
Re: Pfsync not working



I am having the same problem.  My topology looks exactly the same as
yours, client-hub-firewalls-hub-server.  All interfaces are up and
tcpdump shows the carp traffic occurring on both external and
internal interfaces.  PFsync traffic is sniffable on the crossover
link.  For some reason firewall 1 wants to be a master on both links,
and firewall 2 has one link as master and the other as backup.
Shutting down firewall 1 does not cause firewall 2 to take over for
both links.  I can ssh to the firewalls from both client and server.
I have verified that IP forwarding is enabled and I have the same
pf.conf.  I too see the duplicate IP messages across the console.  I
suspect this is due to my lack of familiarity with PF, but the pf.conf
looks pretty straightforward.  I'm at the scratching-my-head phase.
[email protected] (Vladimir Potapov) wrote in message news:<[email protected]>...
> I have the following network topology:
> 
>                     ----------- Firewall 1 -------
>     Client  ----HUB                |              HUB ---- Server
>                     ----------- Firewall 2 -------
> 
> Client(SUSE 9 box):
> IP-192.168.0.10
> Route-192.168.0.254
> Server(OpenBSD 3.5):
> IP-10.0.0.2
> Route-10.0.0.254
> 
> Firewall 1 - master(OpenBSD 3.5):
> 
> #/etc/hostname.sk0(internal network):
> inet 192.168.0.254 255.255.255.0 NONE
> 
> #/etc/hostname.fxp0(PFSYNC if):
> inet 192.168.254.254 255.255.255.0 NONE
> 
> #/etc/hostname.fxp0(Network where server(external)):
> inet 10.0.0.254 255.255.255.0 NONE
> 
> #/etc/hostname.carp0:
> inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass good
> 
> #/etc/hostname.carp1:
> inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass best
> 
> #PF.CONF#
> pass log all
> pass log quick on { fxp0 } pfsync
> pass log on { sk0 fxp1 } proto carp keep state
> 
> Firewall 2 - backup(OpenBSD 3.5):
> 
> #/etc/hostname.sk0(internal network):
> inet 192.168.0.254 255.255.255.0 NONE
> 
> #/etc/hostname.xl0(PFSYNC if):
> inet 192.168.254.254 255.255.255.0 NONE
> 
> #/etc/hostname.ne3(Network where server(external)):
> inet 10.0.0.254 255.255.255.0 NONE
> 
> #/etc/hostname.carp0:
> inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 advskew 100 pass good
> 
> #/etc/hostname.carp1:
> inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 advskew 100 pass best
> 
> #PF.CONF#
> pass log all
> pass log quick on { xl0 } pfsync
> pass log on { sk0 ne3 } proto carp keep state
> 
> With this configuration I can't reach the server from the client through the 2
> firewalls.
> 
> 1) I can ping the internal and external IPs (on the firewalls) from the server and from
> the client, but I can't ping the server from the client, or the other way round.
> In the firewall logs I see that the ICMP packets passed.
> 2) If I reboot firewall-1, the console of firewall-2 shows this message:
> 
> /bsd: duplicate IP address 192.168.254.254  sent from Ethernet address
> 00:90:27:57:7e:71
> 
> 3) And when I reboot firewall-1 (or 2), before it shuts down I see this message
> in the console:
> 
> ifconfig: SIOCGIFFLAGS device not configured
> 
> Where am I wrong?
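A consistency check over the two quoted configurations, as an added example that is not part of the thread: it cross-checks each node's hostname.<if> files and pf.conf for the mistakes that produce the reported symptoms, namely a physical (non-carp) address present on both hosts (what the kernel's "duplicate IP address" message reports), an interface file defined twice, a pf.conf rule naming an interface that has no hostname file, and a carp vhid missing on one node or carrying the same advskew on both. The sample configs are constructed from the post; the node labels fw1/fw2 and the interface-name regex are assumptions of this example.

```python
import re
FW1_IFS = [  # constructed from the quoted post: (interface, hostname.<if> contents)
    ("sk0", "inet 192.168.0.254 255.255.255.0 NONE"),
    ("fxp0", "inet 192.168.254.254 255.255.255.0 NONE"),
    ("fxp0", "inet 10.0.0.254 255.255.255.0 NONE"),  # hostname.fxp0 appears twice in the post
    ("carp0", "inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass good"),
    ("carp1", "inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass best"),
]
FW1_PF = "pass log all\npass log quick on { fxp0 } pfsync\npass log on { sk0 fxp1 } proto carp keep state"
FW2_IFS = [  # constructed likewise for the backup node
    ("sk0", "inet 192.168.0.254 255.255.255.0 NONE"),
    ("xl0", "inet 192.168.254.254 255.255.255.0 NONE"),
    ("ne3", "inet 10.0.0.254 255.255.255.0 NONE"),
    ("carp0", "inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 advskew 100 pass good"),
    ("carp1", "inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 advskew 100 pass best"),
]
FW2_PF = "pass log all\npass log quick on { xl0 } pfsync\npass log on { sk0 ne3 } proto carp keep state"

def parse_node(ifs, pf):  # -> defined ifs, duplicate files, physical addrs, carp groups, pf.conf refs
    node = {"defined": set(), "dupes": [], "phys": {}, "carp": {}}
    for name, line in ifs:
        if name in node["defined"]:
            node["dupes"].append(name)
        node["defined"].add(name)
        addr = line.split()[1]
        if name.startswith("carp"):
            vhid = int(re.search(r"vhid (\d+)", line).group(1))
            skew = re.search(r"advskew (\d+)", line)  # advskew defaults to 0 (preferred master)
            node["carp"][vhid] = (addr, int(skew.group(1)) if skew else 0)
        else:
            node["phys"][addr] = name  # address on a real NIC: must be unique per host
    node["used"] = set(re.findall(r"\b([a-z]+\d+)\b", pf))  # heuristic: driver name + unit number
    return node

def check_pair(a, b):  # cross-check the two nodes; returns a list of findings
    out = []
    for label, n in (("fw1", a), ("fw2", b)):
        out += [f"{label}: hostname.{d} defined more than once" for d in n["dupes"]]
        out += [f"{label}: pf.conf references {i} but hostname.{i} does not exist"
                for i in sorted(n["used"] - n["defined"])]
    for addr in sorted(set(a["phys"]) & set(b["phys"])):  # what the kernel reports as duplicate IP
        out.append(f"physical address {addr} is configured on both nodes; only carp addresses may be shared")
    for vhid in sorted(set(a["carp"]) | set(b["carp"])):
        if vhid not in a["carp"] or vhid not in b["carp"]:
            out.append(f"vhid {vhid} is defined on only one node")
        elif a["carp"][vhid][1] == b["carp"][vhid][1]:
            out.append(f"vhid {vhid}: same advskew on both nodes, no preferred master")
    return out
if __name__ == "__main__":
    print("\n".join(check_pair(parse_node(FW1_IFS, FW1_PF), parse_node(FW2_IFS, FW2_PF))))
```

Note also that in the post the client and server default routes point at the physical addresses (192.168.0.254 and 10.0.0.254) rather than at the carp addresses (192.168.0.1 and 10.0.0.1); failover is only transparent to hosts that route via the carp address.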