So any resolution on the apache redirection? When I go to the website,
I get the "Connection Interrupted" error. This only occurs when both
routers are on. Oddly enough, when I ssh into the virtual IP, ssh
traffic doesn't get jumbled up because of the ip balancing. I suspect
I may have to up the advskew values to allow for the length of the
polling rate to increase. Maybe apache traffic needs every part of a
page to come from the same source IP. Should I try changing the
advskew value on the routers? I can only get to the website when one
router is on, which really defeats the purpose of high availability
and redundancy.

Thanks,
Vivek

On Thu, Nov 13, 2008 at 6:39 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Confirmed. If I have both routers on, the http redirection on the CARP
> interface doesn't work. But when I only have one on, then the
> redirection works just fine. Is CARP getting confused with the
> packets?
>
> On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>> Yay! I got ssh and http to work on the CARP interface. Thanks.
>>
>> However, the httpd redirect is not working just yet on the CARP
>> interface for one of the computers. Does IP balancing mess up
>> redirect?
>>
>> When I only have one router up doing the redirect, the CARP interface
>> works, but when I have both routers on, the CARP interface defaults to
>> the one that doesn't apparently do redirection. I'm going to
>> troubleshoot and turn off the one that works and turn on the computer
>> that doesn't "redirect."
>>
>> Any other suggestions for troubleshooting this weird setup I have? Has
>> anyone ever done this before having CARP'd web servers behind CARP'd
>> routers?
>>
>> Here's my current pf.conf:
>>
>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>> #
>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # macros
>> ext_if = "re0" # External Interface (169.229.158.0/24)
>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>> localnet = $int_if:network
>> webserver = "192.168.1.50" # Redundant Sun Servers
>> nameserver = "192.168.1.101" # Dell L400 Celeron
>> webports = "{ http , https }"
>> domainport = "{ domain }"
>> tcp_services = "{ ssh }"
>> icmp_types = "echoreq"
>> carpdevs = "{ carp0 , carp1 }"
>> syncdev = "{ re1 }"
>> carp_mcast = "224.0.0.18"
>>
>> # extra tweaks
>> set skip on lo
>> set block-policy return
>> set loginterface $ext_if
>> scrub in all
>>
>> # nat
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $int_if proto tcp from $int_if to $localnet
>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>>
>> # rdr for http
>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>>
>> # rdr for domain (tcp)
>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>>
>> # rdr for domain (udp)
>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>>
>> # pass rules
>> block in # Default Deny
>> pass out keep state
>> antispoof quick for { lo }
>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>> pass in quick on $int_if
>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>   flags S/SA synproxy state
>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>   flags S/SA synproxy state
>>
>> # Basic CARP/pfsync pass rules
>> pass on $carpdevs proto carp keep state
>> pass quick on $ext_if proto carp \
>>   from $ext_if:network to $carp_mcast keep state
>> pass on $syncdev proto pfsync
>>
>> # Internet-Facing CARP rules
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>   port $webports flags S/SA synproxy state
>> pass in on $ext_if inet proto udp from any to (carp0) \
>>   port $domainport
>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>   port $domainport flags S/SA synproxy state
>>
>> # LAN-Facing CARP rules
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>   port $webports flags S/SA synproxy state
>> pass in on $int_if inet proto udp from $localnet to (carp1) \
>>   port $domainport
>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>   port $domainport flags S/SA synproxy state
>>
>> Thanks
>>
>> On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>> Oh ok. That kind of makes sense.
>>>
>>> Thanks
>>>
>>> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
>>>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>>>> I don't think I understand. Clarify. You mean carpdev is like your
>>>>> physical interface... eth0, re0, etc.?
>>>>
>>>> say you have a carp configured like:
>>>>
>>>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>>        lladdr 00:00:5e:00:01:04
>>>>        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>>>        groups: carp
>>>>        inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
>>>>
>>>> As you can see, carp0 is using em0 as its carpdev.
>>>> A pf rule to pass ssh to the carp address would be:
>>>>
>>>>  pass in on em0 inet proto tcp to (carp0) port 22
>>>>
>>>> and NOT:
>>>>
>>>>  pass in on carp0 inet proto tcp to (carp0) port 22
>>>>
>>>> HTH,
>>>>
>>>>   Marco
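Marco's rule of thumb (filter on the carpdev, not on the carpN interface) can be checked mechanically. The script below is an added example, not code from this thread: it parses ifconfig(8) output of the form Marco quotes to learn each carp interface's carpdev, then flags pf.conf pass/block rules whose "on" interface is a carp interface, resolving simple list macros such as a carpdevs definition. The ifconfig output and the pf.conf lines it scans are constructed samples.

```python
import re

# Constructed ifconfig(8) output in the format shown in the thread (carp1 is made up).
IFCONFIG_OUT = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
        groups: carp
        inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 5 advbase 1 advskew 0
"""
# Constructed pf.conf fragment: a macro-based rule plus the two literal rules
# Marco contrasts; only the "on em0" rule names the carpdev.
PF_CONF = """\
carpdevs = "{ carp0 , carp1 }"
pass on $carpdevs proto carp keep state
pass in on em0 inet proto tcp to (carp0) port 22
pass in on carp0 inet proto tcp to (carp0) port 22
"""

def carpdev_map(ifconfig_text):
    """Map each carp interface to its carpdev, e.g. {'carp0': 'em0'}."""
    devs, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        current = head.group(1) if head else current
        dev = re.search(r"\bcarpdev (\w+)", line)
        if dev and current:
            devs[current] = dev.group(1)
    return devs

def lint_pf(pf_text, devs):
    """Return (lineno, rule, carp_ifs) for pass/block rules whose 'on'
    interface is a carp interface (directly or via a macro), not a carpdev."""
    macros, findings = {}, []
    for n, line in enumerate(pf_text.splitlines(), 1):
        m = re.match(r'^\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m:  # remember macro definitions so "on $macro" can be resolved
            macros[m.group(1)] = re.findall(r"\w+", m.group(2))
            continue
        m = re.match(r"^\s*(?:pass|block)\b.*?\bon\s+(\$?\w+)", line)
        if not m:
            continue
        tok = m.group(1)
        ifaces = macros.get(tok[1:], []) if tok.startswith("$") else [tok]
        bad = [i for i in ifaces if i in devs]
        if bad:
            findings.append((n, line.strip(), bad))
    return findings
```

Calling lint_pf(PF_CONF, carpdev_map(IFCONFIG_OUT)) reports the macro rule (line 2) and the "on carp0" rule (line 4); each flagged interface maps to the carpdev the rule should name instead.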
