Yo.
I have two boxes set up in active failover mode. Everything works
just fine except for locally proxied connections (ftp-proxy and Squid-
transparent).
[EMAIL PROTECTED]:[~]# uname -a
OpenBSD master.example.com 3.9 GENERIC.MP#598 i386
[EMAIL PROTECTED]:[~]# pkg_info | grep squid
squid-2.5.STABLE12p1-transparent WWW and FTP proxy cache and accelerator
carp0 = ext CARP group.
carp1 = int CARP group.
a.b.c.254 = Shared CARP IP addr (the proxy address).
em0 = ext system IP.
em1 = int system IP.
10.1.1.1 (master:bge0) and 10.1.1.2 (backup:fxp0) are the crossover
for pfsync.
Master:
[EMAIL PROTECTED]:[~]# cat /etc/hostname.carp0
inet x.x.x.254 255.255.128.0 x.x.127.255 vhid 1 carpdev em0 \
pass laqmer1
[EMAIL PROTECTED]:[~]# cat /etc/hostname.carp1
inet 192.168.1.254 255.255.255.0 192.168.1.255 vhid 2 carpdev em1 \
pass laqmer1
[EMAIL PROTECTED]:[~]# cat /etc/hostname.em0
inet x.x.x.1 255.255.128.0 NONE
[EMAIL PROTECTED]:[~]# cat /etc/hostname.em1
inet 192.168.1.1 255.255.255.0 NONE
[EMAIL PROTECTED]:[~]# cat /etc/hostname.bge0
inet 10.1.1.1 255.255.255.0 NONE
[EMAIL PROTECTED]:[~]# grep -v '^#' /etc/sysctl.conf
net.inet.carp.preempt=1 # 1=Enable CARP preempt and group failover.
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
Backup:
[EMAIL PROTECTED]:[~]# cat /etc/hostname.carp0
inet x.x.x.254 255.255.128.0 x.x.127.255 vhid 1 carpdev em0 \
pass laqmer1 advskew 128
[EMAIL PROTECTED]:[~]# cat /etc/hostname.carp1
inet 192.168.1.254 255.255.255.0 192.168.1.255 vhid 2 carpdev em1 \
pass laqmer1 advskew 128
[EMAIL PROTECTED]:[~]# cat /etc/hostname.em0
inet x.x.x.2 255.255.128.0 NONE
[EMAIL PROTECTED]:[~]# cat /etc/hostname.em1
inet 192.168.1.2 255.255.255.0 NONE
[EMAIL PROTECTED]:[~]# cat /etc/hostname.fxp0
inet 10.1.1.2 255.255.255.0 NONE
[EMAIL PROTECTED]:[~]# grep -v "^#" /etc/sysctl.conf
net.inet.carp.preempt=1 # 1=Allow CARP preempt and group failover.
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
pf rules ($pfsync_if = "fxp0" on backup):
#####
# macros
ext_if = "em0"
int_if = "em1"
pfsync_if = "bge0"
carp0 = "x.x.x.254"
tcp_services = "{ 22 }"
trusted_networks = "{ x.x.0.0/16 y.y.0.0/16 }"
icmp_types = "echoreq"
# options
set block-policy return
set loginterface $ext_if
scrub in no-df
# ftp-proxy redirection.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Squid proxy redirection.
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
nat on $ext_if from $int_if:network to any -> $carp0
# filter rules
block in log all
block out log all
block in quick inet6 all
block out quick inet6 all
pass quick on lo0 all
anchor "ftp-proxy/*"
antispoof for $ext_if
pass quick on { $pfsync_if } proto pfsync
pass on { $ext_if $int_if } proto carp keep state
# squid
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#####
If I move the nat $int_if -> $carp0 rule above the FTP rdrs, ftp-
proxy connections stop being able to connect (even though packets
leaving the wire are src addr'd with the system IP, not the CARP
addr), either via passive or active ftp. (The client can auth, but
listings get blocked.)
[EMAIL PROTECTED]:[~]# tcpdump -nnvvi pflog0 host ftp.cs.mun.ca
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
16:03:25.031262 134.153.48.2.44567 > x.x.x.1.113: [|tcp] (ttl 54, id 4404, len 60, bad cksum dab1! differs by 4000)
16:03:26.882443 192.168.1.100.58440 > 134.153.48.2.44568: [|tcp] (ttl 64, id 12019, len 60, bad cksum 9321! differs by 4000)
When I nat $int_if out $carp0 (and move it below the ftp rdrs),
failover works great for anything that isn't getting proxied locally
on the system (transparent Squid and ftp-proxy). SSH and scp lag for
a second or two and then come back and it's super awesome. ftp-proxy
connections stall out, and the Squid connections die.
I'm presuming this is because those connections are being routed
$ext_if as opposed to carp0, with the system IP as opposed to the
shared CARP IP.
After searching the pf@ and misc@ archives and googling around, the
only option I can seem to find is setting up CARP aliases for all
three interfaces so when failover happens, the backup will answer for
all IPs? (Some minor config changes to the above would be needed so
the backup could still be reached while the master controlled its
addr, or just fiddle with preempt, presumably.)
Is setting up a CARP group with the system IPs aliased a proper
solution or am I missing some obvious pf magic that will route
connections from Squid and ftp-proxy through the CARP IP?
--
Bryan Allen
[EMAIL PROTECTED]
http://bda.mirrorshades.net/
cyberpunk is dead. long live cyberpunk.
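An added example, written for this page and not taken from the post above or from any reply to it: the posted translation rules with comments on what they do to connections the firewall itself opens, plus one extra nat rule that sends those connections out under the shared CARP address. Macros and addresses are the poster's; the final nat rule and the pass rule for ftp-proxy's control connection are my additions. Two points a practitioner should keep in mind. First, pf evaluates nat and rdr rules first-match, so the ftp-proxy nat-anchor has to sit above any catch-all nat; a catch-all placed above it translates the client's data connection before ftp-proxy's per-session rule can, which matches the symptom in the post (auth works, listings die). Second, pfsync replicates pf state, not the proxies' TCP sockets: a Squid or ftp-proxy session in flight on the master terminates in a process that is gone after failover, so it cannot be picked up by the backup's proxies whatever source address it used. What the added rule buys is that everything the master sends leaves under x.x.x.254, so remote servers see one stable address and new proxied sessions after a failover look the same as before it.

```pf
# Added example fragment (not from the original post).  Macros as posted;
# the last nat rule and the ftp control-connection pass rule are additions.

ext_if    = "em0"
int_if    = "em1"
pfsync_if = "bge0"          # "fxp0" on the backup
carp0     = "x.x.x.254"     # shared external CARP address

# ---- translation: the first matching nat/rdr rule wins, so order matters ----

# ftp-proxy inserts a nat/rdr/pass set per data connection into these
# anchors.  They must come before any catch-all nat; otherwise the catch-all
# translates the client's data connection first and the per-session rule
# never matches (control connection and auth still work, listings hang).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# transparent Squid
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Posted rule: matches only packets whose source is on the internal network.
# Sockets Squid and ftp-proxy open themselves carry em0's system address
# (x.x.x.1 on the master, x.x.x.2 on the backup) as source, so this rule does
# not touch them and they leave the wire under the system address.
nat on $ext_if inet from $int_if:network to any -> $carp0

# Added rule: also translate TCP the firewall originates from em0's own
# address to the shared address.  "($ext_if)" is em0's current address,
# resolved at match time, so the line is identical on master and backup.
# Restricted to tcp so non-TCP traffic the host sends on em0 (CARP
# advertisements, IP protocol 112) is left alone.
nat on $ext_if inet proto tcp from ($ext_if) to any -> $carp0

# ---- filtering (excerpt; the posted default policy is block in/out) ----
anchor "ftp-proxy/*"
pass quick on $pfsync_if proto pfsync
pass on { $ext_if $int_if } proto carp keep state

# Squid: the redirected client side ...
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# ... and its outbound side, as posted.
pass out on $ext_if inet proto tcp from any to any port www keep state

# ftp-proxy's control connection to the server.  Translation happens before
# filtering on the way out, so the source seen here is already $carp0.  The
# posted excerpt has no explicit pass for it; with "block out log all" it
# needs one.
pass out on $ext_if inet proto tcp from $carp0 to any port ftp keep state
```

Two notes on the proxies themselves. Squid can be told to bind its outbound sockets to the shared address directly with `tcp_outgoing_address x.x.x.254` in squid.conf, in which case the added nat rule never sees its traffic. ftp-proxy builds its per-session pf rules from the address of its own control connection to the server, and a nat rule on the firewall does not change what the process sees, so the server would see the control connection from x.x.x.254 and the data connection natted to x.x.x.1; check ftp-proxy(8) on the release in use for an option that fixes the address it uses toward the server and in the rules it inserts (I have not verified the 3.9 man page), and point it at x.x.x.254 if one exists.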