Kyle Lanclos | 23 Apr 20:49

Simultaneous CARP failover for multiple interfaces

I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration, each straddling two routed networks.
The CARP interface on the internal network is the default gateway for
that subnet. The CARP interface on the external network is the default
destination for traffic aimed at the internal network.

It all works splendidly, with one exception.

In order for our firewall to operate effectively, we use 'keep state'
pf rules. We empirically determined that we must have CARP preemption
enabled, otherwise pf cannot properly establish state for new TCP
connections. If pfsync could be told to synchronize incomplete states,
this issue might go away.

Example: firewall1 is the master on the carp1 interface, and firewall2
is the master on the carp2 interface. Inbound traffic to an internal
host arrives via the carp1 interface, and return traffic arrives via
the carp2 interface. pf will not establish state for this new connection
since the inbound and return traffic are not handled by the same firewall
host.

We thus use CARP preemption to force one of the firewalls to always come
up as the master for both CARP interfaces. This is not so unreasonable,
though it might be nice if the documentation presented this use-case (or
similar) as a rationale for needing CARP preemption.

Where this presents a problem is if the current CARP master loses a single
network interface (cable unplugged, isolated hardware failure, sysadmin
failure, etc.), as opposed to the CARP master failing entirely. The slave
will appropriately assume the master role for one CARP interface, but will
(Continue reading)

Andy Lemin | 11 Apr 15:02

inbound queueing on external interface due to multiple internal interfaces

Hello,
I know this has been discussed before, but I am not a developer (I
wish I did have the skills, as I would code this myself otherwise).
I have a huge respect for all that the OpenBSD community does and this
is not a whinge or a moan; please hear our woes.

Yes, of course downstream queuing is only of benefit for TCP, to get
the sender to slow down etc., but that is exactly what we need.
If we don't queue downstream traffic, our downstream link gets
saturated and our ISP starts to drop random packets. If we do the
downstream queuing here, we pre-emptively drop low priority packets
before saturation, thus slowing the sender down before saturating the
WAN's downstream and leaving headroom for VoIP etc.

We have a firewall with 4 internal interfaces for various different
subnets and 1 external WAN interface like many users have. Queuing
upload traffic is easy on the WAN interface, but downstream traffic
needs to be queued on each of the internal interfaces.
Initially this would seem fine, until you realise that if 3 of the 4
internal interfaces are idle the busy 4th interface cannot use the
entire download bandwidth available on the WAN. This is because you
can only assign a 'slice' of the total download bandwidth (summing to
100% of WAN speed) to each of the internal interfaces resulting in
very inefficient download utilisation across the internal zones.

I appreciate that we could buy 'another' 2 boxes with only two
interfaces to sit on the WAN link (both running CARP etc) but this
seems extremely inefficient, wasteful, harder to manage and simply
ugly when compared to other features of OpenBSD, to end up with 4
boxes (2 multi-zone firewalls, and 2 queue servers) to achieve
(Continue reading)

Kevin Bowling | 7 Feb 11:03

CARP ip balancing on ExtremeWare

I'm having a hell of a time using Extreme Networks Summit 400-24t
switches with IP balancing of any type.

I've tried OpenBSD 5.0 and a -current snapshot from Feb 02.  I've
tried all the modes, but none of them work.  There's not a good way
I'm aware of to do port mirroring for ip-unicast, but I don't
understand why ip-stealth isn't working.  I manually clear the
forwarding database after activating ip-stealth.

I'm just about to relegate these to dumb switch duty and try and find
some other vendor that just works.  Any chance someone else has
cracked the code on these with pf in the past?

Regards,
Kevin

Justin Murdock | 30 Jan 13:31

handling local traffic

OpenBSD 4.9 GENERIC.MP#819 amd64

I'm not quite sure when things changed, but I can no longer apply rules 
to locally originating traffic:
     match in log on lo

now only logs local->local traffic and
     match out log received-on lo

logs nothing. The best I can do, it seems, is to
     match in tag "EXTERNAL"
     match out log tagged ""

More worrying for me, however, is the inability to control traffic being 
received by the host. I want to be able to

     pass on $dmz to port {http, https, ssh}
     block out on lo
     pass out on lo from <trusted> to port ssh

I feel I must be missing something, I'm just not sure what.

pizzahut | 12 Jan 15:15

Matter with transparent proxy


Hello,

I am now trying to create a transparent proxy using squid and OpenBSD 5.0
Packet Filter, all passing through a bridge.

Squid runs; I tested the bridge, and machines located on the other side
can access the outside.

