Failover Firewalls with OpenBSD and CARP

Warning – this post was original created by Jason Dixon some yrs ago, its copyright is fully held by samag.com. I copied it here for a track record, If there’s any issue, please let me know. As the pictures in this post had lost already,  it’s suggested to check its PDF version here.

Firewalls are a required component in commercial and residential computer networks. For many installations, the firewall is a single point of failure between client systems and external resources. It can also become a liability when hardware or applications fail, leaving potential customers unable to reach your servers.

A properly designed and executed failover configuration for your primary firewall will address many of these concerns. This article introduces a proven method for installing redundant stateful firewalls using native OpenBSD features.

The OpenBSD project is known for creating a leading secure Unix-like operating system. They have always emphasized software robustness and security, while ensuring their code remains free for all purposes under the BSD license. A number of exciting features have been introduced to OpenBSD due to licensing disagreements. Many BSD users are familiar with the rift between Darren Reed, (the creator of IPFilter) and the OpenBSD developers. A change in the IPFilter license resulted in the rapid development of the OpenBSD PF firewall software. Not only is PF a competitor to expensive proprietary offerings, it is so successful that it has been ported to both FreeBSD and NetBSD distributions.

Within the past two years, OpenBSD recognized the need to support failover between OpenBSD firewalls. The pfsync protocol was completed, which sends state change messages via multicast over the pfsync interface. Using a secure connection (a crossover cable between systems is suggested), pfsync will notify other OpenBSD firewalls of changes to the local state table. If other firewalls are listening for the pfsync packets, they will update their own state tables with these announcements. This feature allows sessions to failover gracefully without losing connectivity or raising alerts in the firewall, providing the basic features required for stateful redundancy. However, the ability to dynamically failover to the stateful partners was still unavailable.

The Birth of CARP

The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure in a static network by assigning a virtual gateway between multiple physical routers. This allows two or more routers to cooperate as a dynamic gateway; one will perform as the “master”, while the other system waits as a “backup”. If the master becomes unavailable, the backup will begin advertising itself as the master, allowing traffic to continue uninterrupted over the new physical path. Unfortunately, although VRRP is an IETF-standard protocol, it is also encumbered by a patent held by its author, Cisco Systems, Inc. They claim to have no intention of asserting patent claims against anyone implementing VRRP, but publicly reserve the right to assert patent claims defensively. OpenBSD needed this functionality to support failover between hosts, but the looming patent issue made VRRP a poor choice.

Based on their dedication to free software, the OpenBSD team went to work on creating a patent-free replacement for VRRP. This was released in the form of the Common Address Redundancy Protocol (CARP) in late 2003. CARP operates at the data-link and network OSI layers, using a virtual MAC and one or more virtual IP addresses. The master router of the CARP group responds to ARP requests for the virtual MAC with the shared IP address, allowing switches to quickly determine to which interface to forward traffic. CARP supports IPv4 and IPv6, load-balancing across the shared group, master preemption, and cryptographic hashing of the data-link announcements. Thanks to PF, pfsync, and CARP, users are now able to deploy truly redundant firewalls using free software and commodity hardware.

Installing OpenBSD is beyond the scope of this article, but should be familiar to NetBSD (and perhaps even Debian Linux) users. The media is available either via CD-ROM purchased from the OpenBSD store, or you can install via FTP by downloading one of the boot images. There are no CD-ROM ISO images available for download; CD-ROM and other project merchandise sales are used to support the ongoing development. The installation process usually takes no more than 10-20 minutes to complete, depending on media access and disk speed.

The scenarios presented in this article portray a typical dual-homed connection that you might encounter at any business or residence. Under most circumstances, it is suggested to incorporate a demilitarized-zone (“DMZ”) network to segregate inbound traffic to your public servers. This helps keep unwanted intruders out of your LAN. We will utilize a third interface for this example, but it will only carry pfsync notifications. Adding a DMZ is as simple as creating an additional physical and CARP interface for the DMZ.

Basic Configuration

Both systems should be configured to use unique (not shared between CARP group members) IP addresses for the physical interfaces. As of the time of this writing, code has been imported to allow CARP devices to operate without the need for a network interface. However, this code is still under heavy testing at the time of writing and should not be considered production-ready until the OpenBSD 3.7 release (May 2005).

