Hello!

I have used carp ip-stealth balancing with only pass and block rules, with
two OpenBSD 4.5 firewalls and an https server, quite successfully, like this:


           to ISP router (the firewalls' default gw)

                  |--carp0--|    carp0: 192.168.1.170
                 _|_       _|_
           FW1  |   |     |   |  FW2
                |___|     |___|
                  |--carp1--|   carp1: 10.0.1.193
                  |         |
      ----|-------|---------|------|---
          |                        |
         _|_                      _|_
        |   | 10.0.1.200:443     |   | 10.0.1.199:80
        |___| https server       |___| http server

Carp interfaces are created with definitions like this (on the other
firewall 1:100,2:0 -> 1:0,2:100):

inet 192.168.1.170 255.255.255.248 192.168.1.175 carpnodes \
  1:100,2:0 balancing ip-stealth pass xxx carpdev em0
inet 10.0.1.193 255.255.255.240 10.0.1.207 carpnodes \
  3:100,4:0 balancing ip-stealth pass yyy carpdev em1

And the problem arrives when I add a second server (http) and try to use
rdr rules rewriting the IP address; the essential rules are:

rdr on $ext_if inet proto tcp to 10.0.1.199 port 8080 tag TO_HTTP \
  -> 10.0.1.199 port 80
rdr on $ext_if inet proto tcp to 10.0.1.200 port 80 tag TO_HTTP \
  -> 10.0.1.199 port 80

pass in quick on $ext_if inet tagged TO_HTTP
pass in quick on $ext_if inet proto tcp to 10.0.1.200 port 443 \
  tag TO_HTTP
pass out quick on $int_if inet tagged TO_HTTP

So the problem is I can't figure out why the first rdr works and the second
rdr does not.

I tested my setup and came up with the following observations:

1. When I switch traffic to one or the other firewall, the second rdr
starts working too (I use ifconfig -g carp carpdemote 50, and to change
balancing back ... -carpdemote 50).

2. In the non-working case, logging on passes with 'log (all)', I can see
that the syn packet enters and leaves through one firewall and the server's
reply tries to leave by entering the other firewall and gets blocked there
(in itself quite rightfully). I also checked that this syn-ack appears on
both firewalls but somehow the right one silently dropped it and the
wrong one blocked it.

3. I checked the switches' MAC address tables and they don't have the
virtual MAC address, as they should not in stealth mode.

Most perplexing is that more-or-less the very same setup has been
working for me on several occasions. One difference is that the networking
stuff, i.e. the switches, is different, but they should be quite vanilla
Cisco stuff, and since the syn-ack gets onto both firewalls' interfaces but
only the wrong one accepts it, I don't suspect the switches in the first place.

I would appreciate your help very much in solving this situation. I guess
it is hard to tell how to fix it, but maybe you could point me towards
checking or turning my attention to something which helps me further.


Best regards,

Imre

PS Actual IP addresses are different but I maintained the subnet sizes and
numbers used in the subnets. Hardware is HP DL360, em0 cards.
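Observation 2 above describes a SYN passed on one firewall while the server's SYN-ACK turns up on the other and is blocked there. The script below is an added example, not part of the original post: it picks such split connections out of pflog text (as printed by tcpdump on pflog0) collected from both firewalls. The firewall names, rule numbers and log lines are constructed, and the sample assumes the logged destination of the SYN is the real server address (10.0.1.199) after rdr, so that both firewalls log the same endpoints.

```python
import re
# tcpdump's pflog text, one TCP packet per line (assumption); accepts OpenBSD's older
# "S." flag spelling as well as the newer "Flags [S.]" one.
PFLOG_RE = re.compile(
    r"rule \d+/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<f1>[^\]]+)\]|(?P<f2>S\.|S|[RPF.]+))")

def parse_pflog_line(line):
    """Return action/dir/ifname/src/sport/dst/dport/flags of one line, or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    f1, f2 = d.pop("f1"), d.pop("f2")
    d["flags"] = f1 or f2
    return d

def find_asymmetric_flows(logs):
    """logs maps firewall name -> its pflog lines.  Reports each TCP connection whose
    SYN was passed on one firewall while the server's SYN-ACK entered the other."""
    flows = {}  # (client, cport, server, sport) -> {"syn": fw, "synack": (fw, action)}
    for fw, lines in logs.items():
        for line in lines:
            p = parse_pflog_line(line)
            if p is None or p["dir"] != "in":  # count each packet once, where it enters
                continue
            if p["flags"] == "S":              # client -> server
                flows.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), {})["syn"] = fw
            elif p["flags"] == "S.":           # server -> client: swap ends to reuse the key
                key = (p["dst"], p["dport"], p["src"], p["sport"])
                flows.setdefault(key, {})["synack"] = (fw, p["action"])
    split = []
    for (client, cport, server, sport), ev in sorted(flows.items()):
        if "syn" in ev and "synack" in ev and ev["syn"] != ev["synack"][0]:
            split.append({"client": f"{client}:{cport}", "server": f"{server}:{sport}",
                          "syn_fw": ev["syn"], "synack_fw": ev["synack"][0],
                          "synack_action": ev["synack"][1]})
    return split

# Constructed sample (observation 2): SYN passed on FW1, its SYN-ACK enters FW2 and is
# blocked there; a second connection stays entirely on FW1 and is not reported.
SAMPLE_LOGS = {
    "FW1": [
        "rule 3/(match) pass in on em0: 192.168.1.50.40001 > 10.0.1.199.80: S 1:1(0) win 65535",
        "rule 3/(match) pass in on em0: 192.168.1.51.40002 > 10.0.1.199.80: S 7:7(0) win 65535",
        "rule 3/(match) pass in on em1: 10.0.1.199.80 > 192.168.1.51.40002: S. 9:9(0) ack 8 win 16384",
    ],
    "FW2": ["rule 0/(match) block in on em1: 10.0.1.199.80 > 192.168.1.50.40001: S. 3:3(0) ack 2 win 16384"],
}
```

find_asymmetric_flows(SAMPLE_LOGS) returns a single record, the connection from 192.168.1.50 whose SYN went through FW1 and whose SYN-ACK was blocked on FW2.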