The problem is that when I try to redirect traffic using packet filter to
127.0.0.1 on the port squid is listening on (port 3128), nothing happens: the machine
on the other side can access the Internet and suffers none of the restrictions
previously configured in squid.

If anyone has an idea of the problem, please let me know.

thank you

I want to copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

Hi
In our workplace, we have over 24 computers and all of them are Windows,
and I have a NAT server. This NAT server uses FreeBSD 8.2 AMD64, and I use
PF for NAT with FreeBSD 8.2. After much searching on Google, I found this
pf.conf

====================================================
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS ############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
(Continue reading)

Bentley78 | 1 Nov 18:10

problems with PF and DMZ nat

Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a
couple of reasons: I'm tired of paying Cisco money just to receive
updates, tired of the license limits, and the device is about six years
old.

So I have an Atom server with three interfaces, one each for public/DMZ/
internal.

The current config with the ASA is the following:

external (now fxp1) ---> Firewall ---> DMZ (192.168.100.0/24) (now
fxp0) ---> Internal (192.168.200.0/24) (now re0).

I don't really want to re-IP the nodes in the DMZ so if possible I'd
like to keep everything the same. I've purchased the book of PF
version 2 but still need some assistance. Here is my pf.conf:

#MACROS
_int="re0"
lan="re0:network"

_dmz="fxp0"
dmz="192.168.100.0/24"

mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

#TABLES

(Continue reading)

Daniel Rapp | 23 Aug 13:00

anonymous VPN service and openbsd..

Hi, has anybody tried to set up an openvpn/pptp connection on their
OpenBSD firewall to an anonymous VPN service and redirect only
torrent traffic through the tunnel?

-- 

Best regards,
Daniel Rapp

elerdin | 23 Aug 12:00

PF load balancing

Hello, I have two internet connections and I want to use both with
round-robin load balancing, only for outgoing connections. I found
various solutions on the web, but I did not manage to adapt them
to my scenario. One internet connection is a normal ADSL line: there
is a modem that I connect to the OpenBSD router, and the interface
receives its dynamic IP using DHCP. The other connection has a static
IP address and gateway. Now I'm reading the PF documentation, but while
I study I need a "fast and dirty" solution that "just works". Can
someone help me?

Thanks, Elerdin.

Schmurfy | 8 Aug 16:11

pf reply-to problem

Hi,
I am currently running OpenBSD 4.9 as a router/firewall for my work and so far I have a nearly fully working config, but there is something I cannot manage to do :(

Here is my configuration:
The server has 1 physical interface. I added a gif interface to connect it to a remote machine which is used to route most of the traffic; on this gif interface I have incoming requests I want to pass through squid.

Here is my pf.conf file (prettier version here: https://gist.github.com/1131783 ):

    phys_if = "re0"

    c1_tunnel = "gif1001"
    c1_tunnel_dst = "95.140.15.38"
    c1_tunnel_src = "87.98.149.50"
    c1_escape = "87.98.154.179"

    set skip on lo0
    set block-policy drop

    # block any packet with no match
    block log all

    # allow our own services to work
    pass in on $phys_if proto tcp from any to $phys_if port { ssh } synproxy state
    pass in on $phys_if inet proto icmp from any to $phys_if
    pass out on $phys_if label "system"

    # allow ipip traffic (gif interface)
    pass in on $phys_if from $c1_tunnel_dst to $c1_tunnel_src label "c1_tunnel"
    pass out on $phys_if from $c1_tunnel_src to $c1_tunnel_dst label "c1_tunnel"

    # tag incoming packets from the tunnel and from
    # the outside to the public ip address
    match in log(matches) on $c1_tunnel tag "c1"
    match in log(matches) on $phys_if from any to $c1_escape tag "c1"

    # Allow incoming packet to port 80 and redirect them to squid
    pass in log(matches, all) on $c1_tunnel proto tcp to port 80 \
      rdr-to 127.0.0.1 port 1001 \
      reply-to ($c1_tunnel 10.0.0.5) \
      tagged "c1" label "c1_proxied_traffic"

The result is that I cannot establish a tcp connection to port 80 for a machine behind the gif tunnel. Here is what tcpdump says on this machine ( tcpdump -s 0 -vlni <interface> port 80 ):

IP (tos 0x0, ttl  62, id 8175, offset 0, flags [DF], length: 60) <client_address>.21746 > <web_address>.80: S [tcp sum ok] 3993732249:3993732249(0) win 65535 <mss 1380,nop,wscale 3,sackOK,timestamp 442132554 0>
IP (tos 0x0, ttl  64, id 59219, offset 0, flags [DF], length: 64) <web_address>.80 > <client_address>.21746: S [tcp sum ok] 3332347257:3332347257(0) ack 3993732250 win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2569862135 442132554>

