Sorry for this bad web mailer formatting. I didn't want that.

On 12.10.2016 2:08 PM, Robert Paschedag <[email protected]> wrote:
>
> Hi all, basically, I have exactly this problem already described
> here (https://groups.google.com/forum/#!topic/bit.listserv.openbsd-pf/yZn4EUjxwfY). But
> because there is no answer since 2009, I'll give it a try.
>
> The setup of the 2 servers is also the same as in the other thread. The only
> exception is that my boxes are behind a "master" firewall which I do not
> manage. I have 2 OpenBSD 6.0 servers that should just act as a load balancer
> for SFTP connections. We use DSR mode because huge files get downloaded from
> the SFTP servers and we don't want the "load" to pass completely through the
> OpenBSD load balancers.
>
> Everything is working as long as I don't do a failover to the backup system.
> In this situation, I see that the "new" carp master "resets" the connection
> of the client. Immediately opening a new SFTP session then works as expected
> through the "new" carp master.
>
> This is my /etc/pf.conf (identical on both). Still testing...
>
> # cat /etc/pf.conf
> carp_if = "vmx0"
> sync_if = "vmx1"
>
> # already allow pfsync and carp protocols
> pass quick on $sync_if proto pfsync keep state (no-sync)
> pass on $carp_if proto carp keep state (no-sync)
>
> # allow relayd to communicate with pf and set rules
> anchor "relayd/*"
>
> And this is the relayd.conf:
>
> log updates
> prefork 5
>
> fx_vip = "VIP"
>
> table <fxhosts> {
>     "host1"
>     "host2"
> }
>
> redirect FX-SFTP {
>     listen on $fx_vip port 22 interface vmx0
>     route to <fxhosts> check tcp interface vmx0
>     sticky-address
> }
>
> This is the "ruleset" (identical on both) after reloading pf:
>
> # pfctl -a '*' -s rules
> pass quick on vmx1 proto pfsync all keep state (no-sync)
> pass on vmx0 proto carp all keep state (no-sync)
> anchor "relayd/*" all {
>   anchor "FX-SFTP" all {
>     pass in quick on vmx0 on rdomain 0 inet proto tcp from any to VIP port = 22 flags any keep state (sloppy, tcp.established 600) route-to <FX-SFTP>@vmx0 round-robin sticky-address
>   }
> }
>
> When the first connection is made, I see the state on the backup carp
> machine, but with slightly different content.
>
> This is on "master":
>
> all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
>    [0 + 1] [946261580 + 2]
>    age 00:00:35, expires in 00:09:37, 16:0 pkts, 913:0 bytes, anchor 2, rule 2, sloppy
>    id: 57fbd5520000a2b4 creatorid: d4cdd00a
>
> "expires" is 10 minutes (tcp.established 600) and I see the anchor and rule
> which generated the state.
>
> This is on "backup":
>
> all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
>    [0 + 1] [946261580 + 2]
>    age 00:00:32, expires in 23:59:41, 0:0 pkts, 0:0 bytes, sloppy
>    id: 57fbd5520000a2b4 creatorid: d4cdd00a
>
> "expires" is 1 day (?) and "backup" did not yet see any packets.
>
> Now, how can I get this to work, so the sessions won't be terminated in case
> of a failover? Every help will be appreciated.
>
> Kind regards,
> Robert
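As an added example (my own code, not from the thread, relayd or pf): a small Python script that parses verbose pf state dumps in the format quoted above (`pfctl -vvs state`) and reports, per pfsync state id, where the backup's copy differs from the master's, so a carp/pfsync pair can be checked before a failover is relied on. The sample dumps are constructed from the mail's two excerpts, with VIP and CLIENT as placeholders.

```python
import re

# Constructed sample modelled on the mail's two verbose state dumps (VIP/CLIENT stand in for real addresses).
MASTER_STATES = """\
all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
   [0 + 1] [946261580 + 2]
   age 00:00:35, expires in 00:09:37, 16:0 pkts, 913:0 bytes, anchor 2, rule 2, sloppy
   id: 57fbd5520000a2b4 creatorid: d4cdd00a
"""
BACKUP_STATES = """\
all tcp VIP:22 <- CLIENT:43334       ESTABLISHED:ESTABLISHED
   [0 + 1] [946261580 + 2]
   age 00:00:32, expires in 23:59:41, 0:0 pkts, 0:0 bytes, sloppy
   id: 57fbd5520000a2b4 creatorid: d4cdd00a
"""

def parse_states(text):
    """Map state id -> fields; indented lines continue the unindented header."""
    states, cur = {}, None
    for line in text.splitlines():
        body = line.strip()
        if body and not line[0].isspace():              # new state header
            cur = {"header": body, "anchor": None, "rule": None}
        elif cur and body.startswith("age "):
            h, mi, s = map(int, re.search(r"expires in (\d+):(\d+):(\d+)", body).groups())
            cur["expires"] = h * 3600 + mi * 60 + s     # seconds until pf drops the state
            m = re.search(r"anchor (\d+), rule (\d+)", body)
            if m:                                       # absent from the backup's copy in the mail
                cur["anchor"], cur["rule"] = int(m.group(1)), int(m.group(2))
        elif cur and body.startswith("id: "):
            m = re.match(r"id: (\w+) creatorid: (\w+)", body)
            cur["creatorid"] = m.group(2)
            states[m.group(1)] = cur                    # pfsync state id is the join key
    return states

def compare_states(master_text, backup_text):
    """List (state id, finding) for master states the backup does not mirror."""
    master, backup = parse_states(master_text), parse_states(backup_text)
    findings = []
    for sid, m in master.items():
        b = backup.get(sid)
        if b is None:
            findings.append((sid, "missing on backup"))
        elif m["rule"] is not None and b["rule"] is None:
            findings.append((sid, "no anchor/rule reference on backup"))
        if b and abs(m["expires"] - b["expires"]) > 60:
            findings.append((sid, "expires differs: master %ds, backup %ds" % (m["expires"], b["expires"])))
    return findings
```

Run against real dumps by feeding the saved output of `pfctl -vvs state` from each box to `compare_states`; any finding marks a state that the backup will not carry across a failover the way the master holds it.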