Now, after CARP is done, we need to set up the firewall itself, PF, which will handle NAT, firewall rules, port forwards and so on. Since we're using CARP, we also need to keep the state of all connections in sync between the gateways, so that if a gateway fails, the clients won't notice anything.
To do this, we've connected em4 on one gateway directly to em4 on the other (a crossover cable; it does not go through any switch). This is done because the pfsync protocol doesn't provide any cryptography or authentication mechanism; thus, if you don't run it over a secure network such as that direct cable, an attacker may use spoofed pfsync packets to alter the firewall's state tables and bypass filter rules.
First gateway:
```
root@alihlt-carp0:~$ ifconfig em4 172.30.30.1 netmask 255.255.255.0
root@alihlt-carp0:~$ ifconfig pfsync0 syncdev em4
root@alihlt-carp0:~$ ifconfig pfsync0 up
root@alihlt-carp0:~$ ifconfig pfsync0
pfsync0: flags=41<UP,RUNNING> mtu 1500
	priority: 0
	pfsync: syncdev: em4 maxupd: 128 defer: off
	groups: carp pfsync
root@alihlt-carp0:~$ echo "inet 172.30.30.1 255.255.255.0 172.30.30.255" > /etc/hostname.em4
root@alihlt-carp0:~$ echo "up syncdev em4" > /etc/hostname.pfsync0
```
And on the other:
```
root@alihlt-carp1:~$ ifconfig em4 172.30.30.2 netmask 255.255.255.0
root@alihlt-carp1:~$ ifconfig pfsync0 syncdev em4
root@alihlt-carp1:~$ ifconfig pfsync0 up
root@alihlt-carp1:~$ ifconfig pfsync0
pfsync0: flags=41<UP,RUNNING> mtu 1500
	priority: 0
	pfsync: syncdev: em4 maxupd: 128 defer: off
	groups: carp pfsync
root@alihlt-carp1:~$ echo "inet 172.30.30.2 255.255.255.0 172.30.30.255" > /etc/hostname.em4
root@alihlt-carp1:~$ echo "up syncdev em4" > /etc/hostname.pfsync0
```
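As an added example (my own script, not part of the original post), a small sh check for the setup above: it confirms pfsync0 is UP,RUNNING, that its syncdev is the interface reserved for the direct cable, and that this interface is addressed inside the private 172.30.30.0/24 link, so unauthenticated pfsync traffic cannot be reached from the production networks. The `ifconfig` outputs it parses are the ones shown above, embedded as constants; the function name and its arguments are my own.

```shell
#!/bin/sh
# check_pfsync: verify that pfsync0 is up and bound to the dedicated sync link.
#   $1 = output of `ifconfig pfsync0`     $2 = output of `ifconfig <syncdev>`
#   $3 = expected syncdev name            $4 = expected link prefix, e.g. 172.30.30.
# Prints the reason and returns 1 on the first failed check, 0 if all pass.
check_pfsync() {
    pfsync_out=$1; syncdev_out=$2; want_dev=$3; want_prefix=$4

    # pfsync0 must be administratively up and have a carrier on its syncdev.
    case "$pfsync_out" in
        *"UP,RUNNING"*) ;;
        *) echo "pfsync0 is not UP,RUNNING"; return 1 ;;
    esac

    # The syncdev must be the interface reserved for the crossover link.
    dev=$(printf '%s\n' "$pfsync_out" | sed -n 's/.*syncdev: \([a-z]*[0-9]*\).*/\1/p')
    if [ "$dev" != "$want_dev" ]; then
        echo "syncdev is '${dev:-unset}', expected $want_dev"; return 1
    fi

    # The syncdev's IPv4 address must lie inside the private link network
    # (only the 'inet ' line is matched; 'inet6' lines are ignored).
    addr=$(printf '%s\n' "$syncdev_out" | sed -n 's/.*inet \([0-9.]*\) .*/\1/p')
    case "$addr" in
        "$want_prefix"*) ;;
        *) echo "syncdev address '${addr:-none}' not in ${want_prefix}0/24"; return 1 ;;
    esac
    return 0
}

# Constructed sample outputs, copied from the gateway session above.
PFSYNC_OK='pfsync0: flags=41<UP,RUNNING> mtu 1500
	priority: 0
	pfsync: syncdev: em4 maxupd: 128 defer: off
	groups: carp pfsync'
EM4_OK='em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.30.30.1 netmask 0xffffff00 broadcast 172.30.30.255'
# Constructed failure cases: pfsync0 not yet brought up, and a syncdev that
# was mistakenly given an address on a production network.
PFSYNC_DOWN='pfsync0: flags=0<> mtu 1500
	pfsync: syncdev: em4 maxupd: 128 defer: off'
EM4_WRONG_NET='em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255'

if check_pfsync "$PFSYNC_OK" "$EM4_OK" em4 172.30.30.; then echo "pfsync link OK"; fi
```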
The next part will cover configuring NAT and the initial firewall rules.