On 11/9/06, Chad M Stewart <[EMAIL PROTECTED]> wrote:
Can you send the output of netstat -rn? Maybe that'll help myself
and others a little more.
-Chad
Of course - sorry I forgot to do this in the first place. Looking at
this output it's clear I need to add some routes - but I don't know
what to add or where to add it. Also, the networks my CARP interfaces
sit on don't seem to be visible (carp0 is on a different subnet than
the fxp0 interfaces (the carpdevs) on the firewalls).
It seems clear that I need some sort of a default route so that
information to the internet is passed out via carp0 on fxp0 on each
server from the 1.2.3.102 CARP IP to the ISP's gateway at 1.2.3.101. I
also need routes to carry information out on fxp1 on each server to
the shared internal carp1 interface (5.6.7.249), and then to my router
at 5.6.7.250, so that it can route the traffic out to 5.6.7.0/26 and
5.6.7.64/27. I know that the router is not required, but I need it for
non-technical reasons (read: managers.)
What should I have in the /etc/mygate file? Should I have anything?
What routes do I need to add, and what file do I add them to so that
they persist when the router restarts?
I've included the original email I sent to misc@ after the output of
'netstat -rn', so that the addresses make sense.
Thanks for your help - it is greatly appreciated!
fw1: netstat -rn
**********************
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
10.10.10/24 link#1 UC 0 0 - xl0
10.20.20/24 link#2 UC 0 0 - fxp0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 1 0 33224 lo0
5.6.7.248/29 link#3 UC 0 0 - fxp1
224/4 127.0.0.1 URS 0 0 33224 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 ::1 UGRS 0 0 - lo0
::/96 ::1 UGRS 0 0 - lo0
::1 ::1 UH 12 0 33224 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - lo0
::224.0.0.0/100 ::1 UGRS 0 0 - lo0
::255.0.0.0/104 ::1 UGRS 0 0 - lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - lo0
2002::/24 ::1 UGRS 0 0 - lo0
2002:7f00::/24 ::1 UGRS 0 0 - lo0
2002:e000::/20 ::1 UGRS 0 0 - lo0
2002:ff00::/24 ::1 UGRS 0 0 - lo0
fe80::/10 ::1 UGRS 0 0 - lo0
fe80::%xl0/64 link#1 UC 0 0 - xl0
fe80::201:2ff:feed:c128%xl0 00:01:02:ed:c1:28 UHL 0 0 - lo0
fe80::%fxp0/64 link#2 UC 0 0 - fxp0
fe80::202:55ff:fefa:a298%fxp0 00:02:55:fa:a2:98 UHL 0 0 - lo0
fe80::%fxp1/64 link#3 UC 0 0 - fxp1
fe80::202:55ff:fefa:a299%fxp1 00:02:55:fa:a2:99 UHL 0 0 - lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - lo0
fe80::1%lo0 link#7 UHL 0 0 - lo0
fec0::/10 ::1 UGRS 0 0 - lo0
ff01::/32 ::1 UC 0 0 - lo0
ff02::%xl0/32 link#1 UC 0 0 - xl0
ff02::%fxp0/32 link#2 UC 0 0 - fxp0
ff02::%fxp1/32 link#3 UC 0 0 - fxp1
ff02::%lo0/32 ::1 UC 0 0 - lo0
fw2: netstat -rn
**********************
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
10.10.10/24 link#1 UC 0 0 - xl0
10.20.20/24 link#2 UC 0 0 - fxp0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 1 0 33224 lo0
5.6.7.248/29 link#3 UC 0 0 - fxp1
224/4 127.0.0.1 URS 0 0 33224 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 ::1 UGRS 0 0 - lo0
::/96 ::1 UGRS 0 0 - lo0
::1 ::1 UH 12 0 33224 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - lo0
::224.0.0.0/100 ::1 UGRS 0 0 - lo0
::255.0.0.0/104 ::1 UGRS 0 0 - lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - lo0
2002::/24 ::1 UGRS 0 0 - lo0
2002:7f00::/24 ::1 UGRS 0 0 - lo0
2002:e000::/20 ::1 UGRS 0 0 - lo0
2002:ff00::/24 ::1 UGRS 0 0 - lo0
fe80::/10 ::1 UGRS 0 0 - lo0
fe80::%xl0/64 link#1 UC 0 0 - xl0
fe80::201:2ff:feed:bf8b%xl0 00:01:02:ed:bf:8b UHL 0 0 - lo0
fe80::%fxp0/64 link#2 UC 0 0 - fxp0
fe80::202:55ff:fefa:35fa%fxp0 00:02:55:fa:35:fa UHL 0 0 - lo0
fe80::%fxp1/64 link#3 UC 0 0 - fxp1
fe80::202:55ff:fefa:35fb%fxp1 00:02:55:fa:35:fb UHL 0 0 - lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - lo0
fe80::1%lo0 link#7 UHL 0 0 - lo0
fec0::/10 ::1 UGRS 0 0 - lo0
ff01::/32 ::1 UC 0 0 - lo0
ff02::%xl0/32 link#1 UC 0 0 - xl0
ff02::%fxp0/32 link#2 UC 0 0 - fxp0
ff02::%fxp1/32 link#3 UC 0 0 - fxp1
ff02::%lo0/32 ::1 UC 0 0 - lo0
Original Email
**********************
Good day all,
I have read all available documentation, but can not seem to find the
solution to my problem. If anyone has any advice, or can point me
towards a good resource, please do so. I am sorry if the answer is
obvious and I have missed it.
Where I work we have a small network (class C) which has always been
subnetted by our Cisco 2621 router. While I am not able to replace the
Cisco router for non-technical reasons, I am able to install a pair of
OpenBSD 4.0 boxes to act as redundant firewalls. The setup of carp,
pfsync and pf was simple enough thanks to the excellent documentation,
however I am encountering routing errors with my current setup, and
would appreciate some help.
Here's a brief diagram of my network.
***************************
** Internet **
***************************
|
|
***************************
** ISP Router: 1.2.3.101 **
***************************
|
|
***************************
** carp0: 1.2.3.102 **-----------------------\
*************************** |
| |
| |
*************************** ***************************
** fw1 ** pfsync0 ** fw2 **
** fxp0: 10.20.20.100 ** 10.10.10.0/24 ** fxp0: 10.20.20.200 **
** fxp1: 5.6.7.251 **------------------** fxp1: 5.6.7.252 **
** xl0: 10.10.10.100 ** ** xl0: 10.10.10.200 **
*************************** ***************************
| |
| |
*************************** |
** carp1: 5.6.7.249 **-----------------------/
***************************
|
|
*****************************
** Local Router (2621) **
** External: 5.6.7.250 **
** Internal: 5.6.7.1/26 **
** Internal: 5.6.7.64/27 **
*****************************
Our ISP provides us with our own class C network, 5.6.7.0/24 for the
purpose of this explanation. Our ISP routes our class C to us down a
/30 - we'll call it 1.2.3.100/30.
Our Cisco 2621's external interface was previously set to 1.2.3.102,
and it was able to route our class C, which was subnetted into two
chunks - 5.6.7.0/26 and 5.6.7.64/27. I partitioned a new chunk of the
class C for the internal IPs of the firewalls, 5.6.7.248/29.
I set all of this up, created a pair of 3 port vlans (one for each
carp interface) and powered it up. Everything seems to work, except
that I get routing errors - i.e., no route to host. I can't even seem to
ping across the 10.10.10.0/24 network (which is just a simple
crossover cable between the firewalls).
Here is the output of all relevant configuration files. Once again, if
anyone can help it would be greatly appreciated. Thanks!
fw1: hostname.fxp0
**********************
inet 10.20.20.100 255.255.255.0 NONE
fw1: hostname.fxp1
**********************
inet 5.6.7.251 255.255.255.248 NONE
fw1: hostname.xl0
**********************
inet 10.10.10.100 255.255.255.0 NONE
fw1: hostname.pfsync0
**********************
up syncdev xl0
fw1: hostname.carp0
**********************
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass ******
fw1: hostname.carp1
**********************
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass ******
fw1: mygate
**********************
1.2.3.101
fw1: pf.conf
**********************
ExtIf = "fxp0"
IntIf = "fxp1"
SyncIf = "xl0"
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all
fw1: sysctl.conf
**********************
-- snip --
net.inet.ip.forwarding=1
-- snip --
fw1: rc.conf
**********************
-- snip --
pf=YES
pf_rules=/etc/pf.conf
-- snip --
fw2: hostname.fxp0
**********************
inet 10.20.20.200 255.255.255.0 NONE
fw2: hostname.fxp1
**********************
inet 5.6.7.252 255.255.255.248 NONE
fw2: hostname.xl0
**********************
inet 10.10.10.200 255.255.255.0 NONE
fw2: hostname.pfsync0
**********************
up syncdev xl0
fw2: hostname.carp0
**********************
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass ******
fw2: hostname.carp1
**********************
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass ******
fw2: mygate
**********************
1.2.3.101
fw2: pf.conf
**********************
ExtIf = "fxp0"
IntIf = "fxp1"
SyncIf = "xl0"
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all
fw2: sysctl.conf
**********************
-- snip --
net.inet.ip.forwarding=1
-- snip --
fw2: rc.conf
**********************
-- snip --
pf=YES
pf_rules=/etc/pf.conf
-- snip --
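Added example, not part of the thread above and not the poster's or OpenBSD's own code: a small POSIX sh check that takes a saved `netstat -rn` listing and reports which expected destinations are absent. The sample table is constructed from fw1's IPv4 output as posted; the expected list (a default route plus the prefixes the two CARP addresses sit on) is an assumption about what this setup should show, and the only fact it relies on is that the kernel will not accept a gateway that no connected route covers.

```shell
#!/bin/sh
# Added example (not from the thread): check a saved `netstat -rn` listing
# for the routes a CARP firewall pair needs before trusting it with traffic.
# On a live OpenBSD host you would feed it the output of `netstat -rn -f inet`.

# Constructed sample: fw1's IPv4 routing table exactly as posted.
SAMPLE_RT='Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
10.10.10/24 link#1 UC 0 0 - xl0
10.20.20/24 link#2 UC 0 0 - fxp0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 1 0 33224 lo0
5.6.7.248/29 link#3 UC 0 0 - fxp1
224/4 127.0.0.1 URS 0 0 33224 lo0'

# has_route TABLE DEST: succeed if some line's Destination column equals DEST.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# route_iface TABLE DEST: print the Interface column for DEST (empty if absent).
route_iface() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $NF; exit }'
}

# missing_routes TABLE DEST...: print each expected destination that is
# absent, one per line; exit status is the number missing (0 = all present).
missing_routes() {
    table=$1
    shift
    n=0
    for dest in "$@"; do
        if ! has_route "$table" "$dest"; then
            echo "$dest"
            n=$((n + 1))
        fi
    done
    return $n
}

# Assumed expectations for the setup in the thread (not from the page):
# a default route, plus the on-link prefixes of carp0 (1.2.3.100/30) and
# carp1 (5.6.7.248/29). `route add default 1.2.3.101` fails with
# "Network is unreachable" unless some connected route covers the gateway,
# so the prefix check is the one to look at first.
EXPECTED='default 1.2.3.100/30 5.6.7.248/29'

# Stand-alone run: report what fw1's table lacks.
missing=$(missing_routes "$SAMPLE_RT" $EXPECTED)
if [ -n "$missing" ]; then
    echo "fw1 is missing routes for: $(echo "$missing" | tr '\n' ' ')"
else
    echo "fw1 has every expected route"
fi
```

Run against the posted table it reports `default` and `1.2.3.100/30` as missing while `5.6.7.248/29` is present via fxp1, which is the same thing the poster sees by eye; the point of putting it in a function is that the same check can be run on both firewalls after a change so the two tables are compared against one expected list rather than against each other.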