Date:      Fri, 21 Jul 2006 10:34:09 +0200
From:      "Axel S. Gruner" <asg@suedfactoring.com>
To:        freebsd-pf@freebsd.org
Subject:   Problem with CARP
Message-ID:  <1153470849.716.23.camel@sn001.suedfac.com>

Hi,

we have two primary firewalls (named fw1 and fw2) which are connected to
the WAN via one router. Behind these firewalls, we have our
application servers (app1 and app2), also running PF, and one of these
application servers is also the GW for the internal clients.

So, just fw1 and fw2 should work as a transparent firewall, running
PF+CARP+PFSYNC.

GW for the internal clients is app2 (10.4.1.251), and the GW for app2
is .252/29 (the CARP interface on fw1 and fw2). app2 has an external
address, .251/29, and is also connected to the internal net (10.4.1.251).

So, no problem getting out, and no problem getting in from the internet.
Rules are fine.

fw1 (two external addresses)
ext -> .242/29
int -> .249/29

fw2 (two external addresses)
ext -> .243/29
int -> .250/29

On both fw I have:
CARP0 -> .252/29
CARP1 -> .244/29

fw1 is the Master (/etc/rc.conf):
-------------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"

fw2 the slave (/etc/rc.conf):
---------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo advskew 128 xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar advskew 128 xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"


On both, fw1 and fw2 /etc/sysctl.conf:
--------------------------------------
net.inet.carp.preempt=1
net.inet.carp.allow=1
net.inet.carp.log=1

In both /etc/pf.conf I have:
----------------------------
pass out on $ext_if proto carp keep state
pass out on $int_if proto carp keep state
pass quick on { xl2 } proto pfsync
pass on { xl0 xl1 } proto carp keep state

where xl0 is the external interface, xl1 the internal, and xl2 crossover
cable between both hosts fw1 and fw2.


Ok, if I shut down CARP0 on fw1:
ifconfig carp0 down
the output of ifconfig looks like this:

fw1:
---
carp0: flags=8<LOOPBACK> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00 
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00 
        carp: MASTER vhid 2 advbase 1 advskew 0

fw2:
---
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00 
        carp: MASTER vhid 1 advbase 1 advskew 128
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00 
        carp: BACKUP vhid 2 advbase 1 advskew 128

Ok, fw2 is working as the master, but why only on carp0? I thought with
preempt all of the CARP interfaces should switch to state BACKUP on fw1
and switch to MASTER on fw2.

So, before I shut down CARP0, I pinged a host on the internet from the
internal net. I cannot see any pause or break if I switch off CARP0
on fw1. But my connection to the IRC dropped. Also ssh connections and ftp
will drop. So, after all that stuff a simple question: What is the
problem? What am I missing, or did I misunderstand something?
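A check for the split state shown above, added here as an example and not part of the original post: it parses the per-interface `carp:` lines of ifconfig (the output quoted in the message is embedded as constructed sample input) and flags a host whose vhids are in different states, and any vhid that has zero or more than one MASTER across the cluster.

```python
import re

# ifconfig output of both hosts as quoted in the message (constructed sample input)
FW1 = """\
carp0: flags=8<LOOPBACK> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
"""
FW2 = """\
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 128
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 128
"""
# matches the "carp: STATE vhid N advbase N advskew N" line ifconfig prints per carp interface
CARP_LINE = re.compile(r"^\s*carp:\s+(\w+)\s+vhid\s+(\d+)\s+advbase\s+\d+\s+advskew\s+(\d+)")

def parse_carp(ifconfig_output):
    """Return {vhid: (state, advskew)} parsed from one host's ifconfig output."""
    states = {}
    for line in ifconfig_output.splitlines():
        m = CARP_LINE.match(line)
        if m:
            state, vhid, advskew = m.groups()
            states[int(vhid)] = (state, int(advskew))
    return states

def check_cluster(hosts):
    """hosts: {hostname: ifconfig_output}. Return a list of finding strings."""
    findings = []
    vhids = {}  # vhid -> [(host, state), ...]
    for host, output in hosts.items():
        states = parse_carp(output)
        # every vhid on a host should be in one state; fw1 INIT/MASTER sends a flow's two directions via different hosts
        seen = {s for s, _ in states.values()}
        if len(seen) > 1:
            findings.append(f"{host}: split CARP state {sorted(seen)}")
        for vhid, (state, _) in states.items():
            vhids.setdefault(vhid, []).append((host, state))
    # across the cluster each vhid must have exactly one MASTER
    for vhid, members in sorted(vhids.items()):
        masters = [h for h, s in members if s == "MASTER"]
        if len(masters) != 1:
            findings.append(f"vhid {vhid}: {len(masters)} MASTER(s) in {members}")
    return findings
```

Run it against `ifconfig` output collected from both hosts after a failover test; an empty result means the pair failed over as a group.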
