Sorry for this bad web mailer formatting. I didn't want that.

On 12.10.2016 2:08 PM, Robert Paschedag <robert.pasche...@web.de> wrote:
>
> Hi all, basically, I have exactly this problem already described
> here (https://groups.google.com/forum/#!topic/bit.listserv.openbsd-pf/yZn4EUjxwfY).
> But because there is no answer since 2009, I'll give it a try. The setup of
> the 2 servers is also the same as in the other thread; the only exception is
> that my boxes are behind a "master" firewall which I do not manage. I have
> 2 OpenBSD 6.0 servers that should just act as a load balancer for SFTP
> connections. We use DSR mode because huge files get downloaded from the
> SFTP servers and don't want the "load" to pass completely through the
> OpenBSD load balancers. Everything is working as long as I don't do a
> failover to the backup system. In this situation, I see that the "new"
> carp master "resets" the connection of the client. Immediately opening a
> new SFTP session then works as expected through the "new" carp master.
>
> This is my /etc/pf.conf (identical on both). Still testing..
>
> # cat /etc/pf.conf
> carp_if = "vmx0"
> sync_if = "vmx1"
> # already allow pfsync and carp protocols
> pass quick on $sync_if proto pfsync keep state (no-sync)
> pass on $carp_if proto carp keep state (no-sync)
> # allow relayd to communicate with pf and set rules
> anchor "relayd/*"
>
> And this is the relayd.conf
>
> log updates
> prefork 5
> fx_vip = "VIP"
> table <fxhosts> {
>     "host1"
>     "host2"
> }
> redirect FX-SFTP {
>     listen on $fx_vip port 22 interface vmx0
>     route to <fxhosts> check tcp interface vmx0
>     sticky-address
> }
>
> This is the "ruleset" (identical on both) after reloading pf
>
> # pfctl -a '*' -s rules
> pass quick on vmx1 proto pfsync all keep state (no-sync)
> pass on vmx0 proto carp all keep state (no-sync)
> anchor "relayd/*" all {
>   anchor "FX-SFTP" all {
>     pass in quick on vmx0 on rdomain 0 inet proto tcp from any to VIP port = 22 flags any keep state (sloppy, tcp.established 600) route-to <FX-SFTP>@vmx0 round-robin sticky-address
>   }
> }
>
> When the first connection is made, I see the state on the backup carp
> machine. But with slightly different content.
>
> This is on "master":
>
> all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
>    [0 + 1]  [946261580 + 2]
>    age 00:00:35, expires in 00:09:37, 16:0 pkts, 913:0 bytes, anchor 2, rule 2, sloppy
>    id: 57fbd5520000a2b4 creatorid: d4cdd00a
>
> "expires" is 10 minutes (tcp.established 600) and I see the anchor and rule which
> generated the state.
>
> This is on "backup":
>
> all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
>    [0 + 1]  [946261580 + 2]
>    age 00:00:32, expires in 23:59:41, 0:0 pkts, 0:0 bytes, sloppy
>    id: 57fbd5520000a2b4 creatorid: d4cdd00a
>
> expires is 1 day (?) and "backup" did not yet see any packets. Now, how can I get this to work, so
> the sessions won't be terminated in case of a failover. Every help will be
> appreciated.
>
> Kind regards,
> Robert
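A check I would run before trusting a CARP failover, added here as an example that is not from the thread or from OpenBSD's own tools: it parses `pfctl -vvss` output captured on master and backup, pairs states by id/creatorid, and reports states that are missing on one side or whose backup copy carries a longer expiry than the master's, which is exactly the divergence the two states above show. The sample output is constructed from those two states (VIP and CLIENT are placeholders).

```python
import re
# Constructed sample in the shape of `pfctl -vvss` output, mirroring the two
# states quoted in the thread (VIP/CLIENT are placeholders, not real hosts).
MASTER_STATES = """\
all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
   [0 + 1]  [946261580 + 2]
   age 00:00:35, expires in 00:09:37, 16:0 pkts, 913:0 bytes, anchor 2, rule 2, sloppy
   id: 57fbd5520000a2b4 creatorid: d4cdd00a
"""
BACKUP_STATES = """\
all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
   [0 + 1]  [946261580 + 2]
   age 00:00:32, expires in 23:59:41, 0:0 pkts, 0:0 bytes, sloppy
   id: 57fbd5520000a2b4 creatorid: d4cdd00a
"""

def hms_to_seconds(hms: str) -> int:
    """Convert pfctl's HH:MM:SS expiry into seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_states(text: str) -> dict:
    """Group pfctl -vvss lines into records keyed by 'id/creatorid'."""
    records = []
    for line in text.splitlines():
        if " <- " in line or " -> " in line:
            # A flow line opens a record; the indented lines after it belong to it.
            records.append({"flow": " ".join(line.split()[:5])})
        elif records:
            rec = records[-1]
            if m := re.search(r"expires in (\d+:\d+:\d+)", line):
                rec["expires"] = hms_to_seconds(m.group(1))
            if m := re.search(r"id: (\w+) creatorid: (\w+)", line):
                rec["key"] = f"{m.group(1)}/{m.group(2)}"
    return {r["key"]: r for r in records if "key" in r}

def compare_states(master_text: str, backup_text: str) -> list:
    """Report pfsync'd states whose backup copy diverges from the master's."""
    master, backup = parse_states(master_text), parse_states(backup_text)
    findings = []
    for key, m in master.items():
        b = backup.get(key)
        if b is None:
            findings.append(f"{key}: missing on backup")
        elif b["expires"] > m["expires"]:
            findings.append(f"{key}: expires in {b['expires']}s on backup vs {m['expires']}s on master")
    for key in backup.keys() - master.keys():
        findings.append(f"{key}: present only on backup")
    return findings
```

Feed it the real output of `pfctl -vvss` from both boxes (for example over ssh) to see every synced state whose lifetime on the backup differs from the master's.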
