Good day all,
I have read all available documentation, but cannot seem to find the
solution to my problem. If anyone has any advice, or can point me
towards a good resource, it would be appreciated. I am sorry if the
answer is obvious and I have missed it.
Where I work we have a small network (class C) which has always been
subnetted by our Cisco 2621 router. While I am not able to replace the
Cisco router for non-technical reasons, I am able to install a pair of
OpenBSD 4.0 boxes to act as redundant firewalls. The setup of carp,
pfsync and pf was simple enough thanks to the excellent documentation,
however I am encountering routing errors with my current setup, and
would appreciate some help.
Here's a brief diagram of my network.
***************************
**        Internet       **
***************************
             |
             |
***************************
** ISP Router: 1.2.3.101 **
***************************
             |
             |
***************************
**    carp0: 1.2.3.102   **-------------------------------------------\
***************************                                           |
             |                                                        |
             |                                                        |
***************************               *************************** |
**          fw1          **    pfsync0    **          fw2          ** |
**  fxp0: 10.20.20.100   ** 10.10.10.0/24 **  fxp0: 10.20.20.200   ** |
**  fxp1: 5.6.7.251      **---------------**  fxp1: 5.6.7.252      ** |
**  xl0: 10.10.10.100    **               **  xl0: 10.10.10.200    ** |
***************************               *************************** |
             |                                                        |
             |                                                        |
***************************                                           |
**    carp1: 5.6.7.249   **-------------------------------------------/
***************************
             |
             |
*****************************
** Local Router (2621)     **
** External: 5.6.7.250     **
** Internal: 5.6.7.1/26    **
** Internal: 5.6.7.64/27   **
*****************************
Our ISP provides us with our own class C network, 5.6.7.0/24 for the
purpose of this explanation. Our ISP routes our class C to us down a
/30 - we'll call it 1.2.3.100/30.
Our Cisco 2621's external interface was previously set to 1.2.3.102,
and it was able to route our class C, which was subnetted into two
chunks - 5.6.7.0/26 and 5.6.7.64/27. I partitioned a new chunk of the
class C for the internal IPs of the firewalls, 5.6.7.248/29.
I set all of this up, created a pair of 3-port VLANs (one for each
carp interface) and powered it up. Everything seems to work, except
that I get routing errors - i.e. "no route to host". I can't even seem
to ping across the 10.10.10.0/24 network (which is just a simple
crossover cable between the firewalls).
Here is the output of all relevant configuration files. I am unsure
about what the contents of "mygate" should be. I'm also pretty sure I
need some "route add" statements, but I don't know what they should be
or where to put them.
Once again, if anyone can help it would be greatly appreciated. Thanks!
fw1: hostname.fxp0
**********************
inet 10.20.20.100 255.255.255.0 NONE
fw1: hostname.fxp1
**********************
inet 5.6.7.251 255.255.255.248 NONE
fw1: hostname.xl0
**********************
inet 10.10.10.100 255.255.255.0 NONE
fw1: hostname.pfsync0
**********************
up syncdev xl0
fw1: hostname.carp0
**********************
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass ******
fw1: hostname.carp1
**********************
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass ******
fw1: mygate
**********************
1.2.3.101
fw1: pf.conf
**********************
ExtIf = "fxp0"
IntIf = "fxp1"
SyncIf = "xl0"
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all
fw1: sysctl.conf
**********************
-- snip --
net.inet.ip.forwarding=1
-- snip --
fw1: rc.conf
**********************
-- snip --
pf=YES
pf_rules=/etc/pf.conf
-- snip --
fw2: hostname.fxp0
**********************
inet 10.20.20.200 255.255.255.0 NONE
fw2: hostname.fxp1
**********************
inet 5.6.7.252 255.255.255.248 NONE
fw2: hostname.xl0
**********************
inet 10.10.10.200 255.255.255.0 NONE
fw2: hostname.pfsync0
**********************
up syncdev xl0
fw2: hostname.carp0
**********************
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass ******
fw2: hostname.carp1
**********************
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass ******
fw2: mygate
**********************
1.2.3.101
fw2: pf.conf
**********************
ExtIf = "fxp0"
IntIf = "fxp1"
SyncIf = "xl0"
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all
fw2: sysctl.conf
**********************
-- snip --
net.inet.ip.forwarding=1
-- snip --
fw2: rc.conf
**********************
-- snip --
pf=YES
pf_rules=/etc/pf.conf
-- snip --
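A worked check of the addressing plan in the post, added here as an example and not part of the original message or of OpenBSD: it models fw1's connected subnets from the hostname.* files above, shows that with only mygate set a packet for a host in 5.6.7.0/26 falls through to the ISP default route, and derives the static routes towards the 2621 that cover the /26 and /27. The `!route add -net ...` lines for hostname.fxp1 are an assumption about hostname.if(5) syntax; the Python `ipaddress` module is standard library.

```python
import ipaddress

# Addressing as given in the post, from fw1's point of view (fw2 differs only
# in its per-box host addresses; the carp addresses are shared).
CONNECTED = {                       # interface -> address configured on it
    "fxp0":  "10.20.20.100/24",
    "carp0": "1.2.3.102/30",
    "fxp1":  "5.6.7.251/29",
    "carp1": "5.6.7.249/29",
    "xl0":   "10.10.10.100/24",
}
MYGATE = "1.2.3.101"                # contents of /etc/mygate
BEHIND_CISCO = ["5.6.7.0/26", "5.6.7.64/27"]   # the 2621's internal subnets
CISCO_EXT = "5.6.7.250"             # the 2621's interface facing carp1

def connected_nets(ifaces):
    return {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}

def next_hop(dest, ifaces, static, default_gw):
    """Longest-prefix lookup over connected subnets and static routes.
    Returns ('connected', ifname), ('via', gateway) or ('default', gateway)."""
    dest = ipaddress.ip_network(dest)
    best, answer = -1, ("default", default_gw)
    for name, net in connected_nets(ifaces).items():
        if dest.subnet_of(net) and net.prefixlen > best:
            best, answer = net.prefixlen, ("connected", name)
    for net, gw in static:
        net = ipaddress.ip_network(net)
        if dest.subnet_of(net) and net.prefixlen > best:
            best, answer = net.prefixlen, ("via", gw)
    return answer

def static_routes_for(behind, gw, ifaces):
    """(network, gateway) pairs the firewall must carry so that packets from
    the Internet for the subnets behind the router are handed to it instead
    of bouncing back to the ISP via the default route. The gateway must sit
    on a connected subnet, otherwise the kernel would reject the route."""
    gw_ip = ipaddress.ip_address(gw)
    if not any(gw_ip in net for net in connected_nets(ifaces).values()):
        raise ValueError(f"gateway {gw} is not on any connected subnet")
    return [(n, gw) for n in behind
            if next_hop(n, ifaces, [], None)[0] != "connected"]

def hostname_if_lines(routes):
    """Render routes as '!route add' lines for /etc/hostname.fxp1 (assumed
    hostname.if(5) syntax: lines starting with '!' are run as commands)."""
    return [f"!route add -net {n} {gw}" for n, gw in routes]

if __name__ == "__main__":
    routes = static_routes_for(BEHIND_CISCO, CISCO_EXT, CONNECTED)
    print("\n".join(hostname_if_lines(routes)))
```

The failing ping across 10.10.10.0/24 is not explained by this model: both xl0 addresses are on a directly connected subnet, so that symptom points at layer 2 (cabling or the VLAN assignment) rather than routing.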