Failover with CARP in PF: Part Four (Configuration)

In this article, I continue with the configuration of a hypothetical CARP setup with two redundant firewalls.

Configuring the Interfaces

In the previous article, we used ifconfig to configure the CARP interfaces. In production use, you probably want to configure these interfaces with a passphrase (the pass option, which CARP uses to authenticate the advertisements exchanged between the hosts); e.g.:

ifconfig carp0 pass mypassphrase 50.87.147.42/24 vhid 1
ifconfig carp1 pass mypassphrase 192.168.10.1/24 vhid 2

Configuration for the network cards is placed in /etc/rc.conf; for carp0 and carp1, we can add the following:

#External CARP Interface
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"

#Internal CARP interface
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"

We also need to configure the external and internal public interfaces:

#External Public Interface
ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"

#Internal Public Interface
ifconfig_if1="inet 192.168.10.10 netmask 255.255.255.0"


Once the two CARP interfaces and the internal and external interfaces are configured, it is time to consider state table synchronization between the hosts in the redundancy group. With synchronized state tables on the redundant firewalls, in almost all cases the traffic will see no disruption during failover. For state table synchronization, you will need a set of properly configured pfsync interfaces.

Configuring pfsync is fairly straightforward, but it does require some planning. As I mentioned in part two of this series, it is generally a better idea to set up a separate network for the synchronization. In our hypothetical configuration, I have set aside 192.168.11.224/28 for pfsync. In this setup, a crossover cable would be good enough to connect the two Ethernet interfaces, but in setups with more than two hosts, you may want to set up a separate switch, hub, or VLAN.

In this configuration, the interfaces we are planning to use for the synchronization have been assigned IP addresses 192.168.11.225 and 192.168.11.226, respectively. With the basic TCP/IP configuration done already, we add the following lines to rc.conf:

#pfSync Interface:
ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.240"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"

Here we have configured the if2 interface and the pfsync0 interface, with syncif enabling pfsync on if2. We could have just typed:

ifconfig_pfsync0="up syncif if2"

But adding the syncpeer option adds an additional layer of security. By default, pfsync updates are multicast on the local network. The syncpeer option overrides that behavior and instead unicasts the updates to 192.168.11.226.

Putting it All Together: A Sample rc.conf

This takes us to the end of the basic network configuration for CARP-based failover. Our hypothetical rc.conf for firewall one should look like this:

cloned_interfaces="carp0 carp1"
network_interfaces="lo0 if0 if1 if2 pfsync0"

gateway_enable="YES"
ifconfig_lo0="inet 127.0.0.1"

#External Public Interface
ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"

#Internal Public Interface
ifconfig_if1="inet 192.168.10.10 netmask 255.255.255.0"

#External CARP Interface
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"

#Internal CARP interface
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"

#pfSync Interface:
ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.240"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"

icmp_drop_redirects="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""


The rc.conf for the second firewall is similar, but the IPs for if0, if1 and if2 are different, and the syncpeer points back at the first firewall:

cloned_interfaces="carp0 carp1"
network_interfaces="lo0 if0 if1 if2 pfsync0"

gateway_enable="YES"
ifconfig_lo0="inet 127.0.0.1"

#External Public Interface
ifconfig_if0="inet 50.87.147.60 netmask 255.255.255.0"

#Internal Public Interface
ifconfig_if1="inet 192.168.10.11 netmask 255.255.255.0"

#External CARP Interface
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"

#Internal CARP interface
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"

#pfSync Interface:
ifconfig_if2="inet 192.168.11.226 netmask 255.255.255.240"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.225"

icmp_drop_redirects="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
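The two rc.conf files have to agree with each other in several places: the virtual address, vhid and passphrase of carp0 and carp1 must be identical on both hosts, the per-host addresses on if0, if1 and if2 must differ, and each host's syncpeer must be the other host's address on the sync interface. These are easy to get wrong when one file is produced by copying and editing the other, and a syncpeer that is simply left out makes pfsync fall back to multicast without any error. The POSIX shell script below is an added example, not part of the original article and not FreeBSD's own tooling: it parses two rc.conf files and checks those invariants. The helper names (rcval, field, addr_of, check_carp_pair) and the sample files it writes are this example's own; the samples follow the hypothetical if0/if1/if2 naming and addresses used in this series. Keep in mind that pfsync updates carry no authentication of their own, which is why a dedicated sync network is recommended; unicasting to a syncpeer narrows who receives the state updates but does not authenticate them.

```shell
#!/bin/sh
# Added example (not from the article or from FreeBSD): check that two rc.conf
# files form a consistent CARP/pfsync pair. Helper names and the sample files
# below are this example's own; if0/if1/if2 and the addresses follow the
# article's hypothetical setup.

# rcval FILE KEY: print the value of KEY="..." in an rc.conf (last assignment wins).
rcval() {
    awk -v key="$2" '
        $0 ~ "^[ \t]*" key "=" {
            v = substr($0, index($0, "=") + 1)   # text after the first "="
            gsub(/["'\'']/, "", v)               # strip the surrounding quotes
            val = v
        }
        END { print val }' "$1"
}

# field STRING KEYWORD: print the word that follows KEYWORD in an ifconfig string.
field() {
    printf '%s\n' "$1" | awk -v kw="$2" '{ for (i = 1; i < NF; i++) if ($i == kw) print $(i + 1) }'
}

# addr_of STRING: print the first IPv4 address in the string, without any /prefix.
addr_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { sub("/.*", "", $i); print $i; exit } }'
}

# check_carp_pair RC1 RC2: return 0 if the two files form a consistent failover
# pair; otherwise print every problem found and return 1.
check_carp_pair() {
    rc=0
    for carp in carp0 carp1; do
        c1=$(rcval "$1" "ifconfig_$carp"); c2=$(rcval "$2" "ifconfig_$carp")
        # The virtual address, vhid and passphrase of a CARP group must match on both hosts.
        [ -n "$(field "$c1" pass)" ] || { echo "$carp: no passphrase set"; rc=1; }
        [ "$(field "$c1" pass)" = "$(field "$c2" pass)" ] || { echo "$carp: passphrase differs"; rc=1; }
        [ "$(field "$c1" vhid)" = "$(field "$c2" vhid)" ] || { echo "$carp: vhid differs"; rc=1; }
        [ "$(addr_of "$c1")" = "$(addr_of "$c2")" ] || { echo "$carp: virtual address differs"; rc=1; }
    done
    # The two CARP interfaces on one host must use different vhids.
    [ "$(field "$(rcval "$1" ifconfig_carp0)" vhid)" != "$(field "$(rcval "$1" ifconfig_carp1)" vhid)" ] ||
        { echo "carp0 and carp1 share a vhid"; rc=1; }
    # The physical (per-host) addresses must differ between the hosts.
    for ifn in if0 if1 if2; do
        [ "$(addr_of "$(rcval "$1" "ifconfig_$ifn")")" != "$(addr_of "$(rcval "$2" "ifconfig_$ifn")")" ] ||
            { echo "$ifn: both hosts use the same address"; rc=1; }
    done
    # pfsync: each host's syncpeer must be the other host's address on its syncif.
    # An empty syncpeer means pfsync falls back to multicast; that is reported here too.
    p1=$(rcval "$1" ifconfig_pfsync0); p2=$(rcval "$2" ifconfig_pfsync0)
    s1=$(field "$p1" syncif); s2=$(field "$p2" syncif)
    [ "$(field "$p1" syncpeer)" = "$(addr_of "$(rcval "$2" "ifconfig_$s2")")" ] ||
        { echo "host 1: syncpeer is not host 2's $s2 address"; rc=1; }
    [ "$(field "$p2" syncpeer)" = "$(addr_of "$(rcval "$1" "ifconfig_$s1")")" ] ||
        { echo "host 2: syncpeer is not host 1's $s1 address"; rc=1; }
    return $rc
}

# Constructed sample files (not real hosts), written to a scratch directory.
TMP=$(mktemp -d)
FW1="$TMP/fw1.rc.conf"; FW2="$TMP/fw2.rc.conf"; FW2_BAD="$TMP/fw2-bad.rc.conf"
cat > "$FW1" <<'EOF'
network_interfaces="lo0 if0 if1 if2 pfsync0"
ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"
ifconfig_if1="inet 192.168.10.10 netmask 255.255.255.0"
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.240"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"
EOF
cat > "$FW2" <<'EOF'
network_interfaces="lo0 if0 if1 if2 pfsync0"
ifconfig_if0="inet 50.87.147.60 netmask 255.255.255.0"
ifconfig_if1="inet 192.168.10.11 netmask 255.255.255.0"
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
ifconfig_if2="inet 192.168.11.226 netmask 255.255.255.240"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.225"
EOF
# A broken copy of the second file: carp1 passphrase mistyped and syncpeer left out.
sed -e 's/vhid 2 pass mypassphrase/vhid 2 pass mypassphrse/' \
    -e 's/ syncpeer 192.168.11.225//' "$FW2" > "$FW2_BAD"

# Usage: check_carp_pair /path/to/fw1/rc.conf /path/to/fw2/rc.conf
check_carp_pair "$FW1" "$FW2" && echo "fw1/fw2: consistent"
check_carp_pair "$FW1" "$FW2_BAD" || echo "fw1/fw2-bad: inconsistent"
```

Run it against copies of the two real files before rebooting either firewall; the checks are deliberately strict about the passphrase being present, since a CARP interface without one accepts advertisements from any host that can reach the segment, and about the syncpeer, since multicast delivery widens who receives the state table.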

This covers the basic configuration of our hypothetical dual firewall CARP setup. In the next article, I will construct a rule set for it.

External Links:

PF: Firewall Redundancy with CARP and pfsync at openbsd.org

Redundant Failover Firewall with pf, pfsync and CARP under FreeBSD at familywilson.collectingrarecoins.com

© 2013 David Zientara. All rights reserved.