No way natting-to carp interface


No way natting-to carp interface

Paquitiu
Hi.
The issue is simple, I can't match the outgoing traffic to carp ip address.
When I go to some "show myip" web, it always appears the physical one.
Never the carp one.

As my ISP provider gives us 4 ips, I use two (one for each nic of the firewalls
connected to internet) for physical interfaces and the other two for the carp
interfaces.
           

                                      Internet
                                         |
                   +--------------------/ \------------------+
                   |         carp13(em0) = 81.92.37.13       |
                   |         carp12(em0) = 81.92.37.12       |
                   |                                         |
      81.92.37.10 bge0                                      bge0 81.92.37.11
                   |                                         |
               +-------+                    10.0.0.2     +-------+
               |  fw0  |- re0 ---- CARP Pfsync ---- re0 -|  fw1  |
               +-------+  10.0.0.1                       +-------+
                   |                                         |
    192.168.28.1 bge1                                       bge1 192.169.28.2
                   |                                         |
                   |         carp28(em1) = 192.168.28.11     |
                   +--------------------\ /------------------+
                                         |
                                   Internal LAN
                                  (192.168.28/24)


Config files (from one of the two firewalls):

hostname.bge0
inet 81.92.37.10 255.255.255.248 NONE

hostname.bge1
inet 192.168.28.1 255.255.255.0 NONE

hostname.carp12
inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
120:0,121:100 pass PaSSWord12

hostname.carp13
inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
130:100,131:0 pass PaSSWord13

hostname.carp28
inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes
28:0,29:100 pass PaSSWord28

hostname.re0
inet 10.0.0.1 255.255.255.0 NONE

hostname.pfsync0
up syncdev re0

sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
net.inet.carp.log=3 # log level of carp(4) info, default 2
net.inet.carp.allow=1
net.inet.carp.arpbalance=0

pf.conf
priv_nets= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8}"
set block-policy drop
set skip on lo

#Nat outgoing connections
match out on $ext_IF inet from !$ext_IF to any nat-to $ext_IF

#This does not work: match out on $ext_IF inet from !$ext_IF to any nat-to carp12

#Filter rules
block log all
block in quick from urpf-failed #spoofed address protection

#packet normalization
match in all scrub (no-df)

pass quick log on re0 inet proto pfsync keep state (no-sync)
pass in quick log on $ext_IF proto carp from carp12 to 224.0.0.18 keep state
pass in quick log on $ext_IF proto carp from carp13 to 224.0.0.18 keep state
pass in quick log on $int_IF proto carp from carp28 to 224.0.0.18 keep state
pass on { $int_IF , $ext_IF } proto carp keep state (no-sync)

block in quick on $ext_IF from $priv_nets to any
block out quick on $ext_IF from any to $priv_nets
block quick inet6

Re: No way natting-to carp interface

Josh Hoppes
On Tue, Mar 13, 2012 at 11:15 AM, Paquitiu <[hidden email]> wrote:
> Hi.
> The issue is simple, I can't match the outgoing traffic to carp ip address.
> When I go to some "show myip" web, it always appears the physical one.
> Never the carp one.
>
> As my ISP provider gives us 4 ips, I use two (one for each nic of the firewalls
> connected to internet) for physical interfaces and the other two for the carp
> interfaces.
>
>
>                                      Internet
>                                         |
>                   +--------------------/ \------------------+
>                   |         carp13(em0) = 81.92.37.13       |
>                   |         carp12(em0) = 81.92.37.12       |
>                   |                                         |
>      81.92.37.10 bge0                                      bge0 81.92.37.11
>                   |                                         |
>               +-------+                    10.0.0.2     +-------+
>               |  fw0  |- re0 ---- CARP Pfsync ---- re0 -|  fw1  |
>               +-------+  10.0.0.1                       +-------+
>                   |                                         |
>    192.168.28.1 bge1                                       bge1 192.169.28.2
>                   |                                         |
>                   |         carp28(em1) = 192.168.28.11     |
>                   +--------------------\ /------------------+
>                                         |
>                                   Internal LAN
>                                  (192.168.28/24)
>
>
> Config files (from one of the two firewalls):
>
> hostname.bge0
> inet 81.92.37.10 255.255.255.248 NONE
>
> hostname.bge1
> inet 192.168.28.1 255.255.255.0 NONE
>
> hostname.carp12
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 120:0,121:100 pass PaSSWord12
>
> hostname.carp13
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 130:100,131:0 pass PaSSWord13
>
> hostname.carp28
> inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes
> 28:0,29:100 pass PaSSWord28
>
> hostname.re0
> inet 10.0.0.1 255.255.255.0 NONE
>
> hostname.pfsync0
> up syncdev re0
>
> sysctl.conf
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
> net.inet.icmp.rediraccept=1     # 1=Accept ICMP redirects
> net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
> net.inet.carp.log=3             # log level of carp(4) info, default 2
> net.inet.carp.allow=1
> net.inet.carp.arpbalance=0
>
> pf.conf
> priv_nets= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8}"
> set block-policy drop
> set skip on lo
>
> #Nat outgoing connections
> match out on $ext_IF inet from !$ext_IF to any nat-to $ext_IF
>
> #This does not work: match out on $ext_IF inet from !$ext_IF to any nat-to carp12
>
> #Filter rules
> block log all
> block in quick from urpf-failed         #spoofed address protection
>
> #packet normalization
> match in all scrub (no-df)
>
> pass quick log on re0 inet proto pfsync keep state (no-sync)
> pass in quick log on $ext_IF proto carp from carp12 to 224.0.0.18 keep state
> pass in quick log on $ext_IF proto carp from carp13 to 224.0.0.18 keep state
> pass in quick log on $int_IF proto carp from carp28 to 224.0.0.18 keep state
> pass on { $int_IF , $ext_IF } proto carp keep state (no-sync)
>
> block in quick on $ext_IF from $priv_nets to any
> block out quick on $ext_IF from any to $priv_nets
> block quick inet6
>

Don't try and use the carp interface as the target of nat-to, just the
IP address of the carp interface.

eg

match out on $ext_IF inet from !$ext_IF to any nat-to 81.92.37.12

Give that try and see if it works.

Re: No way natting-to carp interface

Paquitiu
Thank you Josh for answering so fast.

Unfortunately, I've already tried with ip, with $var, with IF name and no
way.

Re: No way natting-to carp interface

Gordon McAllister-2
In reply to this post by Paquitiu
On Tue, Mar 13, 2012 at 9:15 AM, Paquitiu <[hidden email]> wrote:
> The issue is simple, I can't match the outgoing traffic to carp ip address.
> When I go to some "show myip" web, it always appears the physical one.
> Never the carp one.

Have you tried '...nat-to carp12:0' ?

Regards,

---Gordon

Re: No way natting-to carp interface

Shane Lazarus
In reply to this post by Paquitiu
Heya


On Wed, Mar 14, 2012 at 5:15 AM, Paquitiu <[hidden email]> wrote:
> Hi.
...
> hostname.carp12
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 120:0,121:100 pass PaSSWord12
>
> hostname.carp13
> inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes
> 130:100,131:0 pass PaSSWord13
...

Any reason those two interfaces have the same IP Address?

Shane
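Shane's question above can be answered mechanically from the hostname.carp* files in the original post. The following is an added example, not code from the thread or from OpenBSD: it parses the `inet ADDR MASK BCAST balancing ip carpnodes VHID:ADVSKEW,... pass PHRASE` form of those files and flags an address or vhid shared by two carp interfaces (the carp12/carp13 duplicate Shane spotted) or a carp interface with no pass phrase. Function names and the warning wording are my own, and the sample lines are the posted ones joined back onto one line each.

```python
from collections import defaultdict

# Constructed sample: the three hostname.carp* files as posted in the thread,
# each joined onto one line (the mail client wrapped them).
CARP_FILES = {
    "hostname.carp12": "inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 120:0,121:100 pass PaSSWord12",
    "hostname.carp13": "inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 130:100,131:0 pass PaSSWord13",
    "hostname.carp28": "inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes 28:0,29:100 pass PaSSWord28",
}

def parse_carp(text):
    """Parse 'inet ADDR MASK BCAST [balancing MODE carpnodes VHID:ADVSKEW,...] [pass PHRASE]'
    into a dict; 'nodes' is the list of (vhid, advskew) pairs."""
    tok = text.split()
    if len(tok) < 4 or tok[0] != "inet":
        raise ValueError("not an inet line: %r" % text)
    info = {"addr": tok[1], "mask": tok[2], "bcast": tok[3],
            "nodes": [], "has_pass": "pass" in tok}
    if "carpnodes" in tok:
        for pair in tok[tok.index("carpnodes") + 1].split(","):
            vhid, skew = pair.split(":")
            info["nodes"].append((int(vhid), int(skew)))
    return info

def check(files):
    """Warn on an address or vhid shared by several carp interfaces, or an interface with no pass phrase."""
    by_addr, by_vhid, warnings = defaultdict(list), defaultdict(list), []
    for name, text in files.items():
        info = parse_carp(text)
        by_addr[info["addr"]].append(name)
        for vhid, _ in info["nodes"]:
            by_vhid[vhid].append(name)
        if not info["has_pass"]:
            warnings.append("%s: no pass phrase, advertisements unauthenticated" % name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            warnings.append("address %s on %s" % (addr, ", ".join(names)))
    for vhid, names in by_vhid.items():
        if len(names) > 1:
            warnings.append("vhid %d on %s" % (vhid, ", ".join(names)))
    return warnings

def expected_master(files, name):
    """vhids this node should normally be master for: with preempt on, the
    node advertising with the lowest advskew (here 0) wins the vhid."""
    return [vhid for vhid, skew in parse_carp(files[name])["nodes"] if skew == 0]

if __name__ == "__main__":
    print(check(CARP_FILES))
```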