IP (tos 0x0, ttl  62, id 8176, offset 0, flags [DF], length: 52) <client_address>.21746 > <web_address>.80: . [tcp sum ok] ack 1 win 8208 <nop,nop,timestamp 442132595 2569862135>
IP (tos 0x0, ttl  62, id 8189, offset 0, flags [DF], length: 54) <client_address>.21746 > <web_address>.80: P [tcp sum ok] 1:3(2) ack 1 win 8208 <nop,nop,timestamp 442134444 2569862135>
IP (tos 0x0, ttl  64, id 65354, offset 0, flags [DF], length: 58) <web_address>.80 > <client_address>.21746: P [bad tcp cksum a676 (->a9cf)!] 1:7(6) ack 3 win 2052 <nop,nop,timestamp 2569862139 442134444>

IP (tos 0x0, ttl  62, id 8190, offset 0, flags [DF], length: 54) <client_address>.21746 > <web_address>.80: P [tcp sum ok] 1:3(2) ack 1 win 8208 <nop,nop,timestamp 442134770 2569862135>
IP (tos 0x0, ttl  64, id 23274, offset 0, flags [DF], length: 52) <web_address>.80 > <client_address>.21746: . [bad tcp cksum b6c8 (->ba21)!] ack 3 win 2052 <nop,nop,timestamp 2569862139 442134770>

IP (tos 0x0, ttl  62, id 8194, offset 0, flags [DF], length: 54) <client_address>.21746 > <web_address>.80: P [tcp sum ok] 1:3(2) ack 1 win 8208 <nop,nop,timestamp 442135222 2569862135>
IP (tos 0x0, ttl  64, id 4613, offset 0, flags [DF], length: 52) <web_address>.80 > <client_address>.21746: . [bad tcp cksum b503 (->b85c)!] ack 3 win 2052 <nop,nop,timestamp 2569862140 442135222>
IP (tos 0x0, ttl  62, id 8199, offset 0, flags [DF], length: 54) <client_address>.21746 > <web_address>.80: P [tcp sum ok] 1:3(2) ack 1 win 8208 <nop,nop,timestamp 442135926 2569862135>
IP (tos 0x0, ttl  64, id 41419, offset 0, flags [DF], length: 52) <web_address>.80 > <client_address>.21746: . [bad tcp cksum b241 (->b59a)!] ack 3 win 2052 <nop,nop,timestamp 2569862142 442135926>

IP (tos 0x0, ttl  62, id 8205, offset 0, flags [DF], length: 52) <client_address>.21746 > <web_address>.80: F [tcp sum ok] 3:3(0) ack 1 win 8208 <nop,nop,timestamp 442136662 2569862135>
IP (tos 0x0, ttl  62, id 8209, offset 0, flags [DF], length: 54) <client_address>.21746 > <web_address>.80: FP [tcp sum ok] 1:3(2) ack 1 win 8208 <nop,nop,timestamp 442137134 2569862135>
IP (tos 0x0, ttl  64, id 43519, offset 0, flags [DF], length: 58) <web_address>.80 > <client_address>.21746: P [bad tcp cksum 9bee (->9f47)!] 1:7(6) ack 3 win 2052 <nop,nop,timestamp 2569862145 442137134>

There is only one packet from the web server (which is in fact my server, since the request was redirected to squid) which finds its way to the client; after that all the checksums are wrong and I suppose the packets are dropped, since they never reach my client (which is curl). I tried to figure out why the checksums could be wrong but I am now out of ideas...

I hope someone can help me on this.

Ben Harper | 19 Jul 15:49

NAT out to two DSL modems

Hi,
I'm trying to NAT out to two DSL modems.
I have three network cards on three subnets:
re0: 192.168.4.0/24       Internal
re1: 41.134.100.222/29    DSL_A
re2: 10.10.10.5/24        DSL_B

I can NAT out to either re1 or re2, but I have to make my default
gateway point to the relevant gateway on that network.
How can I tell the route tables or the nat-to command what the gateway
machine is?

So I can do this, but ***only if my default gateway is
41.134.100.217*** (which is the gateway for that net):
pass out on re1 proto tcp from 192.168.4.0/24 to any nat-to re1

Likewise, I can do this, but once again, ***only if my default gateway
is 10.10.10.1*** (which is the gateway for that net):
pass out on re2 proto tcp from 192.168.4.0/24 to any nat-to re2

I believe I should be able to make this work without ANY default
gateway. But then where do I tell the system
what these two gateway machines are?

Thanks,
Ben


Gmane