Re: External CARP + SSL issues
Hello,

> Where is the web server? Is it internal or is it an external web server?

It was all external servers.

> What does telnet web_server 443 and openssl s_client -connect web_server:443 give you? Have you tried sniffing the traffic to see what goes wrong?

I can't test right now because the configuration was rolled back from the production environment.

> SSL should not be affected by the firewalls, as long as they work the way you believe they work. Do you run any ssl proxy or http proxy somewhere?

There is a transparent HTTP proxy on the OpenBSD servers but it doesn't, of course, handle SSL.

Regards,
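The two checks suggested above (a plain TCP connect and an openssl s_client handshake) are more telling when repeated, because with CARP ip-stealth balancing successive connections may be handled by different firewall nodes. The script below is an added example, not code from this thread or from OpenBSD: it repeats both checks against one host and classifies each s_client transcript. It assumes openssl(1) and nc(1) are installed; HOST, PORT and the sample transcripts are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): repeat a raw TCP connect and an
# openssl s_client handshake against the same host several times. A failure
# that shows up only on some attempts points at the balanced path, not at
# the web server. Assumes openssl(1) and nc(1) are available.

# Classify one captured openssl s_client transcript. Prints one of
# tcp-failed, handshake-failed or ok, so the parsing can be checked offline.
classify_tls_output() {
    out="$1"
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        # s_client prints CONNECTED(...) as soon as the TCP connect succeeds.
        echo "tcp-failed"
    elif printf '%s\n' "$out" | grep -Fq -e 'Cipher is (NONE)' -e 'SSL routines'; then
        # TCP worked but no cipher was negotiated, or the library raised an error.
        echo "handshake-failed"
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo "ok"
    else
        # CONNECTED but no session summary: usually a hang cut off by a timeout.
        echo "handshake-failed"
    fi
}

# Run the checks N times and print a per-attempt summary.
probe_tls_path() {
    host="$1"; port="${2:-443}"; tries="${3:-8}"
    i=1
    while [ "$i" -le "$tries" ]; do
        # Plain TCP connect first (stands in for "telnet host 443").
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then tcp="open"; else tcp="closed"; fi
        # Full TLS handshake; -servername matters for SNI-based virtual hosts.
        out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
        printf 'attempt %d: tcp=%s tls=%s\n' "$i" "$tcp" "$(classify_tls_output "$out")"
        i=$((i + 1))
    done
}

# Usage (constructed host name): probe_tls_path www.example.com 443 8
```

A run where every attempt reports tcp=open but the TLS result alternates between ok and handshake-failed is the signature of a node-dependent problem; running tcpdump on each firewall's external interface during the failing attempts then shows which node handled them and where the handshake stalls.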
External CARP + SSL issues
Hello everybody,

I'm reposting this message as I got no answer on this email in the past few weeks. Maybe someone has insights on what could be wrong.

I need help regarding the following situation. I have four OpenBSD firewalls configured to do load-balancing (in and out) using ip-stealth. I have two CARP interfaces (internal and external) on each firewall. See the configuration below.

Load-balancing works perfectly for non-SSL websites but I am unable to connect to secure websites (https). When forcing a connection to go directly through one of the four OpenBSD servers or when using only one server, it works nicely, so it's not a pf.conf issue.

Any insight on what could be wrong on the configuration would be greatly appreciated.

Here is my configuration:

Internal CARP interfaces:
FW1 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:0, 12:10, 13:25, 14:50
FW2 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:50, 12:0, 13:10, 14:25
FW3 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:25, 12:50, 13:0, 14:10
FW4 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:10, 12:25, 13:50, 14:0

External CARP interfaces:
FW1 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:0, 22:10, 23:25, 24:50
FW2 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:50, 22:0, 23:10, 24:25
FW3 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:25, 22:50, 23:0, 24:10
FW4 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:10, 22:25, 23:50, 24:0
External CARP + SSL issues
Hello everybody,

I need help regarding the following situation. I have four OpenBSD firewalls configured to do load-balancing (in and out) using ip-stealth. I have two CARP interfaces (internal and external) on each firewall. See the configuration below.

Load-balancing works perfectly for non-SSL websites but I am unable to connect to secure websites (https).

Any insight on what could be wrong on the configuration would be greatly appreciated.

Here is my configuration:

Internal CARP interfaces:
FW1 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:0, 12:10, 13:25, 14:50
FW2 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:50, 12:0, 13:10, 14:25
FW3 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:25, 12:50, 13:0, 14:10
FW4 carp0 inet 10.50.1.1 /16 balancing ip-stealth carpnodes 11:10, 12:25, 13:50, 14:0

External CARP interfaces:
FW1 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:0, 22:10, 23:25, 24:50
FW2 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:50, 22:0, 23:10, 24:25
FW3 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:25, 22:50, 23:0, 24:10
FW4 carp1 inet 205.50.60.1 /27 balancing ip-stealth carpnodes 21:10, 22:25, 23:50, 24:0
CARP + ip-stealth going through the same server
Hello,

I'm currently using 4 active-active OpenBSD 4.4 servers as a fully redundant firewall. CARP has been configured on the internal interfaces to expose the load-balanced IP address using ip-stealth on the four carpnodes. Each OpenBSD server has a different external IP address and I've recently received reports of problems with some streaming video or SSL-enabled websites.

For example, one user would visit a website to view a Flash or Silverlight video. The first 30 seconds of the video is an ad. Once the ad is completed, the real content is streamed. The problem comes from the fact that the user might go through server A initially but after the 30 secs is over, it'll fetch the rest (by reconnecting) through server B, which has of course a different external IP. That results (in this case) in the user seeing the ad over and over and never being able to stream the real video.

Similar issues exist with some webmails out there that check the source IP address for session information (so users keep having to log back in).

Is there any solution to this problem using ip-stealth? (I cannot use arp-based balancing)

Thanks,
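The mechanism described in this post, a per-flow balancing decision combined with a different external address on each node, can be checked with a small model. The script below is an added example, not code from the thread or from OpenBSD: it assumes that each node accepts a flow when a hash of the flow's (source, destination) addresses selects it (the real kernel's hash input differs, but any per-flow hash gives the same qualitative result), and the node names, external addresses and client addresses are constructed sample values.

```python
"""Added example (not from the thread): a simplified model of why per-node
external addresses break session affinity under CARP ip-stealth balancing.

Assumption (not from the page): a node handles a flow when a hash of the
flow's (source, destination) addresses, taken modulo the node count, selects
it. The OpenBSD kernel's hash input differs; the qualitative behaviour does not.
"""
import hashlib

# Constructed sample values: four nodes, each NATing to its own external address.
NODE_EXTERNAL_IP = {
    "FW1": "203.0.113.1",
    "FW2": "203.0.113.2",
    "FW3": "203.0.113.3",
    "FW4": "203.0.113.4",
}


def select_node(src_ip, dst_ip, ext_map):
    """Return the node that handles the flow src_ip -> dst_ip (assumed hash)."""
    nodes = sorted(ext_map)
    digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


def exit_ip(src_ip, dst_ip, ext_map):
    """External source address a remote site sees for this flow."""
    return ext_map[select_node(src_ip, dst_ip, ext_map)]


def session_exit_ips(client_ip, destinations, ext_map):
    """All external addresses one client session is seen from when it opens a
    flow to each destination in turn (for example an ad server, then the
    content server)."""
    return {exit_ip(client_ip, d, ext_map) for d in destinations}


def affinity_breaks(sessions, ext_map):
    """Given {client_ip: [destination_ip, ...]}, return the clients whose
    session is seen from more than one external address, i.e. the sessions a
    source-address-checking site would reject or restart."""
    broken = {}
    for client, dests in sessions.items():
        seen = session_exit_ips(client, dests, ext_map)
        if len(seen) > 1:
            broken[client] = seen
    return broken


if __name__ == "__main__":
    # Constructed: 200 internal clients each fetching an ad, then the content.
    clients = [f"10.50.{i // 250}.{i % 250 + 1}" for i in range(200)]
    sessions = {c: ["198.51.100.10", "198.51.100.20"] for c in clients}
    broken = affinity_breaks(sessions, NODE_EXTERNAL_IP)
    print(f"{len(broken)} of {len(sessions)} sessions change external address")
    # Same flows, but every node presenting one shared external address.
    shared = {n: "203.0.113.9" for n in NODE_EXTERNAL_IP}
    print(f"{len(affinity_breaks(sessions, shared))} sessions change with a shared address")
```

The model isolates the variable the post identifies: the balancing decision is stable for a single flow, so a session made of one flow never changes address, while a session that reconnects to a second destination lands on another node for roughly three quarters of clients with four nodes, and the remote site then sees a second source address. With every node mapped to the same external address the same flows produce no affinity break, which shows that the symptom comes from the per-node addresses rather than from ip-stealth distributing the flows.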