> 
> table <servers> { $webhost1 $webhost2 }
> 
> *relay www* {
>   listen on $ext_addr port 80
>   #forward to <servers> port 80 mode loadbalance check tcp
>   forward to <servers> port 80 mode roundrobin check tcp
> }
> 
> *relay smtp* {
>   listen on $ext_addr port 25
>   #forward to <servers> port 25 mode loadbalance check tcp
>   forward to <servers> port 25 mode roundrobin check tcp
> }
> 
> 
> 
> anyway, I had to add below lines in /etc/rc.local files
> 
> /etc/rc.local  (*on fw1*)
> 
> 
> # cat
> /etc/rc.local
> 
> #       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
> 
> # Site-specific startup actions, daemons, and other things which
> # can be done AFTER your system goes into securemode.  For actions
> # which should be done BEFORE your system has gone into securemode
> # please see /etc/rc.securelevel.
> 
> #configure pfsync
> *ifconfig em1 192.168.9.67 netmask 255.255.255.0
> ifconfig pfsync0 syncdev em1
> ifconfig pfsync0 up*
> 
> #configure CARP on the LAN side
> *ifconfig carp1 create
> ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
>      192.168.0.100 netmask 255.255.255.0*
> 
> #Staring relayd
> *relayd *
> *
> 
> */etc/rc.local  (*on fw2) *
> 
> 
> # cat
> /etc/rc.local
> 
> #       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
> 
> # Site-specific startup actions, daemons, and other things which
> # can be done AFTER your system goes into securemode.  For actions
> # which should be done BEFORE your system has gone into securemode
> # please see /etc/rc.securelevel.
> 
> #configure pfsync
> *ifconfig em1 192.168.9.68 netmask 255.255.255.0
> ifconfig pfsync0 syncdev em1
> ifconfig pfsync0 up*
> 
> #configure CARP on the LAN side
> *ifconfig carp1 create
> ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
>      advskew 128 192.168.0.100 netmask 255.255.255.0*
> 
> #Staring relayd
> *relayd *
> 
> 
> That's it.
> 
> 
> Please NOTE that in /etc/relayd.conf I had to use *relay www* instead
> of *redirect www*, and *relay smtp* instead of *redirect smtp*.
> 
> 
> also in /etc/pf.conf file , instead of the below lines,
> 
> # anchor for relayd(8)
> *#anchor "relayd/*"
> 
> pass quick on { em1 } proto pfsync keep state (no-sync)
> pass on { em0 em1 } proto carp keep state*
> 
> 
> I added below lines
> 
> 
> # anchor for relayd(8)
> *anchor "relayd/*"
> 
> pass on em1 proto pfsync
> pass on { em0 em1 } proto carp *
> 
> 
> Now. my setup works
> 
> 
> 
> 
> 
> On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya
> <[email protected]>wrote:
> 
> > Hi misc,
> >
> >
> > I have 2 OpenBSD 5.1 64bit boxes. I want to setup relayd for lan servers
> > with carp and pfsync for LAN USERS.
> >
> > What I want to achieve is that LAN USERS connect to carp1 ip address ( lan
> > shared ip - 192.168.0.100  ). then, relayd will redirect that traffic to 2
> > lan servers running services http, smtp and pop. If one server goes down,
> > relayd will remove it from the table.
> >
> >
> > *This is What I did. *
> >
> > let's assume 2 OpenBSD 5.1 64bit boxes are fw1 and fw2
> >
> >
> > fw1
> >
> > em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )
> >
> > em1 - 192.168.9.67 ( for pfsync )
> >
> > fw2
> >
> > em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )
> >
> > em1 - 192.168.9.68 ( for pfsync )
> >
> >
> > LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )
> >
> >
> >
> > net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2
> >
> >
> >
> > Configure fw1:
> >
> > ! enable preemption and group interface failover
> > # sysctl -w net.inet.carp.preempt=1
> >
> >
> > ! configure pfsync
> > # ifconfig em1 192.168.9.67 netmask 255.255.255.0
> > # ifconfig pfsync0 syncdev em1
> > # ifconfig pfsync0 up
> >
> > ! configure CARP on the LAN side
> > # ifconfig carp1 create
> > # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
> >      192.168.0.100 netmask 255.255.255.0
> >
> >
> >
> > Configure fw2:
> >
> > ! enable preemption and group interface failover
> > # sysctl -w net.inet.carp.preempt=1
> >
> > ! configure pfsync
> > # ifconfig em1 192.168.9.68 netmask 255.255.255.0
> > # ifconfig pfsync0 syncdev em1
> > # ifconfig pfsync0 up
> >
> > ! configure CARP on the LAN side
> > # ifconfig carp1 create
> > # ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
> >      advskew 128 192.168.0.100 netmask 255.255.255.0
> >
> >
> >
> > */etc/pf.conf * looks like this on both nodes ( fw1 and fw2 )
> >
> >
> > # cat
> > /etc/pf.conf
> >
> > #       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> > #
> > # See pf.conf(5) for syntax and examples.
