two ip with carp

two ip with carp

mediomen27
hi,
I have 2 firewalls in a cluster with carp. The following is my configuration
(8.x.x.x are examples for wan ip):
first firewall
1) bnx0 8.8.8.7 (internet)
2) bge0 192.168.100.2 (lan)
3) bnx1 pfsync
4) 10.1.1.2 dmz

carp0 8.8.8.8 (internet)
carp1 192.168.100.1 (gateway for the lan)
carp2 10.1.1.1 (gateway for the dmz)

now I want to add the ip 8.8.8.10 to redirect all traffic from it to the dmz...
how should I configure it?
I know how to redirect the traffic with pf.. my question concerns how to
configure carp and the nic..
for example should I create a new carp with ip 8.8.8.10 and an alias for
the bnx0 with ip 8.8.8.11?

Re: two ip with carp

Igor V. Gubenko
It's not completely clear -

4) - is the IP 10.1.1.2 on a separate interface? What did you configure
carp2 on?

Can you restate your question and/or describe how you want the traffic
to flow, as well as your network topology?

- Igor


On 2/27/17 6:07 AM, Frank White wrote:


Re: two ip with carp

mediomen27
ok.. I'll try.
I use the google dns ip as an example for my static public ip address.
fw1 carp0 8.8.8.8  ## (internet shared ip <--  lan)
fw1 carp1 192.168.1.1  ## (lan shared ip default gw)
fw1 carp2 10.1.1.1  ## (dmz shared ip)
fw1 bnx0 8.8.8.7  ## (internet)
fw1 bge0 192.168.1.2  ## (lan)
fw1 bnx1 10.1.1.2  ## (dmz)
fw1 bge1 192.168.254.1 ## (pfsync)

fw2 carp0 8.8.8.8
fw2 carp1 192.168.1.1
fw2 carp2 10.1.1.1
fw2 bnx0 8.8.8.6
fw2 bge0 192.168.1.3
fw2 bnx1 10.1.1.3
fw2 bge1 192.168.1.254.2 # (pfsync)

Now I want to add the static public ip 8.8.8.10 to flow the traffic to the dmz,
because 8.8.8.8 flows traffic to the lan.
As I understand I have to add the following lines to IF configuration files:

fw1 hostname.carp0: inet alias 8.8.8.10 255.255.255.255 NONE
fw1 hostname.bnx0: inet alias 8.8.8.11 255.255.255.255 NONE

fw2 hostname.carp0: inet alias 8.8.8.10 255.255.255.255 NONE
fw2 hostname.bnx0: inet alias 8.8.8.12 255.255.255.255 NONE

is that right?


2017-02-28 15:07 GMT+01:00 Igor V. Gubenko <[hidden email]>:


Re: two ip with carp

Igor V. Gubenko
Much clearer.

I've never tried CARP on an alias, but it should probably work.

However, I don't think that it can be an existing carp* interface. Use
carp3; i.e. a different carp interface. Create "inet alias" in the .bnx0
file, and a new .carpX file with a different "vhid" (different from carp2).

On a side note, I've found out that the physical interfaces on WAN do
not necessarily need to have actual WAN (globally routed) IPs. So, if
you are low on globally routed IPs, you can try using RFC1918 IPs on
bnx0 (and its aliases for DMZ). These IPs are merely needed to send
multicast for CARP.

If any of the esteemed OpenBSD developers want to call BS on the above,
please, have a go :)

Please let us know of the results.

- Igor


On 2/28/17 10:01 AM, Frank White wrote:


Re: two ip with carp

Maxim Bourmistrov-5
In reply to this post by mediomen27
Just create carp3 and configure it the same way as carp0, except for the
password.
No aliases whatsoever. Later in pf.conf do a nat-to from dmz to carp3.

fw1# ifconfig trunk0
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:90:f9:74:b0
        index 7 priority 0 llprio 3
        trunk: trunkproto lacp
        trunk id: [(8000,00:25:90:f9:74:b0,403C,0000,0000),
                 (0001,1c:aa:07:01:9b:80,0001,0000,0000)]
                trunkport ix3 active,collecting,distributing
                trunkport ix0 active,collecting,distributing
        groups: trunk egress
        media: Ethernet autoselect
        status: active
        inet 155.4.x.121 netmask 0xffffff80 broadcast 155.4.x.127

fw1# ifconfig carp165
carp165: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:a5
        description: VIP65
        index 53 priority 15 llprio 3
        carp: MASTER carpdev trunk0 vhid 165 advbase 1 advskew 0
        groups: carp
        status: master
        inet 155.4.x.65 netmask 0xffffff80 broadcast 155.4.x.127

fw1# ifconfig carp167
carp167: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:a7
        description: VIP67
        index 75 priority 15 llprio 3
        carp: MASTER carpdev trunk0 vhid 167 advbase 1 advskew 0
        groups: carp
        status: master
        inet 155.4.x.67 netmask 0xffffff80 broadcast 155.4.x.127

fw1# cat /etc/hostname.carp165
inet 155.4.x.65 255.255.255.128 155.4.x.127 -inet6 vhid 165 advbase 1 advskew 0 carpdev trunk0 pass abc1234 description VIP65

fw1# cat /etc/hostname.carp167
inet 155.4.x.67 255.255.255.128 155.4.x.127 -inet6 vhid 167 advbase 1 advskew 0 carpdev trunk0 pass 1234abc description VIP67



> On 27 Feb. 2017 at 12:07, Frank White <[hidden email]> wrote:
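The "carp3 plus nat-to" approach Maxim describes, worked through as an added example that is not from the thread or from either poster's systems: it generates a hostname.carp3 for fw1 (master) and fw2 (backup) that mirrors carp0 but has its own vhid and password, writes the pf.conf lines that steer DMZ traffic through that VIP, and then checks that no two hostname.carp* files on a node reuse a vhid. Assumed, not stated in the thread: bnx0 is the carpdev, the WAN mask is 255.255.255.0, vhid 3 is unused on that segment, 10.1.1.10 is the DMZ host to publish, and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Builds hostname.carp3 for fw1/fw2 the
# way Maxim suggests (same shape as carp0, own vhid and pass), plus a pf.conf
# fragment, and verifies vhid uniqueness per node.
# Assumptions: carpdev bnx0, WAN mask 255.255.255.0, vhid 3 free, DMZ host
# 10.1.1.10, placeholder password. Output goes to a scratch tree, not /etc.

OUT="${OUT:-/tmp/carp-example}"

# gen_carp_if <master|backup> <vip> <mask> <vhid> <carpdev> <pass>
# Prints one hostname.carpN line. The backup gets a higher advskew so fw1 is
# master for every vhid; a node that is master for carp0 but backup for
# carp3 would split the traffic path between the two firewalls.
gen_carp_if() {
    case $1 in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "gen_carp_if: role must be master|backup" >&2; return 1 ;;
    esac
    printf 'inet %s %s NONE vhid %s advbase 1 advskew %s carpdev %s pass %s\n' \
        "$2" "$3" "$4" "$skew" "$5" "$6"
}

# gen_pf_rules <dmz_net> <dmz_host>: outbound DMZ traffic leaves from the
# address carp3 holds; inbound only one explicit service is published.
gen_pf_rules() {
    printf 'match out on bnx0 from %s to any nat-to (carp3)\n' "$1"
    printf 'pass in on bnx0 inet proto tcp to (carp3) port 443 rdr-to %s\n' "$2"
}

# check_vhids <etc_dir>: fails (returns 1) if two hostname.carp* files in
# that directory carry the same vhid, which makes CARP fight itself.
check_vhids() {
    dups=$(grep -ho 'vhid [0-9]*' "$1"/hostname.carp* 2>/dev/null | sort | uniq -d)
    [ -z "$dups" ]
}

for node in fw1 fw2; do
    mkdir -p "$OUT/$node/etc"
    role=master
    [ "$node" = fw2 ] && role=backup
    gen_carp_if "$role" 8.8.8.10 255.255.255.0 3 bnx0 "CHANGE-ME-carp3" \
        > "$OUT/$node/etc/hostname.carp3"
    gen_pf_rules 10.1.1.0/24 10.1.1.10 > "$OUT/$node/etc/pf.dmz-vip.conf"
    check_vhids "$OUT/$node/etc" || echo "$node: duplicate vhid in hostname.carp*" >&2
done
```

Copy each node's hostname.carp3 into /etc only after confirming the vhid is not already announced on the WAN segment; the pf fragment is meant to be included from pf.conf and adjusted to the real ruleset.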