OpenBSD Security - Functionally paranoid!
[SOLVED] carp with (1x) public IP - NAT not working
Hello everyone,

I have an OpenBSD 5.7 amd64 machine with 3 NICs (internet, LAN and pfsync). The problem is that if I configure the public IP on the CARP interface, NAT doesn't work, but if I configure the IP on the physical interface, it does work.

Here is my setup:

em0 - internet (x.x.x.x)
em1 - LAN (y.y.y.y)
em2 - pfsync (we don't care about this for now)
carp0 - public IP
carp1 - private IP

/etc/hostname.em0:
Code:
up description "internet"

/etc/hostname.em1:
Code:
up description "LAN"

/etc/hostname.carp0:
Code:
inet x.x.x.x 255.255.255.x x.x.x.255 vhid 1 carpdev em0 pass passwd advskew 5

/etc/hostname.carp1:
Code:
inet y.y.y.y 255.255.255.y y.y.y.255 vhid 2 carpdev em1 pass passwd2 advskew 5

/etc/pf.conf:
Code:
### Global
ext_if="em0"
int_if="em1"

### Runtime options
set block-policy drop
set skip on lo0
set loginterface egress
set timeout interval 5
set timeout frag 20

### Scrub
match log on {$ext_if} scrub (max-mss 1440) label "scrub"

### NAT & RDR
match out on egress inet from !(egress:network) to any nat-to (egress:0)

###
### Rules
###
block in log on $ext_if proto { tcp, udp, icmp } all label "EXT_IF block in"
pass in log on $int_if all label "INT_IF pass in"
pass out log label "DEF_PASS_OUT"

# antispoof
antispoof log quick for { lo $ext_if $int_if } label "antispoof lo/INT_IF/EXT_IF"

Any thoughts?

Last edited by da1; 25th September 2015 at 07:30 AM.
Hi,

I've also tried different NAT rules, I just forgot to mention it.
Code:
match out on carp inet from !(carp:network) to any nat-to (carp:0)
match out on carp0 inet from !(carp0:network) to any nat-to carp0

I also went really specific, but the result was the same unfortunately:
Code:
match out on carp0 inet from carp1:network to any nat-to carp0

LE2:
Code:
Ruleset Tips

Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So, write your rule sets accordingly.

Don't forget that an interface name in a PF rule can be either the name of a physical interface or an address associated with that interface. For example, this rule could be correct:

pass in on fxp0 inet proto tcp from any to carp0 port 22

but replacing the fxp0 with carp0 would not work as you desire.
That feeling when you realise the answer was in front of you all along but you just didn't take the time to read it )

Darn, I feel stupid =))

So here is what I need:
Code:
match out on em0 inet from !(egress:network) to any nat-to carp0

PS: Good to be back
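The rules tried in the two posts above and the one that finally worked differ only in where the CARP name appears: in the interface position ("on carp0", "on carp"), where PF never sees a packet because it evaluates rules against the physical carpdev, or in an address position ("nat-to carp0", "to carp0 port 22"), where it is just an address and works. The following checker, an added example that is not part of the original thread or of OpenBSD's own tooling, flags CARP names only in the "on" clause of match/pass/block rules. It is a line-oriented heuristic rather than a pf.conf parser: macros are not expanded, multi-line rules are not joined, and the "carpN" naming convention is assumed. The sample ruleset is constructed from the rules quoted in this thread.

```python
"""
Added example, not from the original thread: a lint for PF rule sets that
flags CARP interface names (and the "carp" interface group) used in the
interface position of match/pass/block rules, where PF will never match
them, while leaving CARP names in address positions alone.
Heuristic only: one rule per line, macros are not expanded.
"""
import re

# "on" takes either one interface name or a brace-delimited list.
ON_CLAUSE = re.compile(r"\bon\s+(\{[^}]*\}|\S+)")
# A CARP device (carp0, carp12, ...) or the "carp" interface group.
CARP_NAME = re.compile(r"^carp\d*$")
# Rules whose "on" clause names the interface a packet is seen on.
FILTER_KEYWORDS = ("match", "pass", "block")


def interface_tokens(rule: str) -> list[str]:
    """Return every interface name used in the rule's 'on' clause(s)."""
    names: list[str] = []
    for m in ON_CLAUSE.finditer(rule):
        body = m.group(1).strip("{}")
        for tok in body.replace(",", " ").split():
            names.append(tok.lstrip("!"))  # "on !em0" still names an interface
    return names


def check_rule(rule: str) -> list[str]:
    """Return the problems found in one rule line; an empty list means OK."""
    stripped = rule.split("#", 1)[0].strip()
    if not stripped or not stripped.startswith(FILTER_KEYWORDS):
        return []  # macro, set/table/antispoof line, comment or blank
    problems = []
    for name in interface_tokens(stripped):
        if CARP_NAME.match(name):
            problems.append(
                f"'on {name}': PF sees the packet on the physical interface "
                f"(the carpdev), so this rule will never match"
            )
    return problems


def check_ruleset(text: str) -> list[tuple[int, str]]:
    """Run check_rule over every line; return (line number, problem) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for problem in check_rule(line):
            findings.append((lineno, problem))
    return findings


# Constructed sample: the rules tried in the thread, the one that worked,
# and the two forms from the OpenBSD FAQ tip quoted above.
SAMPLE_RULESET = """\
ext_if="em0"
int_if="em1"
set skip on lo0
match out on carp inet from !(carp:network) to any nat-to (carp:0)
match out on carp0 inet from !(carp0:network) to any nat-to carp0
match out on carp0 inet from carp1:network to any nat-to carp0
match out on em0 inet from !(egress:network) to any nat-to carp0
pass in on fxp0 inet proto tcp from any to carp0 port 22
pass in on carp0 inet proto tcp from any to carp0 port 22
pass in log on $int_if all label "INT_IF pass in"
"""

if __name__ == "__main__":
    for lineno, problem in check_ruleset(SAMPLE_RULESET):
        print(f"line {lineno}: {problem}")
```

Run it against the sample and lines 4, 5, 6 and 9 are reported; line 7 (the working rule) and line 8 (the FAQ's correct form, with carp0 as a destination address) pass. On a real box, pfctl -nf /etc/pf.conf still has to be the final word, since a rule that names carp0 in the wrong place is syntactically valid and loads without complaint.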
You actually helped me tons. So thx for that
I'm still a bit confused as to how the configuration works with the backup.

Right now I have a pair of routers and CARP is working on the internal interfaces, and I want to add CARP on the public interface. I get that doing NAT to the CARP address works on the active/master router because it has that address. The passive/backup router won't get any traffic to route, so the only thing going out would be internally generated. But if the backup router has a NAT to the CARP address, won't the return path be wrong?
No, because the "active" IP is on the master CARP interface.