CARP LAN outgoing IP address


CARP LAN outgoing IP address

Gábri Máté-2
Dear List,

I have two firewalls with nginx serving a few Apache servers. I have to use
CARP on the LAN side so I don't have to change the default gateway on the web
servers when one of the firewalls goes down.
My problem is that in the Apache logs I see the firewall's physical IP address,
not the CARP address. Let's say CARP is 192.168.1.100, firewall1 is
192.168.1.1 and firewall2 is 192.168.1.2. If a connection is through
firewall1, then in the Apache logs I see 192.168.1.1.
This is normal, but is there a way to make the outgoing packet have the
internal CARP device's address as source IP? I've read through the nginx docs
but found nothing helpful. I think the key is in PF.
Thank you for your help and advice!

--
Gabri Mate
[hidden email]
http://www.duosol.hu
Tel: 20/589-5456



Re: CARP LAN outgoing IP address

Gábri Máté-2
On Friday 18 April 2008 21:29:18 the following was written:
> On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[hidden email]> wrote:
> >  This is normal, but is there a way to make the outgoing packet have
> > the internal CARP device's address as source IP?
>
> What would this accomplish?  If one of the nginx machines goes down,
> the TCP sessions won't be able to failover to the other carp peer.
> I'd prefer to see in my logs which proxy a request came from so I can
> better diagnose if a particular machine is misbehaving.

You're right, but we need the CARP'd IP for statistics on the web servers. If
one of the machines goes down then the user just has to hit the refresh
button and she has access to the content again.

--
Gabri Mate
[hidden email]
http://www.duosol.hu
Tel: 20/589-5456



Re: CARP LAN outgoing IP address

Claer
On Fri, Apr 18 2008 at 32:21, Gábri Máté wrote:

> On Friday 18 April 2008 21:29:18 the following was written:
> > On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[hidden email]> wrote:
> > >  This is normal, but is there a way to make the outgoing packet have
> > > the internal CARP device's address as source IP?
> >
> > What would this accomplish?  If one of the nginx machines goes down,
> > the TCP sessions won't be able to failover to the other carp peer.
> > I'd prefer to see in my logs which proxy a request came from so I can
> > better diagnose if a particular machine is misbehaving.
>
> You're right, but we need the CARP'd IP for statistics on the web servers. If
> one of the machines goes down then the user just has to hit the refresh
> button and she has access to the content again.
>
Did you try to NAT the LAN interface with the CARP address? It should
work for self-originated outgoing traffic too. The problem is, if the
connection is issued from the backup firewall you will lose the connection.
To bypass this limitation, you can use ifstated and pf tables:

- If the LAN interface is in master mode: add the CARP address to
  the NAT table

- If the LAN interface is in backup mode: remove the CARP address from
  the NAT table

Claer
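A concrete version of Claer's suggestion, written as an added example for this archive rather than anything posted in the thread. It assumes the thread's addresses (CARP 192.168.1.100 on carp1, physical 192.168.1.1 on firewall1), plus assumed names for the LAN interface (em1), the backend servers and the pf table. The pf rules use the `match ... nat-to` syntax of OpenBSD 4.7 and later, with the pre-4.7 `nat on` form that was current in 2008 left in a comment. One deliberate twist on Claer's wording: the table holds the firewall's own physical address, not the CARP address, and simply gates whether the NAT rule matches at all. ifstated fills it only while carp1 is MASTER, so the backup firewall never translates and its own connections keep working.

```conf
# /etc/pf.conf (fragment) on firewall1; on firewall2 set self_ip = "192.168.1.2"
lan        = "em1"                              # assumed LAN interface name
carp_lan   = "192.168.1.100"                    # CARP address from the thread
self_ip    = "192.168.1.1"                      # this firewall's physical LAN address
webservers = "{ 192.168.1.10, 192.168.1.11 }"   # assumed Apache backends

# Empty until ifstated adds $self_ip to it. "persist" keeps an empty table
# from being dropped when pf.conf is reloaded.
table <nat_src> persist

# Source-NAT the proxy's own outbound connections to the backends, but only
# while <nat_src> contains this host, i.e. only while carp1 is MASTER.
match out on $lan inet proto tcp from <nat_src> to $webservers port 80 nat-to $carp_lan
pass  out on $lan inet proto tcp to $webservers port 80

# Pre-4.7 equivalent of the match rule above:
#   nat on $lan inet proto tcp from <nat_src> to $webservers port 80 -> $carp_lan


# /etc/ifstated.conf on firewall1 (use 192.168.1.2 on firewall2)
init-state auto

carp_up   = "carp1.link.up"          # carp1 is MASTER
carp_init = "carp1.link.unknown"     # carp1 has not left INIT yet

state auto {
	if $carp_init
		set-state init
	if $carp_up
		set-state master
	if ! $carp_up
		set-state backup
}

state init {
	if ! $carp_init
		set-state auto
}

# MASTER: translate our own outbound connections to the CARP address.
state master {
	init {
		run "pfctl -t nat_src -T add 192.168.1.1"
	}
	if ! $carp_up
		set-state backup
}

# BACKUP: stop translating; replies to the CARP address would go to the
# other firewall, so connections from here must keep the physical address.
state backup {
	init {
		run "pfctl -t nat_src -T delete 192.168.1.1"
	}
	if $carp_up
		set-state master
}
```

Load the rules with `pfctl -f /etc/pf.conf` and start ifstated (on a 2008-era system via `ifstated_flags` in rc.conf.local, on a current one with `rcctl enable ifstated`); `pfctl -t nat_src -T show` on each firewall should list the physical address on the master only. The limitation Claer points out still applies: a connection that was translated on the master cannot be continued by the peer after a failover, because the replies now land on a host that has no socket for them. That matches what Gábri accepts (the user reloads the page), and the web servers then see one consistent proxy address for statistics.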


Re: CARP LAN outgoing IP address

Gábri Máté-2
On Saturday 19 April 2008 10:39:29, Claer wrote:
> On Fri, Apr 18 2008 at 32:21, Gábri Máté wrote:
> > On Friday 18 April 2008 21:29:18 the following was written:
> > > On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[hidden email]>
> > > wrote:
> > > >  This is normal, but is there a way to make the outgoing packet
> > > > have the internal CARP device's address as source IP?
> > >
> > > What would this accomplish?  If one of the nginx machines goes down,
> > > the TCP sessions won't be able to failover to the other carp peer.
> > > I'd prefer to see in my logs which proxy a request came from so I can
> > > better diagnose if a particular machine is misbehaving.
> >
> > You're right, but we need the CARP'd IP for statistics on the web
> > servers. If one of the machines goes down then the user just has to hit
> > the refresh button and she has access to the content again.
>
> Did you try to NAT the LAN interface with the CARP address? It should
> work for self-originated outgoing traffic too. The problem is, if the
> connection is issued from the backup firewall you will lose the connection.
> To bypass this limitation, you can use ifstated and pf tables:
>
> - If the LAN interface is in master mode: add the CARP address to
>   the NAT table
>
> - If the LAN interface is in backup mode: remove the CARP address from
>   the NAT table
>
> Claer

Thank you for all your help!

It seems that we found a workaround for this problem and we don't have to
tamper with the firewall.
mod_rpaf on the web servers will rewrite the incoming IP address.

--
Gabri Mate
[hidden email]
http://www.duosol.hu
Tel: 20/589-5456

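What the mod_rpaf workaround looks like end to end, as an added example and not configuration posted in the thread: nginx on each firewall hands the real client address to the backend in X-Forwarded-For, and mod_rpaf on the Apache servers swaps it in before logging and access control see the request. Addresses are the thread's; the upstream name, backend addresses and module path are assumed, and the directive names are those of the classic mod_rpaf 0.6 release (the later gnif fork renames them to RPAF_Enable, RPAF_ProxyIPs, RPAF_SetHostName and RPAF_Header).

```conf
# nginx.conf fragment on firewall1 and firewall2
upstream backends {
    server 192.168.1.10:80;   # assumed Apache servers
    server 192.168.1.11:80;
}

server {
    listen 80;

    location / {
        proxy_pass http://backends;
        proxy_set_header Host $host;
        # Overwrite rather than append ($proxy_add_x_forwarded_for would keep
        # whatever the client sent): the backend must only ever see the one
        # address this proxy vouches for, or a client can forge its log entry.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}


# httpd.conf fragment on each Apache server (mod_rpaf 0.6 directive names)
LoadModule rpaf_module modules/mod_rpaf-2.0.so   # assumed module path

RPAFenable On
# Trust X-Forwarded-For only when the TCP peer is one of the two proxies'
# physical addresses. Requests from anywhere else keep their real peer
# address, so nobody can spoof a client IP by sending the header directly.
RPAFproxy_ips 192.168.1.1 192.168.1.2
RPAFsethostname On
RPAFheader X-Forwarded-For

# %h now yields the client address, so the existing statistics keep working.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined
```

Because mod_rpaf rewrites the address Apache uses everywhere, including `Allow from` / `Require ip` rules, the trusted proxy list has to be exact: it must contain both firewalls' physical addresses, and if the PF NAT approach from earlier in the thread were ever combined with this, the CARP address 192.168.1.100 would have to be listed too, since that is what the backend would then see as the peer.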