Fred,
Each IP address you have is assigned to a carp virtual interface. If you
have 10 IPs then you could have 10 carp interfaces. Let's say we have an
external IP 33.33.33.33 assigned to carp1 ...
cat /etc/hostname.carp1
inet 33.33.33.33 255.255.255.0 33.33.33.255 vhid 1 advskew 1 carpdev em0 pass long_pass_1
If you execute "ifconfig" you should see ...
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 1
        groups: carp
        inet6 fe80::333:3eff:fe33:101%carp1 prefixlen 64 scopeid 0x7
        inet 33.33.33.33 netmask 0xffffff00 broadcast 33.33.33.255
You can use the device name "carp1" as the variable in your pf rules. You
could then pass traffic destined for carp1 to an internal machine.
CARP Firewall Failover for OpenBSD
http://calomel.org/pf_carp.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Apr 04, 2008 at 08:54:45AM -0500, Fred Newtz wrote:
>Well that wasn't the problem. Although I am sure at some point it would have
>been a problem. Let me ask you this question though.
>
>$carp1. Is that defined somewhere as a variable or is that a predefined
>variable that just works? I have multiple external ips and
>internal ips. So I would need to pass specific carp interfaces to specific
>internal addresses.
>
>
>Thanks,
>
>Fred
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Newtz
>Sent: Thursday, April 03, 2008 5:08 PM
>To: 'Calomel'
>Cc: [email protected]
>Subject: RE: CARP failover problem
>
>Calomel,
>
> Wow. Lots of stuff to look at!
>
>1. state information is being transferred between machines.
>2. AHHHH!!!! Thanks! I was just going through step three when I noticed
>something that I never thought to look at. For some
>reason I had bound all of the ips to one of my carp interfaces on the second
>box. I have no idea why I did that....... Who knows.
>Following so many different how-tos out there gets me in trouble.
>
>Let me try this and see if it works!
>
>
>Thanks,
>
>Fred
>
>-----Original Message-----
>From: Calomel [mailto:[EMAIL PROTECTED]
>Sent: Thursday, April 03, 2008 1:56 PM
>To: Fred Newtz
>Cc: [email protected]
>Subject: Re: CARP failover problem
>
>Fred,
>
>If you use "pftop" on both machines do you see the states from the MASTER
>firewall being transferred to the BACKUP?
>
>Are you binding all of your ip addresses to your physical interfaces?
>
>What do your carp hostname files contain?
> cat /etc/hostname.carp0
> cat /etc/hostname.carp1
> cat /etc/hostname.carp2
> ....etc...
>
>If you are binding the ips to your physical interfaces then when the BACKUP
>firewall takes over the MAC address is different. This
>_might_ be the reason.
>
>Do you have a pass rule like so specifying a carp interface?
> pass in on $ext_if inet proto tcp from any to $carp1 port $web
>
>Take a look at the area on this page called "Writing Pf rules with carp
>devices" for more information.
>
> CARP Firewall Failover for OpenBSD
> http://calomel.org/pf_carp.html
>
>These are just some guesses. Hope this helps.
>
>--
> Calomel @ http://calomel.org
> Open Source Research and Reference
>
>
>On Thu, Apr 03, 2008 at 11:09:39AM -0500, Fred Newtz wrote:
>>Calomel,
>>
>> Thanks for the response. Here is my sysctl.conf file showing the four
>> entries that are enabled on each machine:
>>
>>net.inet.ip.forwarding=1 # 1=Enable IP Forwarding
>>net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
>>net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
>>net.inet.carp.log=1 # 1=Enable logging of carp(4) packets
>>
>> I have just double checked and both machines are setup with the same
>> four entries.
>>
>> The interfaces fail over properly. The problem is on the second
>>machine the traffic gets blocked. Maybe it is just a problem with the
>>second machine, but I have gone over all of the settings that I can
>>think of and where necessary (the second machine has different
>>brands of network cards) all of the settings are the same.
