eRacks Forums

eRacks Open Source Systems forums for discussion, ideas, and support.


Twinguard for multiple IP nets

(37 posts)
  • Started 2 years ago by kenneth2k1
  • Latest reply from kenneth2k1

  1. kenneth2k1
    Member

    I am the new system admin, and the other guy who is gone now ordered the Twinguard system from eRacks. I have been reading up on CARP and what it is, but I am confused about how these are set up. I am new to this. I got an e-mail from eRacks that gave some information, but I can't really make much sense out of it. Here is the info:

    # On TWIN1:
    /etc/hostname.vr0: inet 10.1.2.134 255.255.255.0 NONE
    /etc/hostname.vr1: inet 192.168.1.134 255.255.255.0 NONE

    # On TWIN2:
    /etc/hostname.vr0: inet 10.1.2.135 255.255.255.0 NONE
    /etc/hostname.vr1: inet 192.168.1.135 255.255.255.0 NONE

    # On Both systems:
    /etc/hostname.carp0:
    inet 10.1.2.2 255.255.255.0 10.0.0.255 vhid 1 pass foo
    /etc/hostname.carp1:
    inet 192.168.1.2 255.255.255.0 192.168.0.255 vhid 2 pass bar

    I am assuming TWIN1 is the first system in the rack unit, and TWIN2 is the 2nd system?

    I don't understand what hostname.vr0 and .vr1 are supposed to represent on both TWIN1 and TWIN2.

    I understand that hostname.carp0 must be one CARP host and carp1 is another carp host. vhid 1 has a virtual IP address of 10.0.0.255 and a password of "foo" right?

    At our location we have two IP addressed networks that need to be firewalled. I will call them .1 and .2. So do I hook .1 into one computer of the rack unit, and plug .2 into the other computer of the rack unit, and then go out to my network? Also, is there any kind of port forwarding that I have to set up so that the Internet can communicate with our servers?

    Thanks for any help or advice you can give.

    Posted 2 years ago #
  2. Kenneth,

    1) TWIN1 and TWIN2 are your systems' hostnames - you can use the command:

    uname -a

    to see the hostname of the system.

    2) vr0 and vr1 are your NICs on each system, and /etc/hostname.vr0 and /etc/hostname.vr1 are the instructions on how to configure them at boot. See:

    man hostname.if

    to read up further on it.

    3) Your assumptions about CARP are incorrect - here are some good links to get you started learning about CARP:

    http://www.countersiege.com/doc/pfsync-carp/
    http://www.openbsd.org/faq/pf/carp.html
    http://www.openbsd.org/faq/faq6.html#CARP

    And here are some additional CARP resources:
    http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4
    http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8 (see the CARP subsection)
    http://www.kernel-panic.it/openbsd/carp/carp4.html

    4) Regarding your network setup and topology, without knowing more about your network and your individual needs, it is hard to comment on your proposal - other than to say that if you plug .1 into one computer (1/2 of your TwinGuard) and .2 into the other computer (the other 1/2 of your TG), then they won't be able to talk to or see each other (unless you set up explicit routing rules or tunneling through the external network, which wouldn't really be the best way to do it).

    5) IP (v4) Forwarding is turned on by default in both halves of your TG.

    NAT or Port Forwarding is your responsibility to set up through the pf (Packet Filter) firewall rules.

    6) Here is a good reference on OpenBSD's PacketFilter:

    http://www.benzedrine.cx/pf.html

    Let us know if you need more help.

    Cheers,
    Joe

    Posted 2 years ago #
  3. kenneth2k1
    Member

    Thanks for your help, Joe.

    I appreciate the literature, I will certainly read over it again.

    I see that where I think I was wrong was that I need a carp group for the WAN and one for the LAN.

    I have two internal networks. The two nets are 172.20.1.1 and 172.20.255.1. Let's say the external IP is 10.0.0.1. So what I was told by the eRacks person is that I can hook into, say, TWIN 1 and use a crossover cable to hook into TWIN 2, and then go out of TWIN 2 to my network.

    So would I want to do this??

    1. Configure carp for LAN on TWIN 1 and TWIN 2:

    ifconfig carp0 172.20.1.1 netmask 255.255.0.0

    2. Then config carp for WAN on both:

    ifconfig carp1 10.0.0.1 netmask 255.255.255.0

    I know there's more settings in there, but right now I am just trying to get a grasp of the fundamentals.

    So that would take care of one network, the 172.20.1.1, but what do I do now to set up the other 172.20.255.1 network?

    Also, I can set IP numbers in the carp groups with the ifconfig, but if I restart, they get reset. One document told me this:

    To make these settings permanent after reboot, we just need to edit the /etc/hostname.carp* and /etc/sysctl.conf files:

    /etc/hostname.carp0

    inet 172.16.0.202 255.255.255.0 172.16.0.255 vhid 1 pass password1 advbase 1 advskew 0

    /etc/hostname.carp1

    inet 172.16.240.202 255.255.255.0 172.16.240.255 vhid 2 pass password2 advbase 1 advskew 0

    /etc/sysctl.conf

    [...]
    net.inet.carp.preempt=1

    The addresses above are from the example, but how do I get to the /etc/sysctl.conf file? When I type it in, it says "Permission Denied."

    Thanks again for the help.

    Posted 2 years ago #
  4. Kenneth,

    Firstly, your steps 1 & 2 above look OK for configuring the inner & outer networks for the two twinguard units.

    Secondly, questions: Do your 172.20.1 and 172.20.255 networks need to talk to each other, through the Twinguard? What about 172.16.0 and 172.16.240? How many total networks do you have? How many need to talk to each other? This will seriously impact your network design! Do you have a network diagram?

    Thirdly, your permanent IP settings do indeed go in the /etc/hostname.<if>n files, where <if> is your two or three character NIC chipset identifier/manufacturer, and the n is the number (usually 0 or 1 in this case).

    Fourthly, the advbase and advskew parameters are typically not necessary unless you're in a more complex load balancing situation.

    Fifthly, you need to use a text editor to edit text files (!). As far as editors are concerned:

    vi is always built into every unix/linux system, but is not intuitive (unless you're used to it after 30 years :)

    Other choices include emacs (also an old-school unix editor), and newer, more accessible editors more appropriate for newbies include nano and joe. (no relation :-) There are lots of others as well - you can look in the OpenBSD packages list, for example.

    Posted 2 years ago #
  5. kenneth2k1
    Member

    Thanks for the reply. No, the two networks, 172.20.1 and 172.20.255 don't need to talk to each other, and in fact, I will need to set up different rules for each one. We only have two internal networks. The other two 172.16.0 and 240 were given in the example for making the IP settings permanent.

    Posted 2 years ago #
  6. Kenneth,

    In that case, you could have CARP on the WAN only (CARP1 in your most recent example above, 10.0.0.1) and have the two TGs serve the two internal networks independently.

    You could also just use two external IPs and not use CARP at all -

    Depends on your needs for your networks, IP address allocations, etc.

    Posted 2 years ago #
  7. kenneth2k1
    Member

    Ok, thanks a lot. I think I am almost getting there. Something I forgot to mention, we have two internal networks, however we also have two public IPs, and one needs to be routed to an internal server. Currently, our fw rules set that 208.57.255.189 gets routed to 172.20.255.189. Then we have another external IP, .187. I guess we could have one that dealt with one network, and one that dealt with the other. I just need to get into pfw and see if I can make it work.

    So, would I still config two carps, and set IPs for all the interfaces?

    On TWIN 1
    ifconfig carp1
    208.57.255.189 netmask 255.255.255.0

    ifconfig re0
    172.20.255.1 netmask 255.255.255.0

    ifconfig re1
    172.20.255.1 netmask 255.255.255.0

    On TWIN 2

    ifconfig carp2
    208.57.255.187 netmask 255.255.255.0

    ifconfig re0
    172.20.1.1 netmask 255.255.255.0

    ifconfig re1
    172.20.1.1 netmask 255.255.255.0

    I see what you mean about not having to use carp at all now, because there is no failover to one system or the other. In that case, I can just set the interfaces to the external IPs then?

    Posted 2 years ago #
  8. Firstly, in your most recent example above, you would not want to config both internal and external interfaces (re0 and re1) with the same IP. (How would the packets know which direction to go?! This would confuse the system tremendously :-)

    Secondly, it sounds like you don't need CARP in your case - you would just use one system for the .187 network, and the other for the .189 network, and set the external interfaces to the 208.xxx network, and the internal interfaces to the respective 172.xxx networks, and then set up your pf rules.

    Posted 2 years ago #
  9. kenneth2k1
    Member

    Ok, thanks. Then I will do this:

    On TWIN 1

    ifconfig re0
    208.57.255.187 netmask 255.255.255.0

    ifconfig re1
    172.20.255.1 netmask 255.255.255.0

    On TWIN 2

    ifconfig re0
    208.57.255.189 netmask 255.255.255.0

    ifconfig re1
    172.20.1.1 netmask 255.255.255.0

    So the re0 interfaces on each TWIN will be external, and the re1 interfaces will go to my internal network.

    Sounds like I'm almost there.

    Posted 2 years ago #
  10. This certainly looks reasonable.

    Posted 2 years ago #
  11. kenneth2k1
    Member

    I noticed that when it sits, sometimes it shows in a blue outline that it had a kernel panic. I can't really operate in the shell at that point. I can type things but commands like reboot don't work.

    Now, I noticed that it will freeze up completely when sitting idle, and be completely inaccessible either at the terminal or trying to access pfw through the web browser. This is not good. What kind of things can I check for?

    Posted 2 years ago #
  12. Sounds like it might be a heat, or power issue?

    What sort of environment is the server in?

    Are the vents blocked anywhere? Front, back sides?

    What peripherals are plugged into it?

    What type of line power is it on?

    Do you have it on a surge suppressor, line conditioner, or UPS?

    Posted 2 years ago #
  13. kenneth2k1
    Member

    When booting, it reports that the cpu is 95 f, so I don't think it's over-heating at all. In this computer room, our thermostat is set to 68 f.

    It is hooked into a regular power strip right now, and we've run other things on that same one and they've been fine.

    No vents blocked on any sides.

    A keyboard and vga monitor are the only things plugged into it.

    We have a UPS, do you want me to plug it into that? Would that make the OS freeze?

    Posted 2 years ago #
  14. Are both halves of the Twinguard doing this or just one?

    Does it do it with the network unplugged?

    Do you have a Memtest86 CD?

    Posted 2 years ago #
  15. kenneth2k1
    Member

    I haven't checked both sides, just TWIN 1. Let me test these problems and I will get back.

    Thanks again for all your help!!!

    Posted 2 years ago #
  16. kenneth2k1
    Member

    It seems to still be functioning since I unplugged the network cable.

    Posted 2 years ago #
  17. kenneth2k1
    Member

    Okay, I had a problem on the other system (TWIN 2) as well. I set up TWIN 2 the same way, was able to access the pfw page and within a couple of minutes of trying to set up my rules it stops responding. For example, just clicking the tabs up on the top of the page would give me the old "Internet Explorer cannot display this web page" error. It just stops working altogether.

    I followed the instructions and I am able to access it, what could be wrong??

    Posted 2 years ago #
  18. The most likely reason for this is that you put in place a rule which prevented you from accessing the very web server you are trying to use to update the rules - it's easy to do inadvertently!

    So, where are you now with it? What rules have you put into place?

    Posted 2 years ago #
  19. kenneth2k1
    Member

    Well, I had not even put any rules into place. I was in the process of adding one when it froze. Before, I was able to restart the twinguard and then I could access it again. This last time, I wasn't able to so I went onto the twinguard and tried to change the IPs of my adapters. In the middle of that, it completely froze. I still have the blinking cursor, but I cannot type anything. It's like it has completely locked me out.

    I have no idea what could be causing that, but I am going to need that problem to go away because I can't have the firewall just freezing up.

    Posted 2 years ago #
  20. > Well, I had not even put any rules into place. I was in the process of adding one when it froze.

    What was the rule you were trying to add?

    > Before, I was able to restart the twinguard and then I could access it again.
    > This last time, I wasn't able to

    If the rule you changed was restricting HTTP access and was saved to the hard disk (/etc/pf.conf), this would explain why.

    > so I went onto the twinguard and tried to change the IPs of my adapters.
    > In the middle of that, it completely froze.
    > I still have the blinking cursor, but I cannot type anything.
    > It's like it has completely locked me out.

    Could it be your keyboard? If you were typing on the console of the machine itself, the firewall rules have nothing to do with this, of course.

    Posted 2 years ago #
  21. kenneth2k1
    Member

    I was adding the "default block rule" as shown in the basic configuration video. In the Edit Filter Rule, I clicked on Block from the Type drop-down, then clicked logging, but before I clicked Save and Return, I wanted to click on Log and see what it was, so I just clicked the Log tab and it didn't go anywhere. I had not even submitted changes and it wouldn't respond.

    It could be the keyboard, but the Num Lock light goes on and off when I hit it. I will try a different keyboard, but why would I still not be able to access the pfw page even when I restart? Like I said, I was able to access it and before any changes were made, it stopped responding.

    Should I walk through the steps again in the startup guide you posted?

    Posted 2 years ago #
  22. You can always use less /etc/pf.conf from the console, to look and see what the current rules are, and if anything got saved.

    The caps-lock/num-lock/scroll-lock test (to see if the lights go on and off!) is always a good test to see if the CPU is still awake and the keyboard is connected, even if the system is otherwise unresponsive, yes.

    Still trying to understand what's causing the behavior you're seeing.

    Apache should come up on startup, and so pfw should be accessible at startup.

    The ps ax command should show several httpd (the http daemon, that's Apache) processes.

    Have you set up Apache with SSL, and a certificate? (Not required, but more secure).

    Posted 2 years ago #
  23. kenneth2k1
    Member

    Everything in the pf.conf file is commented. I assume it means the line is commented if it has the "#" at the beginning? So whatever is in those lines would not apply since it's commented, right?

    I'm sure it's not the keyboard, but it has not frozen up yet this morning. However I cannot even ping it at this point. I have just one interface plugged into the network. I get a link light and I can even do

    ifconfig re

    and it shows both adapters. It gives me a status on the one that's connected. I haven't changed any of the IPs or the hostname files. What could have possibly happened to this thing? I am wondering if I should send it back?

    Posted 2 years ago #
  24. Yes # indicates a comment. So this means nothing was saved, yet, to your pf.conf file.

    What IP addresses and netmasks are shown by the ifconfig command?

    Posted 2 years ago #
  25. kenneth2k1
    Member

    re0
    IP: 172.20.255.15
    Netmask: 0xffff0000

    re1
    IP: 172.20.255.16
    Netmask: 0xffff0000

    The netmask seems to be showing that, but I know I configured it with 255.255.0.0, and that's what shows in the hostname files also.

    Posted 2 years ago #
  26. 1) You've configured both your NICs with the same subnet! This won't work.

    Your earlier post, above, indicates you wanted to have the external/WAN IP (208.57.255.x) set up on re0. Also your earlier netmasks, above, are 24-bit, whereas the ones you've just shown are 16-bit.

    2) 255.255.0.0 is the same netmask as 0xffff0000 - the second one is in hexadecimal.

    Posted 2 years ago #
  27. kenneth2k1
    Member

    Well, only one NIC was plugged in at a time, so they were never run in series.

    The netmasks are a typo on my part. All the adapters and the hostname files have been set with 255.255.0.0, as it is on our network.

    Posted 2 years ago #
    But, if you had 2 NICs configured with the same subnet, the kernel can't figure out which one to send to (!) this would account for why there were no responses to the pings!

    The way you have stated your configuration, previously, was with two /24 subnets -

    /24 refers to the number of bits in the netmask, so 255.25.255.0 is a /24, and 255.255.0.0 is a /16, for two examples

    So, in your original configuration, you had 172.20.1.1 as one network and 172.20.255.1 as the other network, both on /24s -

    But if these are both /16, then they are on the SAME SUBNET, 172.20.x.x

    These things fall under the basics of networking fundamentals, there are many good resources for this available on the net. I'm just repeating them here for your benefit because they are relevant to the issues.

    Posted 2 years ago #
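    As an added example (not from this thread, and not eRacks code), here is a small checker for the hostname.if(5) and ifconfig values discussed in posts 25 through 28: it accepts both dotted-quad and hex netmasks, flags two interfaces whose subnets overlap (the misconfiguration that stopped the pings here), and flags a CARP line whose broadcast address does not belong to its own network. The sample lines are constructed; the line format follows the hostname.if examples quoted earlier in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed sample (not from the thread): re0/re1 mirror the ifconfig output in
# post 25 (both NICs on one /16); carp0 has a deliberately mismatched broadcast.
SAMPLE_CONFIG = {
    "re0": "inet 172.20.255.15 0xffff0000 NONE",
    "re1": "inet 172.20.255.16 255.255.0.0 NONE",
    "carp0": "inet 10.0.0.1 255.255.255.0 10.0.1.255 vhid 1 pass foo",
}

def netmask_to_prefix(mask):
    """Prefix length from a dotted-quad (255.255.0.0) or hex (0xffff0000) mask."""
    if mask.lower().startswith("0x"):
        value = int(mask, 16)
    else:
        value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:  # e.g. 255.0.255.0
        raise ValueError(f"non-contiguous netmask {mask}")
    return bits

def parse_hostname_if(line):
    """Parse 'inet ADDR MASK [BROADCAST|NONE] [key value ...]' into
    (IPv4Interface, broadcast address or None, options dict)."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "inet":
        raise ValueError(f"unsupported hostname.if line: {line!r}")
    iface = ipaddress.IPv4Interface(f"{fields[1]}/{netmask_to_prefix(fields[2])}")
    rest, bcast = fields[3:], None
    if rest and rest[0] == "NONE":
        rest = rest[1:]
    elif rest:
        try:
            bcast, rest = ipaddress.IPv4Address(rest[0]), rest[1:]
        except ValueError:
            pass  # first extra token is an option keyword such as 'vhid'
    return iface, bcast, dict(zip(rest[0::2], rest[1::2]))

def check_config(config):
    """Return findings for a {ifname: hostname.if line} mapping: a broadcast
    address outside its own network, and any two interfaces whose subnets overlap."""
    parsed = {name: parse_hostname_if(line) for name, line in config.items()}
    findings = []
    for name, (iface, bcast, _) in parsed.items():
        if bcast is not None and bcast != iface.network.broadcast_address:
            findings.append(f"{name}: broadcast {bcast} does not match {iface.network}")
    for (a, (ia, _, _)), (b, (ib, _, _)) in combinations(parsed.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"{a} ({ia}) and {b} ({ib}) overlap: the kernel cannot pick a NIC")
    return findings

if __name__ == "__main__":
    print(*check_config(SAMPLE_CONFIG), sep="\n")
```

    Re-running the check on the corrected layout from post 29 (one NIC on 172.20.0.0/16, the other on 10.0.0.0/24) returns no findings.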
  29. kenneth2k1
    Member

    Oh, ok. That makes sense then. Sorry, all I've ever done is just plug in numbers. Let me see if I can make it work again...

    Yes, it is working again. I moved the other interface to the 255.255.255.0 netmask with an IP of 10.0.0.1, which I think is just nothing.

    Now I will monitor if it does not freeze up. Thanks for your help again.

    Posted 2 years ago #
  30. kenneth2k1
    Member

    Ok, now it's unresponsive again.

    I am plugged in to re0 with 172.20.255.15 netmask 255.255.0.0. The other nic re1, which is unplugged, was set to 10.0.0.1 netmask 255.255.255.0.

    blinking cursor, but I cannot type anything into the console, and the pfw stopped working.

    Posted 2 years ago #
