I suspect I'm getting this connection reset error because:

IN--->ROUTER---->S--->WEB SERVER1
T--->ROUTER---->W--->WEB SERVER2

SW is switch here.

If one router is on, it has carp0 and carp1 on either side and it can
send the request to the servers which may be load-balanced which is
fine. But when I turn on the other router, which also has carp0 and
carp1 on either side, it would normally cause a problem if it were a
slave, but because it takes turns with the other routers on being
master on both carp0 AND carp1, that switch to master is synchronized.
So I get the situation:

REQUEST---->(carp0:on here) ROUTER(carp1:was on here, but turned
off)----S------WEB SERVER
-------------------->(carp0:off here) ROUTER(carp1:turned on here
instead)----------W-----WEB SERVER

That's why I suspect I get the connection reset error in firefox when
requesting a webpage from inside. In other words the polling rates on
carp0 and carp1 of the routers are not in sync even though I set them
up symmetrically.

Any suggestions as to how to go about tackling this? I don't want to
completely make a router the slave, but I can partially make it less
preferred. Do I make the advskew values asymmetric, and what would be
the preferred values?

I can't figure out why ssh doesn't give me connection reset errors
when I enter from the outside. Maybe ssh has some way of keeping alive
the path that's about to close due to ip balancing.

Thanks,
Vivek

On Mon, Nov 17, 2008 at 8:22 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> So any resolution on the apache redirection? When I go to the website,
> I get the "Connection Interrupted" error. This only occurs when both
> routers are on. Oddly enough, when I ssh into the virtual IP, ssh
> traffic doesn't get jumbled up because of the ip balancing. I suspect
> I may have to up the advskew values to allow for the length of the
> polling rate to increase. Maybe apache traffic needs every part of a
> page to come from the same source IP. Should I try changing the
> advskew value on the routers? I can only get to the website, when one
> router is on, which really defeats the purpose of high availability
> and redundancy.
>
> Thanks,
> Vivek
>
> On Thu, Nov 13, 2008 at 6:39 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>> Confirmed. If I have both routers on, the http redirection on the CARP
>> interface doesn't work. But when I only have one on, then the
>> redirection works just fine. Is CARP getting confused with the
>> packets?
>>
>> On Thu, Nov 13, 2008 at 5:51 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>> Yay! I got ssh and http to work on the CARP interface. Thanks.
>>>
>>> However, the httpd redirect is not working just yet on the CARP
>>> interface for one of the computers. Does IP balancing mess up
>>> redirect?
>>>
>>> When I only have one router up doing the redirect, the CARP interface
>>> works, but when I have both routers on, the CARP interface defaults to
>>> the one that doesn't apparently do redirection. I'm going to
>>> troubleshoot and turn off the one that works and turn on the computer
>>> that doesn't "redirect."
>>>
>>> Any other suggestions for troubleshooting this weird setup I have? Has
>>> anyone ever done this before having CARP'd web servers behind CARP'd
>>> routers?
>>>
>>> Here's my current pf.conf:
>>>
>>> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> # macros
>>> ext_if = "re0" # External Interface (169.229.158.0/24)
>>> int_if = "xl0" # Internal Interface (192.168.1.0/24)
>>> localnet = $int_if:network
>>> webserver = "192.168.1.50" # Redundant Sun Servers
>>> nameserver = "192.168.1.101" # Dell L400 Celeron
>>> webports = "{ http , https }"
>>> domainport = "{ domain }"
>>> tcp_services = "{ ssh }"
>>> icmp_types = "echoreq"
>>> carpdevs = "{ carp0 , carp1 }"
>>> syncdev = "{ re1 }"
>>> carp_mcast = "224.0.0.18"
>>>
>>> # extra tweaks
>>> set skip on lo
>>> set block-policy return
>>> set loginterface $ext_if
>>> scrub in all
>>>
>>> # nat
>>> nat on $ext_if from $localnet to any -> ($ext_if)
>>> no nat on $int_if proto tcp from $int_if to $localnet
>>> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>>>
>>> # rdr for http
>>> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
>>> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>>>
>>> # rdr for domain (tcp)
>>> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
>>> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>>>
>>> # rdr for domain (udp)
>>> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
>>> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
>>> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>>>
>>> # pass rules
>>> block in # Default Deny
>>> pass out keep state
>>> antispoof quick for { lo }
>>> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
>>> pass in quick on $int_if
>>> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>>>   flags S/SA synproxy state
>>> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
>>> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>>>   flags S/SA synproxy state
>>>
>>> # Basic CARP/pfsync pass rules
>>> pass on $carpdevs proto carp keep state
>>> pass quick on $ext_if proto carp \
>>>   from $ext_if:network to $carp_mcast keep state
>>> pass on $syncdev proto pfsync
>>>
>>> # Internet-Facing CARP rules
>>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
>>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>>   port $webports flags S/SA synproxy state
>>> pass in on $ext_if inet proto udp from any to (carp0) \
>>>   port $domainport
>>> pass in on $ext_if inet proto tcp from any to (carp0) \
>>>   port $domainport flags S/SA synproxy state
>>>
>>> # LAN-Facing CARP rules
>>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>>   port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
>>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>>   port $webports flags S/SA synproxy state
>>> pass in on $int_if inet proto udp from $localnet to (carp1) \
>>>   port $domainport
>>> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>>>   port $domainport flags S/SA synproxy state
>>>
>>> Thanks
>>>
>>> On Thu, Nov 13, 2008 at 12:27 PM, Vivek Ayer <[EMAIL PROTECTED]> wrote:
>>>> Oh ok. That kind of makes sense.
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Nov 13, 2008 at 2:11 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
>>>>> On Wed, Nov 12, 2008 at 11:40:36AM -0800, Vivek Ayer wrote:
>>>>>> I don't think I understand. Clarify. You mean carpdev is like your
>>>>>> physical interface..eth0, re0, etc.?
>>>>>
>>>>> say you have a carp configured like:
>>>>>
>>>>> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>>>        lladdr 00:00:5e:00:01:04
>>>>>        carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
>>>>>        groups: carp
>>>>>        inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
>>>>>
>>>>> As you can see, carp0 is using em0 as its carpdev.
>>>>> A pf rule to pass ssh to the carp address would be:
>>>>>
>>>>>  pass in on em0 inet proto tcp to (carp0) port 22
>>>>>
>>>>> and NOT:
>>>>>
>>>>>  pass in on carp0 inet proto tcp to (carp0) port 22
>>>>>
>>>>> HTH,
>>>>>
>>>>>   Marco
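
The split-mastership situation Vivek describes (carp0 master on one router, carp1 master on the other) can be reasoned about with a small model of CARP election. The following is an added example, not code from the thread or from OpenBSD: it is a simplified simulation of the rules in carp(4) (the host advertising most often, i.e. with the smallest advbase + advskew/256, wins; a backup only takes over a live master when preemption is enabled and it advertises more often than the master; a preempting host whose other carp interface is down advertises its remaining vhids with a demotion skew). The two-router topology, the vhid numbers, the value 240 for the demotion skew and the link-flap sequence are all constructed assumptions. The point it makes from the defender's side: with symmetric advskew and no preemption, a single link flap leaves the two vhids on different routers, so the stateful firewall on each box sees only half of a conversation; preemption keeps both vhids on one host, and asymmetric advskew additionally makes the primary deterministic.

```python
"""Simplified CARP master-election model for two routers carrying two vhids.

Constructed example: router A and router B each have carp0 (vhid 1, external
side) and carp1 (vhid 2, LAN side). Not the original poster's configuration.
"""
from dataclasses import dataclass

# Assumption: skew applied to a preempting host's remaining vhids while one of
# its carp interfaces is down (older OpenBSD used 240 for this).
DEMOTION_SKEW = 240
VHIDS = (1, 2)  # vhid 1 = carp0 (external side), vhid 2 = carp1 (LAN side)


@dataclass
class CarpIf:
    advbase: int = 1
    advskew: int = 0
    up: bool = True


@dataclass
class Router:
    name: str
    preempt: bool            # net.inet.carp.preempt on this host
    ifaces: dict             # vhid -> CarpIf

    def interval(self, vhid):
        """Advertisement interval in seconds; smaller wins the election."""
        skew = self.ifaces[vhid].advskew
        if self.preempt and any(not i.up for i in self.ifaces.values()):
            skew = max(skew, DEMOTION_SKEW)   # demote the whole host
        return self.ifaces[vhid].advbase + skew / 256.0


def elect(routers, vhid, current):
    """Return the master's name for one vhid given the current master (or None)."""
    alive = [r for r in routers if r.ifaces[vhid].up]
    if not alive:
        return None
    # Fastest advertiser; ties broken by name so the result is deterministic.
    best = min(alive, key=lambda r: (r.interval(vhid), r.name))
    cur = next((r for r in alive if r.name == current), None)
    if cur is None:
        return best.name                       # no live master: fastest wins
    if best.preempt and best.interval(vhid) < cur.interval(vhid):
        return best.name                       # preemption takes the role
    return cur.name                            # live master keeps the role


def step(routers, current):
    """Elect every vhid independently, as real CARP does."""
    return {v: elect(routers, v, current.get(v)) for v in VHIDS}


def is_split(masters):
    """True when the vhids of one traffic path sit on different hosts."""
    return len({m for m in masters.values() if m is not None}) > 1


def run_flap_scenario(preempt, skew_b):
    """Boot A, join B, drop and restore A's LAN-side carp1; record masters."""
    a = Router("A", preempt, {1: CarpIf(advskew=0), 2: CarpIf(advskew=0)})
    b = Router("B", preempt, {1: CarpIf(advskew=skew_b), 2: CarpIf(advskew=skew_b)})
    history = []
    masters = step([a], {})                       # A boots alone
    history.append(("A alone", dict(masters)))
    masters = step([a, b], masters)               # B joins the segment
    history.append(("B joins", dict(masters)))
    a.ifaces[2].up = False                        # A loses link on carp1
    masters = step([a, b], masters)
    history.append(("A carp1 down", dict(masters)))
    a.ifaces[2].up = True                         # link comes back
    masters = step([a, b], masters)
    history.append(("A carp1 up", dict(masters)))
    return history


if __name__ == "__main__":
    for label, preempt, skew_b in (("symmetric, no preempt", False, 0),
                                   ("symmetric, preempt", True, 0),
                                   ("asymmetric, preempt", True, 100)):
        print(f"== {label} ==")
        for event, masters in run_flap_scenario(preempt, skew_b):
            flag = "SPLIT" if is_split(masters) else "ok"
            print(f"{event:14s} carp0={masters[1]} carp1={masters[2]} {flag}")
```

Running the three scenarios shows the failure mode and the two fixes side by side: without preemption the flap leaves carp0 on A and carp1 on B and the split persists after the link returns; with preemption and equal advskew both vhids move to B together and stay there; with preemption and a higher advskew on B both vhids move together and return to A once its link is restored. The firewall-state point is what matters for availability: only a host that is master on both sides of a flow holds the full state for it.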
