
NAT using a CARP interface



I have a host behind a pair of carp/pfsync machines. It used to be
10.100.81.183, but I moved it behind the firewalls and put 10.100.81.183 on
each firewall as carp2 (see below). When trying to connect to
www.openbsd.org, I get the following...
Mar 15 14:38:06.257369 rule 0/0(match): block in on xl0: 206.166.49.62.80 > 10.100.81.183.50173: S [tcp sum ok] 404013906:404013906(0) ack 4041476763 win 5840 <mss 1460,nop,nop,sackOK> (ttl 56, id 0, bad cksum 646c!)
SSH works due to rule #25 (pass in quick [...]), but anything else doesn't work.
My question is: are there any known issues with a carp for NAT'ed hosts?
Here's a snippet of my NAT/RDR rules, my pf rules, and my interface configs.
Thanks.
nat on xl0 inet from 172.19.81.183 to any -> 10.100.81.183
nat on xl0 inet from 172.19.81.128/25 to any -> (xl0) round-robin
rdr on sk1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr on xl0 inet proto tcp from any to 10.100.81.183 port = 3389 -> 172.19.81.183 port 3389
rdr on xl0 inet proto tcp from any to 10.100.81.226 port = telnet -> 172.19.81.226 port 23
rdr on xl0 inet proto tcp from any to 10.100.81.226 port = ftp -> 172.19.81.226 port 21
rdr on xl0 inet proto tcp from any to 10.100.81.226 port = printer -> 172.19.81.226 port 515
rdr on xl0 inet proto tcp from any to 10.100.81.226 port = 9100 -> 172.19.81.226 port 9100
@0 scrub out all no-df random-id max-mss 1440 fragment reassemble
@1 scrub in all no-df min-ttl 2 fragment reassemble
@0 block return log all label "any-block-log"
@1 pass quick on lo0 all label "lo0-pass"
@2 pass quick on sk0 proto pfsync all
@3 pass on xl0 proto carp all keep state (if-bound)
@4 pass on sk1 proto carp all keep state (if-bound)
@5 block return in quick on xl0 inet from any to 255.255.255.255 label "xl0-broadcast"
@6 block return in quick on xl0 inet from 255.255.255.255 to any label "xl0-broadcast"
@7 block return in log quick on xl0 from <bogon:0> to any label "xl0-bogon"
@8 block return in log on sk1 inet from ! 172.19.81.128/25 to any label "sk1-bogon"
@9 block return in log on sk1 inet from <bogon:0> to any label "sk1-bogon"
@10 block drop in log on ! lo0 inet from 127.0.0.0/8 to any label "lo0-antispoof"
@11 block drop in log on ! lo0 inet6 from ::1 to any label "lo0-antispoof"
@12 block drop in log on ! xl0 inet from 10.100.81.128/25 to any label "xl0-antispoof"
@13 block drop in log inet from 10.100.81.202 to any label "any-antispoof"
@14 block drop in log on xl0 inet6 from fe80::201:3ff:febc:800a to any label "xl0-antispoof"
@15 block drop in log on ! sk1 inet from 172.19.81.128/25 to any label "sk1-antispoof"
@16 block drop in log inet from 172.19.81.132 to any label "any-antispoof"
@17 block drop in log on sk1 inet6 from fe80::20f:3dff:fef4:5ae6 to any label "sk1-antispoof"
@18 pass out quick inet proto tcp all flags S/SA modulate state (if-bound) label "any-pass-synack-out"
@19 pass out quick inet proto udp all keep state (if-bound) label "any-pass-udp-out"
@20 pass out quick inet proto icmp all keep state (if-bound) label "any-pass-icmp-out"
@21 pass out quick all label "any-pass-ip-out"
@22 pass in on sk1 inet proto udp from any to any port = bootps keep state (if-bound) label "sk1-bootps-in"
@23 pass in on sk1 inet proto udp from 172.19.81.128/25 to 172.19.81.132 port = domain keep state (if-bound) label "sk1-domain-udp-in"
@24 pass in on sk1 inet proto udp from 172.19.81.128/25 to 172.19.81.132 port = ntp keep state (if-bound) label "sk1-ntp-in"
@25 pass in log quick on sk1 inet proto tcp from any to any port = ssh keep state (if-bound) label "sk1-ssh-authpf-in"
@26 pass in log on sk1 inet proto icmp all icmp-type echoreq keep state (if-bound) label "sk1-icmp-echo"
@27 pass in log on xl0 inet proto icmp all icmp-type echoreq keep state (if-bound) label "xl0-icmp-echo"
@28 pass in on xl0 inet proto tcp from <nxious:1> to 10.100.81.202 port = ssh modulate state (if-bound) label "xl0-nxious-ssh-in"
@29 pass in log on xl0 inet proto tcp from <csrtnet:3> to 10.100.81.202 port = ssh modulate state (if-bound) label "xl0-csrtnet-ssh-in"
@30 pass in on xl0 inet proto tcp from <nxious:1> to 172.19.81.183 port = 3389 synproxy state (if-bound) label "xl0-nxious-rdesktop-in"
@31 pass in log on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.183 port = 3389 synproxy state (if-bound) label "xl0-csrtnet-rdesktop-in"
@32 pass in on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.226 port = ftp synproxy state (if-bound) label "xl0-csrtnet-print-in"
@33 pass in on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.226 port = printer synproxy state (if-bound) label "xl0-csrtnet-print-in"
@34 pass in on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.226 port = 9100 synproxy state (if-bound) label "xl0-csrtnet-print-in"
@35 pass in log on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.226 port = telnet synproxy state (if-bound) label "xl0-csrtnet-telnet-in"
@36 pass in quick inet proto tcp from 172.19.81.128/25 to ! 172.19.81.132 flags S/SA modulate state (if-bound) label "any-172.19.81.128/25--in"
@37 pass in quick inet proto tcp from 172.19.81.128/25 to ! 172.19.81.132 keep state (if-bound) label "any-172.19.81.128/25--in"
@38 pass in quick inet proto udp from 172.19.81.128/25 to ! 172.19.81.132 keep state (if-bound) label "any-172.19.81.128/25--in"
@39 pass in quick inet proto icmp from 172.19.81.128/25 to ! 172.19.81.132 keep state (if-bound) label "any-172.19.81.128/25--in"
@40 pass in quick inet from 172.19.81.128/25 to ! 172.19.81.132 keep state (if-bound) label "any-172.19.81.128/25--in"
@41 pass in on xl0 inet proto tcp from any port = ftp-data to (xl0:1) user = 71 flags S/SA keep state (if-bound) label "xl0-ftp-proxy"
ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0f:3d:f4:5a:e0
        description: pfsync
        media: Ethernet 100baseTX full-duplex (100baseTX half-duplex)
        status: active
        inet 192.168.255.254 netmask 0xfffffffc broadcast 192.168.255.255
        inet6 fe80::20f:3dff:fef4:5ae0%sk0 prefixlen 64 scopeid 0x1
sk1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0f:3d:f4:5a:e6
        description: inside
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 172.19.81.132 netmask 0xffffff80 broadcast 172.19.81.255
        inet6 fe80::20f:3dff:fef4:5ae6%sk1 prefixlen 64 scopeid 0x2
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:01:03:bc:80:0a
        description: outside
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 10.100.81.202 netmask 0xffffff80 broadcast 10.100.81.255
        inet6 fe80::201:3ff:febc:800a%xl0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: sk0 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 10.100.81.200 netmask 0xffffff80 
carp1: flags=41<UP,RUNNING> mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 100
        inet 172.19.81.130 netmask 0xffffff80 
carp2: flags=41<UP,RUNNING> mtu 1500
        description: carp for radium
        carp: MASTER vhid 3 advbase 1 advskew 0
        inet 10.100.81.183 netmask 0xffffff80 
carp3: flags=41<UP,RUNNING> mtu 1500
        description: carp for printer
        carp: BACKUP vhid 4 advbase 1 advskew 100
        inet 10.100.81.226 netmask 0xffffff80
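As an added example (not part of the original post), the small Python script below parses the pflog line quoted above and joins its rule number with the numbered `pfctl -sr` listing, so the blocked packet reads as "SYN-ACK from the web server to the CARP address 10.100.81.183 hit rule @0, the catch-all block", which in pf means the reply matched neither an existing state nor any pass rule. The pflog line and the three ruleset lines are constructed from the post's own text; no live capture is read.

```python
import re

# Constructed sample input: the pflog line from the post (tcpdump output)
# and three lines of the `pfctl -sr` listing, copied in form only.
PFLOG_LINE = ("Mar 15 14:38:06.257369 rule 0/0(match): block in on xl0: "
              "206.166.49.62.80 > 10.100.81.183.50173: S [tcp sum ok] "
              "404013906:404013906(0) ack 4041476763 win 5840 "
              "<mss 1460,nop,nop,sackOK> (ttl 56, id 0, bad cksum 646c!)")
RULESET = '''@0 block return log all label "any-block-log"
@1 pass quick on lo0 all label "lo0-pass"
@25 pass in log quick on sk1 inet proto tcp from any to any port = ssh keep state (if-bound) label "sk1-ssh-authpf-in"
'''

# pflog fields as tcpdump prints them: rule/sub-rule, match reason, action,
# direction, interface, then the TCP 4-tuple and the flags field.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAUEW.]+) ")

def parse_pflog(line):
    """Return the packet fields of one pflog tcpdump line as a dict."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog tcpdump line: %r" % line)
    pkt = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        pkt[key] = int(pkt[key])
    # A SYN carrying an ACK number is the peer's second handshake segment,
    # i.e. a reply to a connection this side opened.
    pkt["syn_ack"] = pkt["flags"] == "S" and re.search(r"\back \d+", line) is not None
    return pkt

def parse_ruleset(text):
    """Map rule numbers of a `pfctl -sr` listing (@N ...) to their rule text."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(.*)", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def explain_block(line, ruleset_text):
    """Join the logged rule number with its rule text and label."""
    pkt = parse_pflog(line)
    rule = parse_ruleset(ruleset_text).get(pkt["rule"], "")
    lab = re.search(r'label "([^"]*)"', rule)
    # Rule @0 here is the catch-all block: a logged match on it means the
    # packet matched no state and no pass rule before falling through.
    return {"packet": pkt, "rule": rule, "label": lab.group(1) if lab else None,
            "fell_through": pkt["rule"] == 0 and rule.startswith("block")}

if __name__ == "__main__":
    print(explain_block(PFLOG_LINE, RULESET))
```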