> > # Remember to set net.inet.ip.forwarding=1 and/or
> > net.inet6.ip6.forwarding=1
> > # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> >
> > ext_if="em0"
> > pfsync_if="em1"
> >
> > servers = "{ 192.168.0.66, 192.168.0.67 }"
> >
> > set skip on lo
> >
> > # filter rules and anchor for ftp-proxy(8)
> > #anchor "ftp-proxy/*"
> > #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
> >
> > # anchor for relayd(8)
> > #anchor "relayd/*"
> >
> > pass quick on { em1 } proto pfsync keep state (no-sync)
> > pass on { em0 em1 } proto carp keep state
> >
> > ##END
> >
> > pass log                # to establish keep-state
> >
> > # rules for spamd(8)
> > #table <spamd-white> persist
> > #table <nospamd> persist file "/etc/mail/nospamd"
> > #pass in on egress proto tcp from any to any port smtp \
> > #    rdr-to 127.0.0.1 port spamd
> > #pass in on egress proto tcp from <nospamd> to any port smtp
> > #pass in log on egress proto tcp from <spamd-white> to any port smtp
> > #pass out log on egress proto tcp to any port smtp
> >
> >
> > #block in quick from urpf-failed to any # use with care
> >
> > # By default, do not permit remote connections to X11
> > #block in on ! lo0 proto tcp to port 6000:6010
> >
> > *
> > /etc/relayd.conf* is like this on both nodes ( fw1 and fw2 )
> >
> >
> >
> > # cat
> > /etc/relayd.conf
> >
> > # $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
> > #
> > # Macros
> > #
> >
> > ext_addr="192.168.0.100"
> > webhost1="192.168.0.66"
> > webhost2="192.168.0.67"
> >
> > table <servers> { $webhost1 $webhost2 }
> >
> > redirect www {
> >   listen on $ext_addr port 80
> >   #forward to <servers> port 80 mode loadbalance check tcp
> >   forward to <servers> port 80 mode roundrobin check tcp
> > }
> >
> > redirect smtp {
> >   listen on $ext_addr port 25
> >   #forward to <servers> port 25 mode loadbalance check tcp
> >   forward to <servers> port 25 mode roundrobin check tcp
> > }
> >
> > redirect pop {
> >   listen on $ext_addr port 110
> >   #forward to <servers> port 110 mode loadbalance check tcp
> >   forward to <servers> port 110 mode roundrobin check tcp
> > }
> >
> >
> >
> > then I issued below 2 commands on both nodes (fw1 and fw2 )
> >
> >
> > # pfctl -f /etc/pf.conf
> >
> >
> > # relayd
> >
> >
> > then, from a lan PC ( actually my fedora 12 desktop), I executed below 2
> > commands
> >
> >
> > telnet 192.168.0.100 80 and  telnet 192.168.0.100 25
> >
> >
> > *Both worked in round-robin manner, as I expected.*
> >
> >
> > then, I added these on both nodes ( fw1 and fw2 )
> >
> >
> > /etc/hostname.carp1
> >     inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
> >         pass lanpasswd
> >
> > /etc/hostname.pfsync0
> >     up syncdev em1
> >
> >
> >
> >
> > Then, I rebooted both hosts (first fw1 and then fw2 )
> >
> >
> > Then, I run telnet command again to carp1 ip address ( 192.168.0.100 ) in
> > following way,
> >
> >
> > telnet 192.168.0.100 80 and  telnet 192.168.0.100 25
> >
> >
> >
> > It does NOT work.
> >
> > Could you pls let me know why?
> >
> >
> >
> > since fw2 is the backup, I think its /etc/hostname.carp1 should be
> > different (with advskew 128), in the following way?
> >
> >
> >
> > /etc/hostname.carp1
> >     inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
> >         pass lanpasswd advskew 128
> >
> >
> > *relayctl show summary*   gives in this way on both nodes ( Pls note that
> > port *pop3 is NOT yet configured* )
> >
> >
> > # relayctl show
> > summary
> >
> > Id      Type            Name                            Avlblty Status
> > 1       redirect        www                                     active
> > 1       table           servers:80                              active (2
> > hosts)
> > 1       host            192.168.0.66                    100.00% up
> > 2       host            192.168.0.67                    100.00% up
> > 2       redirect        smtp                                    active
> > 2       table           servers:25                              active (2
> > hosts)
> > 3       host            192.168.0.66                    100.00% up
> > 4       host            192.168.0.67                    100.00% up
> > 3       redirect        pop                                     down
> > 3       table           servers:110                             empty
> > 5       host            192.168.0.66                    0.00%   down
> > 6       host            192.168.0.67                    0.00%   down
> >
> >
> >
> > Seeking your ideas to solve this? where have I gone wrong?
> >
> >
> > I referred to below 2 URLs
> >
> >
> > http://www.openbsd.org/faq/pf/carp.html#failover
> >
> > http://meinit.nl/openbsd-loadbalancing-and-failover-relayd-pf-and-carp
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Thank you
> > Indunil Jayasooriya
> >
> >
> 
> 


-- 
Greetings
Rafal Bisingier
