On Wednesday, April 1, 2009 5:41:30 PM UTC+11, Sheldon Jones wrote:
> Hi all,
>
> I'm having trouble with carpnodes and NATing outgoing traffic to the external
> carp interface. I'm trying to get traffic leaving my LAN thru the firewall to
> have the external carp1 address xxx.yyy.60.21 instead of the $ext_if 60.18 or
> 60.19 depending on which firewall carp picked. This way if I start a long
> lived connection like an scp thru the carp firewalls I can fail the connection
> over. Both firewalls are PC Engines WRAP with 3 NICs running 4.4obsd.
>
> From my laptop, which is behind the firewalls on 10.10.10.8 with a gateway of
> 10.10.10.1 (carp0), if I nslookup google.com it hangs for a second before
> returning the result. Running 'tcpdump -i pflog0 -n -e' on each firewall I get
> a blocked packet at the start of every nslookup.
>
> rule 0/(match) block in on vr0: xxx.yyy.48.7.53 > xxx.yyy.60.21.60157:[|domain]
>
> If I change the pf.conf and put $ext_if instead of $carp_if everything works
> fine but traffic is leaving on my $ext_if instead of the $carp_if and long
> lived connections won't fail over when one of the firewalls goes down.
>
> How can I change my setup to have load balancing and have my external IP be
> my carp1 address? Any help would be greatly appreciated.
>
> Thanks in advance,
> Sheldon
>
>          router
>            |
>     +-----carp1----+
>     |              |
>    FW1 - pfsync - FW2
>     |              |
>     +-----carp0----+
>            |
>          laptop
>
> ##########################
> # Firewall 1's net setup #
> ##########################
> hostname fw1
>
> sysctl net.inet.carp.preempt=1
> sysctl net.inet.ip.forwarding=1
>
> ifconfig pflog0 create up
> ifconfig lo0 127.0.0.1 netmask 255.0.0.0
> ifconfig vr0 xxx.yyy.60.18 netmask 255.255.255.240
> ifconfig vr1 10.10.10.2 netmask 255.255.255.0
> ifconfig vr2 172.16.0.2 netmask 255.255.255.0
>
> route add default xxx.yyy.60.17
>
> ifconfig carp0 10.10.10.1 carpnodes 1:0,2:100 balancing ip-stealth
> ifconfig carp1 xxx.yyy.60.21 carpnodes 3:0,4:100 balancing ip-stealth
>
> pfctl -e -f /etc/pf.conf
> ifconfig pfsync0 syncdev vr2 up
>
> ##########################
> # Firewall 2's net setup #
> ##########################
> hostname fw2
>
> sysctl net.inet.carp.preempt=1
> sysctl net.inet.ip.forwarding=1
>
> ifconfig pflog0 create up
> ifconfig lo0 127.0.0.1 netmask 255.0.0.0
> ifconfig vr0 xxx.yyy.60.19 netmask 255.255.255.240
> ifconfig vr1 10.10.10.3 netmask 255.255.255.0
> ifconfig vr2 172.16.0.3 netmask 255.255.255.0
>
> route add default xxx.yyy.60.17
>
> ifconfig carp0 10.10.10.1 carpnodes 1:100,2:0 balancing ip-stealth
> ifconfig carp1 xxx.yyy.60.21 carpnodes 3:100,4:0 balancing ip-stealth
>
> pfctl -e -f /etc/pf.conf
> ifconfig pfsync0 syncdev vr2 up
>
> #################
> # pf.conf rules #
> #################
> ext_if = vr0 # External WAN interface
> int_if = vr1 # Internal LAN interface
> pfs_if = vr2 # Pfsync interface
> carp_if = carp1 # External CARP interface
>
> set block-policy drop
> set loginterface $ext_if
> set skip on lo
>
> scrub in
>
> # NAT outgoing connections
> nat on $ext_if inet from !$ext_if to any -> $carp_if
>
> block log all # Default deny
> block in quick from urpf-failed # Spoofed address protection
>
> pass quick on $pfs_if proto pfsync keep state (no-sync) # Enable pfsync
> pass on { $int_if, $ext_if } proto carp keep state (no-sync) # Enable CARP
>
> # SSH
> pass in on $ext_if inet proto tcp to $ext_if port 2022 flags S/SA keep state
>
> # ICMP
> pass in inet proto icmp all
> pass out inet proto icmp all
>
> # DNS
> pass in on $int_if inet proto { tcp, udp } from $int_if:network to any port 53
> pass out on $ext_if inet proto { tcp, udp } from $carp_if to any port 53
Hi Sheldon,

Did you ever find a solution to this issue? I just got stuck on this myself. Most examples I see for this configuration seem to NAT to the $ext_if, but then in a fail-over the conversations would have a router-specific IP in them, so therefore I can't see the use in using pfsync to sync states that will not match anyway?

Cheers
Andrew Barnes
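The pflog line Sheldon quotes is the one piece of hard evidence in this thread: a reply addressed to the carp1 address is hitting the default deny on vr0, which means no pf state matched it. The following Python snippet is an added example from the editor, not code from either poster: it parses 'tcpdump -i pflog0 -n -e' output and picks out blocked inbound packets on the physical interface whose destination is the CARP address, so you can confirm that it is specifically the NAT'd return traffic that is being lost. The sample lines and the RFC 5737 addresses standing in for the masked xxx.yyy ones are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of 'tcpdump -i pflog0 -n -e' output (not from the thread).
# Line 1 mirrors the blocked DNS reply Sheldon saw; the others are invented
# for contrast. 198.51.100.21 plays the carp1 address, 198.51.100.18 the vr0 address.
SAMPLE_PFLOG = """\
rule 0/(match) block in on vr0: 192.0.2.7.53 > 198.51.100.21.60157:[|domain]
rule 7/(match) pass out on vr0: 198.51.100.21.60157 > 192.0.2.7.53:[|domain]
rule 0/(match) block in on vr0: 192.0.2.9.44321 > 198.51.100.18.2022: S 1:1(0) win 65535
"""

# One pflog record as tcpdump prints it: rule number, reason, action, direction,
# interface, then "src.sport > dst.dport". search() ignores any leading timestamp.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)"
)


def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one pflog line, or None if it is not a pflog record."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None


def unmatched_replies_to_carp(lines: List[str], carp_addr: str,
                              phys_if: str) -> List[Dict[str, str]]:
    """Blocked inbound packets on the physical interface addressed to the CARP address.

    With 'nat ... -> $carp_if' every reply to LAN traffic comes back to carp_addr.
    A packet that matches a state never reaches the ruleset, so a 'block in' for
    such a reply means no state matched and it fell through to the default deny.
    The source port is kept so the caller can see which service the lost reply
    belonged to (53 in the thread).
    """
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if (rec["action"] == "block" and rec["dir"] == "in"
                and rec["ifname"] == phys_if and rec["dst"] == carp_addr):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unmatched_replies_to_carp(SAMPLE_PFLOG.splitlines(), "198.51.100.21", "vr0"):
        print(f"rule {rec['rule']}: reply from {rec['src']}:{rec['sport']} "
              f"to {rec['dst']}:{rec['dport']} had no matching state")
```

Feed it the pflog output from both firewalls: if the hits appear only on the node that did not originate the query, the states are not being shared as expected.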