DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th September 2015
da1 da1 is offline
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default [SOLVED] carp with (1x) public IP - NAT not working

Hello everyone,

I have an OpenBSD 5.7 amd64 machine with 3x NIC's (internet, LAN and pfsync).

The problems is that if I configure the public ip on the CARP interface, NAT doesn't work but if I configure the Ip on the physical interface, it does work.

Here is my setup:
em0 - internet (x.x.x.x)
em1 - LAN (y.y.y.y)
em2 - pfsync (we don't care about this for now)
carp0 - public IP
carp1 - private IP

/etc/hostname.em0:
Code:
up description "internet"
/etc/hostname.em1:
Code:
up description "LAN"
/etc/hostname.carp0:
Code:
inet x.x.x.x 255.255.255.x x.x.x.255 vhid 1 carpdev em0 pass passwd advskew 5
/etc/hostname.carp1:
Code:
inet y.y.y.y 255.255.255.y y.y.y.255 vhid 2 carpdev em1 pass passwd2 advskew 5
pf.conf:
Code:
### Global
ext_if="em0"
int_if="em1"


### Runtime options
set block-policy drop
set skip on lo0
set loginterface egress
set timeout interval 5
set timeout frag 20


### Scrub
match log on {$ext_if} scrub (max-mss 1440) label "scrub"


### NAT & RDR
match out on egress inet from !(egress:network) to any nat-to (egress:0)



###
### Rules           
###
block in log on $ext_if proto { tcp, udp, icmp } all label "EXT_IF block in"
pass in log on $int_if all label "INT_IF pass in"
pass out log label "DEF_PASS_OUT"


# antispoof
antispoof log quick for { lo $ext_if $int_if } label "antispoof lo/INT_IF/EXT_IF"
The rules are simple because I'm trying to figure out why does't NAT work when the public IP is on carp0 but does work when it is on em0 (same pf rules).

Any thoughts?

Last edited by da1; 25th September 2015 at 07:30 AM.
Reply With Quote
  #2   (View Single Post)  
Old 24th September 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Welcome back!

I'm going to guess that it is your use of the egress group in your nat-to rule. If the carp(4) interface is not part of the egress group, then this rule will not apply. And, normally, carp(4) interfaces are part of the carp group.

It's just a guess, of course.

----

Edited to add: the egress group is assigned to interfaces that use the default route. So if this is the problem, you may have a routing issue via the carp(4) interface.

Last edited by jggimi; 25th September 2015 at 02:08 AM.
Reply With Quote
  #3   (View Single Post)  
Old 25th September 2015
da1 da1 is offline
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default

Hi,

I've also tried different NAT rules, I just forgot to mention it.

Code:
- match out on carp inet from !(carp:network) to any nat-to (carp:0)
- match out on carp0 inet from !(carp0:network) to any nat-to carp0
Same result, no go.

I also went really specific but the result was the same unfortunately:
Code:
match out on carp0 inet from carp1:network to any nat-to carp0
LE: AFAIR the rules are supposed to be written for the physical interface and not the carp if.
LE2:
Code:
Ruleset Tips
Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So, write your rule sets accordingly. Don't forget that an interface name in a PF rule can be either the name of a physical interface or an address associated with that interface. For example, this rule could be correct:

    pass in on fxp0 inet proto tcp from any to carp0 port 22 

but replacing the fxp0 with carp0 would not work as you desire.
http://www.openbsd.org/faq/pf/carp.html
Reply With Quote
  #4   (View Single Post)  
Old 25th September 2015
da1 da1 is offline
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default

That feeling when you realise the answer was in front of you all along but you just didn't take the time to read it )
Darn I feel stupid =))

So here is what I need:
Code:
match out on em0 inet from !(egress:network) to any nat-to carp0
It hit me after I've read the LE2 section again. I guess it also helps having a good night sleep and a fresh start of the day

PS: Good to be back
Reply With Quote
  #5   (View Single Post)  
Old 25th September 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

I use carp(4), but not on NATted interfaces. Sorry to have been no help.
Reply With Quote
  #6   (View Single Post)  
Old 25th September 2015
da1 da1 is offline
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default

Quote:
Originally Posted by jggimi View Post
I'm going to guess that it is your use of the egress group in your nat-to rule. If the carp(4) interface is not part of the egress group, then this rule will not apply.
You actually helped me tons. So thx for that
Reply With Quote
  #7   (View Single Post)  
Old 18th February 2017
damageG damageG is offline
Port Guard
 
Join Date: Feb 2017
Posts: 13
Default

I'm still a bit confused as to how the configuration works with the backup.

Right now I have a pair of routers and CARP is working on the internal interfaces and I want to add CARP on the public interface.

I get that doing NAT to the CARP address works on the active/master router because it has that address. The passive/backup router won't get any traffic to route so the only thing going out would be internally generated. But if the backup router has a NAT to the CARP address, won't the return path be wrong?
Reply With Quote
  #8   (View Single Post)  
Old 19th February 2017
da1 da1 is offline
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
Default

No, because the "active" IP is on the master CARP interface.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD CARP/PF nekron99 OpenBSD Security 16 8th November 2011 11:08 PM
CARP Abbass OpenBSD Security 3 13th April 2011 07:22 PM
Clustering with CARP revzalot OpenBSD General 10 17th September 2009 04:44 AM
carp configuration ohhcarp OpenBSD General 3 16th April 2009 10:50 PM


All times are GMT. The time now is 09:15 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick