OpenBSD 4.0+ PF + PFSYNC + CARP

xagcf

OpenBSD 4.0+ PF + PFSYNC + CARP
                                               
                                               
                                                                                                                                                                                                                        参考:
http://www.countersiege.com/doc/pfsync-carp/
由于学校的病毒比较多，用一台服务器做防火墙觉得有点压力，现在打算改用两台做
进出负载,下面的具体的操作过程！
环境:
两台OpenBSD,每台OpenBSD均有三块网卡.
机器1:
# cat /etc/hostname.carp* (carp0 ~ carp3)
复制内容到剪贴板代码:vhid 1 pass foo 10.0.0.213 255.255.0.0
vhid 2 advskew 100 pass foo 10.0.0.213 255.255.0.0
vhid 3 pass foo 192.168.22.13 255.255.255.0
vhid 4 advskew 100 pass foo 192.168.22.13 255.255.255.0# cat /etc/hostname.pcn* (pcn0 ~ pcn2)
复制内容到剪贴板代码:inet 10.0.0.211 255.255.0.0 NONE
inet 192.168.22.11 255.255.255.0 NONE
inet 192.168.23.11 255.255.255.0 NONE# cat /etc/stsctl.conf
复制内容到剪贴板代码:net.inet.carp.arpbalance=1
net.inet.ip.forwarding=1  

机器2:
# cat /etc/hostname.carp* (carp0 ~ carp3)
复制内容到剪贴板代码:vhid 1 advskew 100 pass foo 10.0.0.213 255.255.0.0
vhid 2 pass foo 10.0.0.213 255.255.0.0
vhid 3 advskew 100 pass foo 192.168.22.13 255.255.255.0
vhid 4 pass foo 192.168.22.13 255.255.255.0# cat /etc/hostname.pcn* (pcn0 ~ pcn2)
复制内容到剪贴板代码:inet 10.0.0.212 255.255.0.0 NONE
inet 192.168.22.12 255.255.255.0 NONE
inet 192.168.23.12 255.255.255.0 NONE# cat /etc/stsctl.conf
复制内容到剪贴板代码:net.inet.carp.arpbalance=1
net.inet.ip.forwarding=1   
#cat /etc/pf.conf
复制内容到剪贴板代码:ext_if  = "pcn0"
int_if  = "pcn1"
sync_if = "pcn2"
loop_if = "lo0"
nat on $ext_if from $int_if:network to any -> $ext_if
pass quick on { $sync_if } proto pfsync
pass on { $ext_if $int_if } proto carp keep state
pass in quick all keep state
pass out quick all keep statetest1# cat /etc/hostname.fxp0~fxp2复制内容到剪贴板代码:inet 10.3.2.2 255.255.254.0 NONE
inet 192.168.10.2 255.255.254.0 NONE
inet 192.168.50.2 255.255.255.0 NONEtest1# cat /etc/hostname.carp0~carp3复制内容到剪贴板代码:inet 10.3.2.254 255.255.254.0 10.3.3.255 vhid 1 pass foo
inet alias 10.3.2.253 255.255.254.0 10.3.3.255 vhid 1 pass foo
inet 10.3.2.254 255.255.254.0 10.3.3.255 vhid 2 advskew 100 pass foo
inet alias 10.3.2.253 255.255.254.0 10.3.3.255 vhid 2 advskew 100 pass foo
inet 192.168.10.1 255.255.254.0 192.168.11.255 vhid 1 pass bar
inet 192.168.10.1 255.255.254.0 192.168.11.255 vhid 2 advskew 100 pass bartest1# cat /etc/hostname.pfsync0复制内容到剪贴板代码:up syncif vr1test2# cat /etc/hostname.fxp0~fxp2复制内容到剪贴板代码:inet 10.3.2.8 255.255.254.0 NONE
inet 192.168.10.8 255.255.254.0 NONE
inet 192.168.50.8 255.255.255.0 NONEtest2# cat /etc/hostname.carp0复制内容到剪贴板代码:inet 10.3.2.254 255.255.254.0 10.3.3.255 vhid 1 advskew 100 pass foo
inet alias 10.3.2.253 255.255.254.0 10.3.3.255 vhid 1 advskew 100 pass foo
inet 10.3.2.254 255.255.254.0 10.3.3.255 vhid 2 pass foo
inet alias 10.3.2.253 255.255.254.0 10.3.3.255 vhid 2 pass foo
inet 192.168.10.1 255.255.254.0 192.168.11.255 vhid 1 advskew 100 pass bar
inet 192.168.10.1 255.255.254.0 192.168.11.255 vhid 2 pass bartest2# cat /etc/hostname.pfsync0复制内容到剪贴板代码:up syncif fxp1
               
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u2/64726/showart_512879.html