Hi,
I installed a dual homed firewall using carp with "balancing ip". It
works fine except the little problem that ssh (forwarded to an internal
machine) over the carp-dev causes problems. The ssh session asks for the
password, connects and allows me to send out one command (e.g. ls). I
receive an answer (or a part of the answer) and then the session
freezes. If I try the same stunt with the 'real' (no carp) IP addresses
of the firewall machines then it works without problems.
My guess is that the balancing process moves the ssh connection to the
other machine, which causes the ssh session to leave our world...
Is a solution known for this problem?
Thanks!
David
-------------------------
Computer A:
carp0 (em3) internal network, balancing ip carpnodes 1:0,2:100
carp1 (em0) external network, balancing ip carpnodes 3:0,4:100
Computer B:
carp0 (em3) internal network, balancing ip carpnodes 1:100,2:0
carp1 (em0) external network, balancing ip carpnodes 3:100,4:0
plus a pfsync connection over a third network card (em2).
[pf.conf ->]
# Loopback is never filtered.
set skip on lo
# Normalise all incoming packets.
scrub in
# Outbound NAT to the external interface address.
nat on { em0 } inet all -> { em0 }
# Redirect external tcp/11099 to ssh on the internal host.
rdr pass on { em0 } proto tcp from any to any port 11099 -> 10.10.10.250 port 22
# The next line makes no difference :
rdr pass on { carp1 } proto tcp from any to any port 11099 -> 10.10.10.250 port 22
# pfsync between the two firewalls over em2; these states are not synced themselves.
pass in quick on { em2 } proto pfsync keep state (no-sync)
pass out quick on { em2 } proto pfsync keep state (no-sync)
# CARP advertisements on the internal and external networks.
pass in quick on { em0 em3 } proto carp keep state
pass out quick on { em0 em3 } proto carp keep state
# tcp/999 is allowed in on both physical interfaces and out on all interfaces.
pass in quick on { em0 em3 } proto tcp from any to any port 999 keep state
pass out quick on { carp0 carp1 em0 em3 } proto tcp from any to any port 999 keep state
# Default deny; the non-quick pass rules below override it (last match wins).
block all
pass in on { carp0 em3 } keep state
pass out on { carp0 carp1 em0 em3 } keep state
antispoof for { em0 em3 }
[<-]
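Added example (not part of the original mail): when an ssh session through a CARP pair stalls after the first command, the first thing to check is whether the state created by the rdr exists in the pf state table of both nodes. The script below compares `pfctl -ss` output captured from both firewalls and lists the redirected connections that one node knows about but the other does not. The two state tables here are constructed sample text, the addresses (203.0.113.1, 198.51.100.7) are placeholders, and the `pfctl -ss` column layout ("dst (translated) <- src STATE") is an assumption about the output format; adjust the field index if your pf version prints differently.

```shell
#!/bin/sh
# Compare pf state tables from two CARP nodes for states that hit the
# ssh redirect (external tcp/11099 -> 10.10.10.250:22). A state present
# on only one node is one pfsync has not carried over.
#
# Constructed sample of `pfctl -ss` output; not real captures.
# In practice: ssh nodeA pfctl -ss > a.txt; ssh nodeB pfctl -ss > b.txt
NODE_A_STATES='all tcp 10.10.10.250:22 (203.0.113.1:11099) <- 198.51.100.7:50122       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:999 <- 198.51.100.7:50130       ESTABLISHED:ESTABLISHED
all udp 10.10.10.5:53 -> 192.0.2.53:53       MULTIPLE:SINGLE'
NODE_B_STATES='all tcp 203.0.113.1:999 <- 198.51.100.7:50130       ESTABLISHED:ESTABLISHED
all udp 10.10.10.5:53 -> 192.0.2.53:53       MULTIPLE:SINGLE'

# rdr_peers STATE_TEXT EXT_PORT
# Print the remote src:port of every state whose translated (original)
# destination carries the redirect port, one per line, sorted.
# Assumption: the translated address is the field in parentheses and the
# remote peer is the second-to-last field on the line.
rdr_peers() {
  printf '%s\n' "$1" | grep -F ":$2)" | awk '{ print $(NF-1) }' | sort
}

# missing_on_b STATES_A STATES_B EXT_PORT
# Print redirected peers that node A tracks but node B does not.
missing_on_b() {
  b=$(rdr_peers "$2" "$3")
  rdr_peers "$1" "$3" | awk -v b="$b" '
    BEGIN { n = split(b, arr, "\n"); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
    !($0 in seen)'
}

# Stand-alone run: report ssh redirect states that only node A has.
echo "rdr states on A missing on B:"
missing_on_b "$NODE_A_STATES" "$NODE_B_STATES" 11099
```

Run it in both directions (swap the two captures) while a stalled session is open; a peer that shows up in only one table means the second firewall will drop that connection's packets as soon as it receives them.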