>>
>> Here is the pf.conf on the machine that does work:
>>
>>ext_if="vr0"
>>int_if="xl0"
>>nat_p="{tcp, udp, icmp}"
>>carp_dev="{vr0,xl0}"
>>sync_if="rl0"
>>
>>NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>web="{80,443}"
>>
>>rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
>>nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.220
>>
>>block in quick on $ext_if from $NoRouteIPs to any
>>block out quick on $ext_if from any to $NoRouteIPs
>>pass out on $carp_dev proto carp keep state
>>pass in on $ext_if proto tcp to ($ext_if) port ssh
>>pass on $sync_if proto pfsync
>>
>>
>>
>>
>>Here is the pf.conf on the machine that does not work:
>>
>>ext_if="vr0"
>>int_if="xl0"
>>nat_p="{tcp, udp, icmp}"
>>sync_if="rl1"
>>carp_dev="{vr0,rl1}"
>>
>>NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>web="{80,443}"
>>
>>rdr on $ext_if proto tcp from any to 64.244.168.194 port 80 -> 192.168.1.190 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.195 port 80 -> 192.168.1.191 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.196 port 80 -> 192.168.1.192 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.197 port 80 -> 192.168.1.193 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.198 port 80 -> 192.168.1.194 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 80 -> 192.168.1.195 port 80
>>rdr on $ext_if proto tcp from any to 64.244.168.194 port 443 -> 192.168.1.190 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.195 port 443 -> 192.168.1.191 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.196 port 443 -> 192.168.1.192 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.197 port 443 -> 192.168.1.193 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.198 port 443 -> 192.168.1.194 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 443 -> 192.168.1.195 port 443
>>rdr on $ext_if proto tcp from any to 64.244.168.199 port 22 -> 192.168.1.190 port 22
>>nat on $ext_if proto $nat_p from 192.168.1.0/24 to any -> 64.244.168.221
>>
>>block in quick on $ext_if from $NoRouteIPs to any
>>block out quick on $ext_if from any to $NoRouteIPs
>>pass out on $carp_dev proto carp keep state
>>pass in on $ext_if proto tcp to ($ext_if) port ssh
>>pass on $sync_if proto pfsync
>>
>>
>>pfctl -nf /etc/pf.conf comes back with no errors on both machines.
>>
>>Here is my rc.conf.local file on both machines as well:
>>
>>pf=YES
>>pf_rules="/etc/pf.conf"
>>pflog_enable=YES
>>pflog_logfile="/var/log/pflog"
>>
>>
>>
>>If there is anything else I am missing please let me know!
>>
>>
>>Thanks!
>>
>>Fred
>>
>>
>>
>>
>>-----Original Message-----
>>From: Calomel [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, April 03, 2008 10:43 AM
>>To: Fred Newtz
>>Cc: [email protected]
>>Subject: Re: CARP failover problem
>>
>>Fred,
>>
>>Did you also enable net.inet.carp.preempt?
>>
>>net.inet.carp.preempt equaling one (1) allows hosts within a redundancy
>>group that have a better advbase and advskew to preempt the master. In
>>addition, this option also enables failing over all interfaces in the
>>event that one interface goes down. If one physical CARP-enabled
>>interface goes down, CARP will change advskew to 240 on all other
>>CARP-enabled interfaces, in essence, failing itself over.
>>
>> CARP Firewall Failover for OpenBSD
>> http://calomel.org/pf_carp.html
>>
>>--
>> Calomel @ http://calomel.org
>> Open Source Research and Reference
>>
>>
>>On Wed, Apr 02, 2008 at 12:06:34PM -0500, Fred Newtz wrote:
>>>I have two machines configured with OpenBSD carp, pf and pfsync. The state
>>>table is syncing properly. I have one webserver behind
>>>the two firewall machines. For some reason my master machine (which is
>>>working) will freeze up. The interfaces all fail over properly but no
>>>traffic will pass through the backup machine. I am pretty new at this
>>>so please tell me if I can provide any configuration information to
>>>help determine what is going on here. I can pass traffic
>>>between the fw2 (backup firewall) and my webserver just fine.
>>>
>>>I have 6 carp interfaces set up. One of them is my gateway interface
>>>for the webserver to get back out of the network. During testing I am
>>>only ifconfig carp2 down for one of my interfaces. Do I need to fail
>>>the gateway carp interface as well for this to work properly?
>>>
>>>Thanks,
>>>
>>>Fred