Figure 1 shows that each firewall has a publicly routable IPv4 address for fxp0, a private RFC1918 address on fxp1, and another private address on fxp2. Each of the routing interfaces can be configured to use multiple CARP interfaces, although we will only be creating a single CARP interface on fxp1 to operate as our LAN gateway. The network settings for each physical device are stored in the /etc/hostname.fxp* files; each CARP interface has its settings stored in the corresponding /etc/hostname.carp* files. Media options are considered optional and will not be shown in the examples below. This will result in the connection duplex auto-negotiating at 100baseTX.

Each CARP interface must be configured with a virtual host ID (vhid) and virtual host IP address. The vhid must be unique among CARP interfaces on the same network segment. The advbase and advskew parameters are optional and are used to control how frequently a master host sends advertisements. A custom advskew setting will result in fewer advertisements, forcing the host into the backup role. The pass parameter is recommended as it is used to authenticate CARP advertisements between group members. The commands to manually enable the CARP interfaces are:

test1# ifconfig carp0 66.77.24.5 netmask 255.255.255.0 vhid 1 pass foo
test1# ifconfig carp1 10.0.0.1 netmask 255.255.255.0 vhid 1 pass bar

test2# ifconfig carp0 66.77.24.5 netmask 255.255.255.0 vhid 1 pass foo
test2# ifconfig carp1 10.0.0.1 netmask 255.255.255.0 vhid 1 pass bar

To enable the pfsync interface, we only need to pass ifconfig the “up syncif” keywords and the associated interface. However, in those cases where a dedicated pair of interfaces is not available for crossover connectivity, the syncpeer keyword can be used to designate a peer network address. If this is the desired effect, all pfsync traffic should be encrypted across enc0, the OpenBSD IPSec virtual interface. For our purposes, we will simply rely on passing unencrypted messages across the dedicated crossover between fxp2 on each firewall:

test1# ifconfig pfsync0 syncif fxp2

test2# ifconfig pfsync0 syncif fxp2

In situations where a preferred master is wanted, preemption can be enabled. We need to raise the advskew for the intended backup host. Once that is complete, both systems must enable preemption via the net.inet.carp.preempt sysctl variable. The sysctl changes must be stored permanently in /etc/sysctl.conf, and the advskew updates should be made to the hostname.carp* files on the backup host:

test2# ifconfig carp0 advskew 100
test2# ifconfig carp1 advskew 100
test2# sysctl -w net.inet.carp.preempt=1
net.inet.carp.preempt 0 -> 1

test1# sysctl -w net.inet.carp.preempt=1
net.inet.carp.preempt 0 -> 1

Listing 1 reveals the basic PF ruleset that will allow our firewall pair to block unwanted traffic. This example only allows outbound Network Address Translation (NAT) connections bound to the external interface, as well as connections initiated from the firewall itself. We must also allow pfsync traffic on fxp2 and CARP traffic on fxp0 and fxp1. Once the pf.conf has been saved, the new configuration should be tested for syntax errors. A quiet return prompt indicates a successful ruleset parsing:

test1# pfctl -nf /etc/pf.conf
test1#

test2# pfctl -nf /etc/pf.conf
test2#

With no errors reported, we can enable the ruleset:

test1# pfctl -f /etc/pf.conf

test2# pfctl -f /etc/pf.conf

Please note that all of the aforementioned network settings will need to be preserved in static configuration files. The output of these files can be seen in Listing 2

.Testing the Configuration

Running tcpdump on each CARP-enabled physical interface should reveal the master host multicasting its CARP advertisements. A sample capture from the LAN segment is shown below. Note that we want to look for packets matching protocol number 112. Although this is recognized as VRRP on many systems, OpenBSD has updated the /etc/protocols file to reflect this as CARP traffic:

test1# tcpdump -nvi fxp0 -c3 proto 112
tcpdump: listening on fxp0
20:32:55.110102 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36:
  vhid=1 advbase=1 advskew=0 (DF) [tos 0x10] (ttl 255, id 15586)
20:32:56.120098 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36:
  vhid=1 advbase=1 advskew=0 (DF) [tos 0x10] (ttl 255, id 8283)
20:32:57.130095 carp 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36:
  vhid=1 advbase=1 advskew=0 (DF) [tos 0x10] (ttl 255, id 18372)

