Date: Fri, 21 Jul 2006 10:34:09 +0200
From: "Axel S. Gruner" <asg@suedfactoring.com>
To: freebsd-pf@freebsd.org
Subject: Problem with CARP
Message-ID: <1153470849.716.23.camel@sn001.suedfac.com>
Hi,

we have two primary firewalls (named fw1 and fw2) which are connected to the WAN via one router. Behind these firewalls we have our application servers (app1 and app2), also running PF, and one of these application servers is also the GW for the internal clients. So, just fw1 and fw2 should work as a transparent firewall, running PF+CARP+PFSYNC.

GW for the internal clients is app2 (10.4.1.251), and the GW for app2 is .252/29 (the CARP interface on fw1 and fw2). app2 has an external address, .251/29, and is also connected to the internal net (10.4.1.251). So, no problem getting out, and no problem getting in from the internet. Rules are fine.

fw1 (two external addresses)
ext -> .242/29
int -> .249/29

fw2 (two external addresses)
ext -> .243/29
int -> .250/29

On both fw I have:
CARP0 -> .252/29
CARP1 -> .244/29

fw1 is the master (/etc/rc.conf):
-------------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"

fw2 is the slave (/etc/rc.conf):
---------------------------
cloned_interfaces="carp0 carp1"
network_interfaces="lo0 xl0 xl1 xl2 carp0 carp1 pfsync0 pflog0"
ifconfig_carp0="vhid 1 pass foo advskew 128 xxx.xxx.xxx.244 255.255.255.248"
ifconfig_carp1="vhid 2 pass bar advskew 128 xxx.xxx.xxx.252 255.255.255.248"
pfsync_enable="YES"
pfsync_syncdev="xl2"

On both fw1 and fw2, /etc/sysctl.conf:
--------------------------------------
net.inet.carp.preempt=1
net.inet.carp.allow=1
net.inet.carp.log=1

In both /etc/pf.conf I have:
----------------------------
pass out on $ext_if proto carp keep state
pass out on $int_if proto carp keep state
pass quick on { xl2 } proto pfsync
pass on { xl0 xl1 } proto carp keep state

where xl0 is the external interface, xl1 the internal one, and xl2 the crossover cable between both hosts fw1 and fw2.
OK, if I shut down carp0 on fw1:

ifconfig carp0 down

the output of ifconfig looks like this:

fw1:
---
carp0: flags=8<LOOPBACK> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0

fw2:
---
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 128
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 128

OK, fw2 is working as the master, but why only on carp0? I thought that with preempt all of the CARP interfaces should switch to state BACKUP on fw1 and switch to MASTER on fw2.

Before I shut down carp0, I pinged a host in the internet from the internal net, and I could not see any pause or break when I switched off carp0 on fw1. But my connection to the IRC dropped. ssh connections and ftp will drop as well.

So, after all that stuff, a simple question: What is the problem? What am I missing, or did I misunderstand something?

DISCLAIMER
The contents of this e-mail are confidential. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
SuedFactoring GmbH, Heilbronner Strasse 86, 70191 Stuttgart
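As an added check, not part of the original post: a small sh script that parses ifconfig(8) output and reports whether every CARP vhid on a host is in the same state. The situation the poster shows (carp0 INIT while carp1 is still MASTER on fw1, and the mirror image on fw2) is exactly what it flags. The sample ifconfig text is constructed from the output above; the function names are assumptions of this example, not anything from FreeBSD.

```shell
#!/bin/sh
# Added example (not from the original post): report whether all CARP vhids on
# one host are in the same state. A host with one vhid MASTER and another
# BACKUP/INIT forwards traffic asymmetrically between its two sides.
# The sample ifconfig text below is constructed from the poster's output.

# Print "<ifname> <STATE> <vhid>" for every carp interface in ifconfig(8)
# text read from stdin.
carp_state_lines() {
    awk '
        /^[a-z]+[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
        /carp: (INIT|BACKUP|MASTER) vhid/ {
            vhid = ""
            for (i = 1; i <= NF; i++) if ($i == "vhid") vhid = $(i + 1)
            print ifname, $2, vhid
        }'
}

# Read ifconfig text from stdin. Prints CONSISTENT and returns 0 when every
# vhid is in one state; prints MIXED with the states seen and returns 1 otherwise.
carp_check() {
    states=$(carp_state_lines | awk '{ print $2 }' | sort -u)
    n=$(printf '%s\n' "$states" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -le 1 ]; then
        echo "CONSISTENT: ${states:-no carp interfaces}"
        return 0
    fi
    echo "MIXED: $(printf '%s\n' "$states" | tr '\n' ' ')"
    return 1
}

# Constructed sample: fw1 after "ifconfig carp0 down", as in the post.
SAMPLE_FW1='carp0: flags=8<LOOPBACK> mtu 1500
        inet 212.202.224.244 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 212.202.224.252 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0'

# Constructed sample: a backup host whose vhids failed over together.
SAMPLE_OK='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        carp: BACKUP vhid 1 advbase 1 advskew 128
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 128'

if printf '%s\n' "$SAMPLE_FW1" | carp_check; then :; else
    echo "fw1: vhids are not failing over as a group"
fi
printf '%s\n' "$SAMPLE_OK" | carp_check
```

On a real host run `ifconfig -a | carp_check` on each firewall; a non-zero exit on either one means the two vhids have not failed over as a group, which is what the ifconfig output in the post shows for both fw1 and fw2.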
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1153470849.716.23.camel>