my PF & ICMP Issues


Keith-125
I have two Firewalls running OBSD 5.4 x64 that are both live and working
fine except that they are unable to ping each other's IP address or the
gateway address while PF is enabled. If I quickly disable PF on the
FW-D=Backup then I am able to ping everything from that machine. I've
gone over everything I can think of but haven't been able to figure this
out, so I thought I'd ask here.


FW-C = 192.168.xx.67 255.255.252.0 = Carp Master
FW-D = 192.168.xx.65 255.255.252.0 = Carp Backup

carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:03
description: Carp 1 - Outside Iface
priority: 0
carp: BACKUP carpdev vlanxx vhid 3 advbase 1 advskew 10
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:103%carp1 prefixlen 64 scopeid 0xa
inet 192.168.xx.62 netmask 0xfffffc00 broadcast 192.168.23.255
inet 192.168.xx.63 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.64 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.66 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.70 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.52 netmask 0xfffffc00 broadcast 192.168.23.255 = alias

Gateway = 192.168.xx.1

FW-C is active, so I can't disable PF on this server.

Neither FW-C nor FW-D can ping the gateway when PF is enabled... If I
disable PF on FW-D then I can ping the gateway from FW-D.

Neither FW-C nor FW-D can ping each other's main IP (.67 or .65). If I
disable PF on FW-D then I can ping .65 & .67 from FW-D !!!

Neither firewall can ping the main CARP IP .62 but can ping all the aliases,
unless PF is disabled, then it is pingable.

There are other machines on the 192.168.xx.x network and they can ping
all the IPs that FW-C & D have, all the time...


Both firewalls have three NICs: one is dedicated for pfsync, the other
two are trunked, and then there are two VLANs on top of the trunk.

I stripped the pf.conf file down to as little as possible on the
backup firewall this afternoon, figuring that it must be the PF file that
was wrong, but I couldn't get it so that ping was replying. I've run
tcpdump on all the interfaces and have checked pflog0 for blocked
packets, to no avail :>(

If I am on FW-C and run ping 192.168.xx.65 then all I see on FW-D is the
echo request over and over again...

tcpdump -n -e -ttt -i vlan40
Jan 22 00:31:49.334032 00:0a:f7:3a:44:c4 00:0a:f7:3a:45:0c 0800 98:
192.168.xx.67 > 192.168.xx.65: icmp: echo request


If anyone can help then it would really be appreciated.

Thanks
Keith.
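For reference, a minimal pf.conf for an OpenBSD CARP/pfsync pair that explicitly passes the traffic the post describes (CARP advertisements on the carpdev, pfsync on the dedicated NIC, and ICMP echo), with logging on the default block so that anything PF drops actually appears on pflog0. This is an added example, not Keith's configuration or anything posted in the thread; the interface names vlan40/vlan41/em2, the macro values and the network placeholder are assumptions.

```pf
# Added example: minimal ruleset for an OpenBSD CARP pair.
# Interface names and addresses are assumed placeholders, not the poster's.
ext_if   = "vlan40"           # outside VLAN on top of the trunk (assumed)
int_if   = "vlan41"           # inside VLAN on top of the trunk (assumed)
sync_if  = "em2"              # dedicated pfsync NIC (assumed)
lan_net  = "192.168.20.0/22"  # placeholder for the 192.168.xx.x /22 network

set skip on lo0

# Log the default block: without "log" here nothing is ever written to
# pflog0, so "tcpdump -i pflog0" stays silent even while pings are dropped.
block log all

# CARP advertisements are exchanged on the carpdev (the VLAN/physical
# interface), not on carp1 itself, so they must be passed there.
pass quick on $ext_if proto carp
pass quick on $int_if proto carp

# pfsync state replication only on the dedicated link.
pass quick on $sync_if proto pfsync

# ICMP echo in both directions. Pass rules keep state by default, so the
# reply to a ping sent by the firewall itself matches the state entry.
pass inet proto icmp all icmp-type { echoreq, echorep }

# Traffic the firewalls originate themselves (DNS, NTP, pings, ...).
pass out on { $ext_if, $int_if } inet from self to any

# Forwarded LAN traffic (placeholder policy; replace with the real one).
pass in on $int_if inet from $lan_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` while pinging from the other firewall; a dropped echo request now shows up together with the number of the rule that blocked it.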


Re: my PF & ICMP Issues

LeviaComm Networks NOC

Please post your pf.conf file, otherwise we can't help you.