The ifconfig command will convey the state of our physical, CARP, and pfsync interfaces. Passing the -A parameter to ifconfig will also show the state of all address aliases for each of our interfaces:

test1# ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:d0:b7:bf:c6:95
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 66.77.24.2 netmask 0xffffff00 broadcast 66.77.24.255
        inet6 fe80::202:b3ff:fe0a:ce04%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:0a:d1:28
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::202:b3ff:fe16:a957%fxp1 prefixlen 64 scopeid 0x2
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:c0:4f:46:8d:ec
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.255.255.2 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::2c0:4fff:fe46:9448%fxp2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: fxp2 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 66.77.24.5 netmask 0xffffff00
carp1: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00

The output clearly shows that both carp0 and carp1 on this system are serving as master of the group. Since preemption is enabled, this system will always retain the master role while it is able to advertise itself as available. If a designated “backup” firewall has accepted the master role, it will immediately relinquish that responsibility upon receiving advertisements from the system with the lower advskew. This behavior can also be monitored using the tcpdump techniques revealed earlier. Tcpdump can also be used to observe the pfsync state messages:

test1# tcpdump -nvvettti fxp2
Jan 31 21:18:22.135400 0:c0:4f:46:94:48 1:0:5e:0:0:f0 0800 262:
  10.255.255.2 > 224.0.0.240: PFSYNCv2 count 1: INS ST:
 (DF) [tos 0x10] (ttl 255, id 58487)
Jan 31 21:18:23.130035 0:c0:4f:46:94:48 1:0:5e:0:0:f0 0800 302:
  10.255.255.2 > 224.0.0.240: PFSYNCv2 count 3: UPD ST COMP:
 (DF) [tos 0x10] (ttl 255, id 64429)
Jan 31 21:18:25.940527 0:c0:4f:46:94:48 1:0:5e:0:0:f0 0800 70:
  10.255.255.2 > 224.0.0.240: PFSYNCv2 count 2: DEL ST COMP:
        id: 41f3a32500007f5b creatorid: d0491513
        id: 41f3a32500007fe1 creatorid: d0491513
 (DF) [tos 0x10] (ttl 255, id 59638)
^C

All LAN workstations should be configured to use the internal CARP address as their network gateway. Then if the master firewall becomes unavailable, any existing connections will be immediately resumed by the next possible failover member. Simple tests — such as Web browsing and ping — should be performed to verify that clients are able to traverse the gateway.

Once basic connectivity and routing are confirmed, more advanced tests should be initiated to confirm stateful failover capabilities. SCP is an excellent tool for this test. Make sure to use a sufficiently large test file such that it will still be transferring when you unplug the cable. Immediately following the physical disconnect, you may experience a brief 1-2 second delay as the failover occurs. The session should abruptly resume, revealing that the connection has been preserved. After you plug the cable back in, traffic should immediately “bounce” to the preemptive master and continue unassumingly. By running pftop from the ports collection, you can watch the traffic “move” from one machine to the other.

Advanced Configuration

The next design introduces a method for load balancing connections between the redundant pair and a pool of internal servers. To distribute the load across both firewalls, a second CARP interface must be created on each firewall’s external and internal interfaces. Each firewall will serve as master and one as backup for each CARP interface. The net.inet.carp.arpbalance sysctl variable must also be enabled. An address alias is also being added to support additional services:

test1# ifconfig carp0 66.77.24.5 netmask 255.255.255.0 vhid 1 pass foo
test1# ifconfig carp0 alias 66.77.24.10 netmask 255.255.255.0 vhid 1 pass foo
test1# ifconfig carp1 66.77.24.5 netmask 255.255.255.0 vhid 2 advskew
  100 pass foo
test1# ifconfig carp1 alias 66.77.24.10 netmask 255.255.255.0 vhid 2
  advskew 100 pass foo
test1# ifconfig carp2 10.0.0.1 netmask 255.255.255.0 vhid 1 pass bar
test1# ifconfig carp3 10.0.0.1 netmask 255.255.255.0 vhid 2 advskew 100
  pass bar
test1# sysctl -w net.inet.carp.arpbalance=1
net.inet.carp.arpbalance: 0 -> 1

