
Re: pf/carp for redundant production use



Hi guys,

I got pf and carp working together. However, I have noticed that TCP-oriented applications don't recover well when I disconnect a cable. I set up a netcat listener on a machine inside the network. Then I ran netcat from another machine outside the network. I was able to connect and send some characters. However, when I disconnected the primary firewall's external interface, netcat wouldn't work anymore until I ran netcat again to connect to the shared external IP address.

Am I missing any configuration? Looks like it's related to pf state tables not being sent to the backup firewall.

Please help.

Thanks,

Neil

Neil writes:

Hi guys,

I'm very new to carp. I used OpenBSD and pf about 2 yrs ago, so I have forgotten it too. Anyways, I just finished building 2 machines with 3 NICs on each machine. I got CARP working as well but have some questions.

Here is my configuration:

/*******************************************
/* FW1:
/*******************************************
external interface: fxp1 => 192.168.1.1/24
internal interface: xl0 => 172.16.0.1/16
pfsync interface fxp0 => 10.10.10.1/24


carp0: inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev xl0 vhid 1 pass lanpasswd
carp1: inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev fxp1 vhid 2 pass netpasswd
pfsync0: up syncif fxp0



/*******************************************
/* FW2:
/*******************************************
external interface: ne3 => 192.168.1.2/24
internal interface: rl0 => 172.16.0.2/16
pfsync interface fxp0 => 10.10.10.2/24


carp0: inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev rl0 vhid 1 pass lanpasswd advskew 128
carp1: inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev ne3 vhid 2 pass netpasswd advskew 128
pfsync0: up syncif fxp0


LAN shared IP: 172.16.0.100
WAN/Internet shared IP: 192.168.1.100


DIAGRAM:
                    EXTERNAL
    +------------| 192.168.1.x |------------+
    |                                       |
fxp1|                                       |ne3
 +-----+                                 +-----+
 | fw1 |-fxp0------10.10.10.x-------fxp0-| fw2 |
 +-----+                                 +-----+
 xl0|                                       |rl0
    |                                       |
----+------------| 172.16.x.x |-------------+----
                    INTERNAL



1. Let's say we want to do some NAT using the CARP/PF setup:


web server public: 192.168.1.10
web server NAT: 172.16.1.10(real ip)


mailserver public: 192.168.1.11
mailserver NAT: 172.16.1.11(real ip)


a. How will I configure CARP?
b. How will I configure the pf.conf on both firewalls? An example will really help me a lot.
c. Do I also have to create an alias interface for the 2 machines' external interfaces?



2. Can someone please send me a pf.conf that can be used in production environment?


3. Am I correct that my internal mailserver's and webserver's gateway should point to 172.16.0.100?

4. What happens if the interface where our pfsync is configured goes bad or its cable gets disconnected?

5. Other than this setup, is there anything I can add to make it much more reliable?

Thanks in advance!

Neil
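The following is an added example, not from Neil's posts or from the OpenBSD project. It gives one pf.conf that fits the two-firewall layout quoted above (questions 1b, 2 and 3) and, in its header comments, the two settings a practitioner would check first when a pulled WAN cable stalls existing TCP sessions as in the netcat test: CARP preemption so that carp0 and carp1 fail over together, and NAT to the shared CARP address rather than to each node's own physical address. It uses the pre-4.7 nat/rdr syntax that matches the hostname.carp style of the post (on 4.7 and later the same rules are written with match ... nat-to / rdr-to). Assumptions: the public server addresses 192.168.1.10 and .11 are configured as aliases on carp1; traffic to the shared addresses is filtered on the carpdev interfaces (on releases where it is seen on carp0/carp1 instead, name those interfaces in the on clauses); all macro values are taken from the post.

```pf
# pf.conf for the fw1/fw2 pair (added example, not from the original thread).
# The same file is used on both nodes; only the interface macros differ
# (fw2: ext_if="ne3", int_if="rl0").
#
# Companion settings assumed on BOTH nodes:
#   /etc/sysctl.conf:   net.inet.carp.preempt=1
#       With preempt, losing link on any one carp interface demotes the whole
#       host, so carp0 (LAN) and carp1 (WAN) move to fw2 together. Without it,
#       pulling fw1's WAN cable moves only carp1: fw1 keeps carp0, LAN packets
#       still enter fw1 while replies come back through fw2, and established
#       TCP sessions stall until the client reconnects.
#   /etc/hostname.carp1: 192.168.1.10 and 192.168.1.11 added as aliases, so
#       whichever node is master answers ARP for the published addresses.
#   If the pfsync link (fxp0) fails, CARP itself keeps running, because it
#   advertises on the carpdev interfaces, but new states stop reaching the peer.

ext_if   = "fxp1"
int_if   = "xl0"
sync_if  = "fxp0"

lan_net  = "172.16.0.0/16"
ext_carp = "192.168.1.100"    # shared WAN address (carp1)
int_carp = "172.16.0.100"     # shared LAN address (carp0): the LAN default gateway

web_pub  = "192.168.1.10"
web_int  = "172.16.1.10"
mail_pub = "192.168.1.11"
mail_int = "172.16.1.11"

set skip on lo0

# Translate to the shared CARP address, never to "($ext_if)": a state built
# with fw1's own 192.168.1.1 as source is synced to fw2 but cannot be
# continued there, because fw2 does not own that address.
nat on $ext_if from $lan_net to any -> $ext_carp

# Public -> real server mappings; the resulting state is synced via pfsync.
rdr on $ext_if proto tcp from any to $web_pub  port { 80, 443 }      -> $web_int
rdr on $ext_if proto tcp from any to $mail_pub port { 25, 143, 993 } -> $mail_int

block log all

# Redundancy control plane. pfsync carries the state table unauthenticated,
# so it stays on the dedicated fxp0 crossover link and is passed only there;
# CARP advertisements are passed on both carpdev interfaces.
pass quick on $sync_if proto pfsync
pass on { $ext_if, $int_if } proto carp

# LAN clients out to the world (source-translated by the nat rule above).
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from any to any keep state

# Published services: rdr runs before filtering, so match the internal address.
pass in on $ext_if proto tcp from any to $web_int  port { 80, 443 }      flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_int port { 25, 143, 993 } flags S/SA keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf on each node. To verify state synchronisation before relying on it, open a connection through the master and compare pfctl -ss on both nodes: the same entry should appear on the backup within a second or two, and after demoting the master (ifconfig carp1 down, or pulling the cable with preempt enabled) the session should continue through fw2 without a reconnect.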