Re: carp + pfsync trouble
From: Giaco (giaco_at_giaco.net)
Date: 08/10/04
- Previous message: Raphaël G.: "OpenBSD 3.5 on E250, crashes after install"
- In reply to: sam wood: "Re: carp + pfsync trouble"
- Next in thread: wonder: "Re: carp + pfsync trouble"
- Reply: wonder: "Re: carp + pfsync trouble"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 10 Aug 2004 16:38:57 +0200
----- Original Message -----
From: "sam wood" <samwood@xxx.com>
Newsgroups: comp.unix.bsd.openbsd.misc
Sent: Tuesday, August 10, 2004 7:41 AM
Subject: Re: carp + pfsync trouble
> Giaco wrote:
>
> > Hi all
> >
> > I am trying to set up a carp + pfsync failover firewall system.
> > I have set up 2 fw with preempt.
> > If I do a pfctl -ss in both firewalls I see that pfsync works correctly, but
> > I have this problem:
> > when I turn off the master firewall network connections stop themselves, and
> > if I turn on the master fw again, network connections restart.
> > For example, if I do a ping www.openbsd.org in the client and I turn off the
> > master, the ping stops.
> > I noticed that using control C and doing a new ping (with the master
> > offline) it works.
> > Turning off and on the slave is completely transparent to the client.
> >
> > Any Idea ?
> >
> It is hard to say what the problem is without seeing your configuration.
> Can you post your pf.conf file?
>
> sam
>
> > Thanks again
> >
> > Giacomo
> >
> >
This is my pf.conf (the same in both firewalls):
ext_if="ne3"
int_if="rl0"
sync_if="rl1"
table <spamd> persist
table <spamd-white> persist
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd
pass in quick all keep state
pass out quick all keep state
block in log
pass out keep state
pass quick on $sync_if proto pfsync
pass on { $int_if $ext_if } proto carp keep state
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
carp interfaces:
# cat /etc/hostname.carp0
inet 192.168.0.253 255.255.255.0 192.168.0.255 vhid 1 advskew 100 pass prova
# cat /etc/hostname.carp1
inet 172.16.0.254 255.255.255.0 172.16.0.255 vhid 2 advskew 100 pass prova
# cat /etc/hostname.pfsync0
up syncif rl1
The pfctl -ss output shows that connections migrate from one firewall to the other.
I've tried with and without the preempt option.
Thanks
Giacomo
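As an added check that is not part of this thread: a small Python script that compares `pfctl -ss` output captured on both firewalls and lists the states the backup never received over pfsync, which is the first thing to verify when connections die on failover. The two dumps are constructed samples, and the line layout they use is an assumption about pfctl's output format, so adjust the regex to match your release.

```python
"""Compare two `pfctl -ss` dumps and report states present on the master
but absent on the backup.  Both dumps below are CONSTRUCTED samples; the
layout imitates pfctl's state listing and is an assumption, not a spec."""
import re

# Constructed: as if captured on the master firewall.
MASTER_DUMP = """\
ne3 tcp 192.168.0.10:1030 -> 198.51.100.1:80       ESTABLISHED:ESTABLISHED
ne3 icmp 192.168.0.10:0 -> 198.51.100.1:0       0:0
rl0 tcp 192.168.0.10:1031 -> 192.168.0.253:22       ESTABLISHED:ESTABLISHED
"""

# Constructed: as if captured on the backup at the same moment.
BACKUP_DUMP = """\
ne3 tcp 192.168.0.10:1030 -> 198.51.100.1:80       ESTABLISHED:ESTABLISHED
rl0 tcp 192.168.0.10:1031 -> 192.168.0.253:22       ESTABLISHED:ESTABLISHED
"""

# iface proto src [(nat-addr)] -> or <- dst state; the optional parenthesised
# field covers translated addresses that pfctl prints for NAT'd states.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<nat>[^)]*)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)"
)


def parse_states(dump):
    """Return a set of (proto, src, dir, dst) keys for every parsable line.
    The interface name is deliberately left out of the key so that a state
    reported on a differently named NIC still matches across the pair."""
    keys = set()
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            keys.add((m["proto"], m["src"], m["dir"], m["dst"]))
    return keys


def unsynced_states(master_dump, backup_dump):
    """States the master holds that the backup has not received, sorted
    so the output is stable enough to diff between runs."""
    return sorted(parse_states(master_dump) - parse_states(backup_dump))


if __name__ == "__main__":
    for key in unsynced_states(MASTER_DUMP, BACKUP_DUMP):
        print("missing on backup:", " ".join(key))
```

In practice feed it the saved output of `pfctl -ss` from each box; an empty result means pfsync delivered every state, so a dropped connection on failover is a routing or NAT problem rather than a sync one.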