test2# ifconfig carp0 66.77.24.5 netmask 255.255.255.0 vhid 1 advskew
  100 pass foo
test2# ifconfig carp0 alias 66.77.24.10 netmask 255.255.255.0 vhid
  1 advskew 100 pass foo
test2# ifconfig carp1 66.77.24.5 netmask 255.255.255.0 vhid 2 pass foo
test2# ifconfig carp1 alias 66.77.24.10 netmask 255.255.255.0 vhid 2 pass foo
test2# ifconfig carp2 10.0.0.1 netmask 255.255.255.0 vhid 1 advskew
  100 pass bar
test2# ifconfig carp3 10.0.0.1 netmask 255.255.255.0 vhid 2 pass bar
test2# sysctl -w net.inet.carp.arpbalance=1
net.inet.carp.arpbalance: 0 -> 1

Reviewing the output of ifconfig, we are able to confirm the presence of the new interfaces and aliases:

test1# ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:d0:b7:bf:c6:95
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 66.77.24.2 netmask 0xffffff00 broadcast 66.77.24.255
        inet6 fe80::2d0:b7ff:febf:c695%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:0a:d1:28
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::202:b3ff:fe0a:d128%fxp1 prefixlen 64 scopeid 0x2
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:c0:4f:46:8d:ec
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::2c0:4fff:fe46:8dec%fxp2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: fxp2 syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 66.77.24.5 netmask 0xffffff00
        inet 66.77.24.10 netmask 0xffffff00
carp1: flags=41<UP,RUNNING> mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 100
        inet 66.77.24.5 netmask 0xffffff00
        inet 66.77.24.10 netmask 0xffffff00
carp2: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00
carp3: flags=41<UP,RUNNING> mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 100
        inet 10.0.0.1 netmask 0xffffff00

The diagram in Figure 2 shows that we have added three HTTP servers and one SMTP server. Each of the Web servers has a private IP address, but they all use the same public address via NAT. Outbound connections will cause the source address to be translated; inbound connections will be redirected to one of the destination addresses, mapping packets based on a hash of the source address. This will allow the firewalls to persistently send traffic from one client to the same server. The SMTP server also has a private address, but its traffic is translated via bidirectional mapping (binat) to a new external carp interface. The revised pf.conf can be viewed in Listing 3. A compilation of all the revised network settings are detailed in Listing 4.

With arpbalance enabled, incoming packets will be distributed between the two firewalls in a round-robin fashion. New connections are tracked via the source-hash option to the rdr translation rule. This ensures that future packets originating from the same client are passed on to the same internal server. Additional load-balancing techniques can be used on the internal HTTP pool by incorporating CARP on each of the pool members. This way, we not only allow traffic to be distributed between all three hosts, but we provide failover capabilities as well, just like that of the firewall pair.

Summary

Through the use of native OpenBSD utilities, we have a high-availability firewall solution based on commodity hardware that competes favorably with commercial offerings costing thousands of dollars more. The practical applications for CARP are limitless, as it can be used anywhere that load-balancing needs exist. It has been ported to userland on Linux kernels 2.4 and 2.6, NetBSD and FreeBSD, making it an ideal redundancy tool no matter what Unix-like system you use. But combine CARP with the enhanced security of OpenBSD, PF and pfsync, and you have a stateful firewall that won’t let you or your customers down.

Resources

OpenBSD — http://www.openbsd.org/

OpenBSD FAQ — http://www.openbsd.org/faq/index.html

PF — http://www.benzedrine.cx/pf.html

PF User’s Guide — http://www.openbsd.org/faq/pf/index.html

Userland CARP — http://www.ucarp.org/

VRRP RFC 3768 — http://www.benzedrine.cx/pf.html

Share Button

One thought on “Failover Firewalls with OpenBSD and CARP

Leave a comment

Your email address will not be published. Required fields are marked *