Calomel,
Thanks for the response. Here is my sysctl.conf file showing the four
entries that are enabled on each machine:
net.inet.ip.forwarding=1 # 1=Enable IP Forwarding
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
net.inet.carp.log=1 # 1=Enable logging of carp(4) packets
I have just double checked and both machines are set up with the same
four entries.
The interfaces fail over properly. The problem is on the second
machine the traffic gets blocked. Maybe it is just a
problem with the second machine, but I have gone over all of the settings that
I can think of and where necessary (the second
machine has different brands of network cards) all of the settings are the
same.
Here is the pf.conf on the machine that does work:
ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
carp_dev="{vr0,xl0}"
sync_if="rl0"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"
rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.220
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
pass out on $carp_dev proto carp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass on $sync_if proto pfsync
Here is the pf.conf on the machine that does not work:
ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
sync_if="rl1"
carp_dev="{vr0,rl1}"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"
rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.221
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
pass out on $carp_dev proto carp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass on $sync_if proto pfsync
pfctl -nf /etc/pf.conf comes back with no errors on both machines.
Here is my rc.conf.local file on both machines as well:
pf=YES
pf_rules="/etc/pf.conf"
pflog_enable=YES
pflog_logfile="/var/log/pflog"
If there is anything else I am missing please let me know!
Thanks!
Fred
-----Original Message-----
From: Calomel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 10:43 AM
To: Fred Newtz
Cc: [email protected]
Subject: Re: CARP failover problem
Fred,
Did you also enable net.inet.carp.preempt?
net.inet.carp.preempt equaling one(1) allows hosts within a redundancy group
that have a better advbase and advskew to preempt the
master. In addition, this option also enables failing over all interfaces in
the event that one interface goes down. If one physical
CARP-enabled interface goes down, CARP will change advskew to 240 on all other
CARP-enabled interfaces, in essence, failing itself
over.
CARP Firewall Failover for OpenBSD
http://calomel.org/pf_carp.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Apr 02, 2008 at 12:06:34PM -0500, Fred Newtz wrote:
>I have two machines configured with OpenBSD carp pf and pfsync. The state
>table is syncing properly. I have one webserver behind
>the two firewall machines. For some reason my master machine (which is
>working) will freeze up. The interfaces all fail over properly but no
>traffic will pass through the backup machine. I am pretty new at this
>so please tell me if I can provide any configuration information to help
>determine what is going on here. I can pass traffic
>between the fw2 (backup firewall) and my webserver just fine.
>
>I have 6 carp interfaces setup. One of them is my gateway interface
>for the webserver to get back out of the network. During testing I am
>only ifconfig carp2 down for one of my interfaces. Do I need to fail the
>gateway carp interface as well for this to work properly?
>
>Thanks,
>
>Fred
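The two pf.conf files posted above are meant to be identical apart from the NAT address, yet their macros are not: the working firewall has carp_dev="{vr0,xl0}" (external plus internal interface) and sync_if="rl0", while the non-working one has carp_dev="{vr0,rl1}" and sync_if="rl1", so its internal interface xl0 is not in carp_dev and the pfsync interface is. Whether that explains the blocked traffic is not settled in the thread, but it is exactly the kind of drift a side-by-side check should catch. The script below is an added example, not part of the thread or of Calomel's guide: it extracts the macro assignments from two pf.conf files, reports the ones that differ, and checks that the interface named by int_if is listed in carp_dev (the only interfaces the "pass out on $carp_dev proto carp" rule covers). The two configs it reads are constructed, trimmed copies of the posted ones; the function names and the temp-file layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the macro definitions of two
# pf.conf files and check that the interface named by int_if is listed in
# carp_dev.  The two configs below are constructed, trimmed copies of the
# ones posted for the working (fw1) and non-working (fw2) firewall.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FW1="$WORK/fw1.pf.conf"   # working firewall
FW2="$WORK/fw2.pf.conf"   # non-working firewall

cat > "$FW1" <<'EOF'
ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
carp_dev="{vr0,xl0}"
sync_if="rl0"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"
rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.220
pass out on $carp_dev proto carp keep state
pass on $sync_if proto pfsync
EOF

cat > "$FW2" <<'EOF'
ext_if="vr0"
int_if="xl0"
nat_p="{tcp, udp, icmp}"
sync_if="rl1"
carp_dev="{vr0,rl1}"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web="{80,443}"
rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.221
pass out on $carp_dev proto carp keep state
pass on $sync_if proto pfsync
EOF

# Print every macro assignment (name="value") in a pf.conf as name=value,
# one per line, with whitespace removed so "{ a, b }" and "{a,b}" compare equal.
pf_macros() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1=\2/p' "$1" |
        tr -d ' \t' | sort
}

# Value of one macro ($2) in config $1; empty output if it is not defined.
pf_macro_value() {
    pf_macros "$1" | sed -n "s/^$2=//p"
}

# Macros whose value differs between two configs, or that exist on one side only.
# Output: "name: <value in $1> | <value in $2>", one per line, sorted by name.
pf_macro_diff() {
    { pf_macros "$1" | sed 's/^/1 /'; pf_macros "$2" | sed 's/^/2 /'; } |
    awk '{
            side = $1; n = $2; sub(/=.*/, "", n)
            val = $2; sub(/^[^=]*=/, "", val)
            v[side, n] = val; seen[n] = 1
         }
         END {
            for (n in seen) {
                a = ((1, n) in v) ? v[1, n] : "(unset)"
                b = ((2, n) in v) ? v[2, n] : "(unset)"
                if (a != b) printf "%s: %s | %s\n", n, a, b
            }
         }' | sort
}

# The rule "pass out on $carp_dev proto carp" only covers interfaces listed
# in carp_dev.  Return 0 if the interface named by int_if is among them.
carp_dev_covers_int_if() {
    int=$(pf_macro_value "$1" int_if)
    [ -n "$int" ] || return 1
    for dev in $(pf_macro_value "$1" carp_dev | tr -d '{}' | tr ',' ' '); do
        [ "$dev" = "$int" ] && return 0
    done
    return 1
}

echo "macros that differ (fw1 | fw2):"
pf_macro_diff "$FW1" "$FW2"
for f in "$FW1" "$FW2"; do
    if carp_dev_covers_int_if "$f"; then
        echo "$f: int_if is in carp_dev"
    else
        echo "$f: int_if is NOT in carp_dev"
    fi
done
```

Run it on the real files by pointing FW1 and FW2 at copies pulled from both firewalls; it compares macros only, so rule-level differences such as the NAT address still need a plain diff of the two files.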