documentation:examples:multi-tenant_ha_pf_firewalls
Last revision: documentation:examples:multi-tenant_ha_pf_firewalls [2019/03/15 17:57], external edit by 127.0.0.1
Line 1: | Line 1: | ||
+ | ====== Multi-tenant HA pf firewalls | ||
+ | ===== Network Diagram ===== | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Starting the lab ===== | ||
+ | |||
+ | More information on these BSDRP lab scripts available on [[documentation: | ||
+ | |||
+ | Example with the bhyve lab script: | ||
+ | |||
+ | < | ||
+ | # tools/ | ||
+ | BSD Router Project (http:// | ||
+ | Setting-up a virtual lab with 5 VM(s): | ||
+ | - Working directory: /tmp/BSDRP | ||
+ | - Each VM have 1 core(s) and 256M RAM | ||
+ | - Emulated NIC: virtio-net | ||
+ | - Switch mode: bridge + tap | ||
+ | - 3 LAN(s) between all VM | ||
+ | - Full mesh Ethernet links between each VM | ||
+ | VM 1 have the following NIC: | ||
+ | - vtnet0 connected to VM 2 | ||
+ | - vtnet1 connected to VM 3 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | - vtnet4 connected to LAN number 1 | ||
+ | - vtnet5 connected to LAN number 2 | ||
+ | VM 2 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 3 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | - vtnet4 connected to LAN number 1 | ||
+ | - vtnet5 connected to LAN number 2 | ||
+ | VM 3 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | - vtnet4 connected to LAN number 1 | ||
+ | - vtnet5 connected to LAN number 2 | ||
+ | VM 4 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 3 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | - vtnet4 connected to LAN number 1 | ||
+ | - vtnet5 connected to LAN number 2 | ||
+ | VM 5 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 3 | ||
+ | - vtnet3 connected to VM 4 | ||
+ | - vtnet4 connected to LAN number 1 | ||
+ | - vtnet5 connected to LAN number 2 | ||
+ | For connecting to VM' | ||
+ | - VM 1 : cu -l / | ||
+ | - VM 2 : cu -l / | ||
+ | - VM 3 : cu -l / | ||
+ | - VM 4 : cu -l / | ||
+ | - VM 5 : cu -l / | ||
+ | </ | ||
+ | |||
+ | ===== Configuring Routers ===== | ||
+ | |||
+ | ==== With BSDRP' | ||
+ | |||
+ | All these routers can be rapidly configured with [[https:// | ||
+ | < | ||
+ | labconfig jailpf_vm[VM-NUMBER] | ||
+ | </ | ||
+ | Or you can do it step-by-step like described. | ||
+ | ==== Public server (VM3) ==== | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM3 | ||
+ | hostname VM3 | ||
+ | sysrc ifconfig_vtnet4=" | ||
+ | sysrc -x gateway_enable | ||
+ | sysrc -x ipv6_gateway_enable | ||
+ | sysrc inetd_enable=YES | ||
+ | sed -i -e ' | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | service inetd start | ||
+ | config save | ||
+ | </ | ||
+ | |||
+ | ==== Customer 1 workstation (VM4) ==== | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM4 | ||
+ | hostname VM4 | ||
+ | sysrc ifconfig_vtnet5=" | ||
+ | sysrc vlans_vtnet5=" | ||
+ | sysrc ifconfig_vtnet5_1=" | ||
+ | sysrc defaultrouter=" | ||
+ | sysrc -x gateway_enable | ||
+ | sysrc -x ipv6_gateway_enable | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | |||
+ | ==== Customer 2 workstation (VM5) ==== | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM5 | ||
+ | hostname VM5 | ||
+ | sysrc ifconfig_vtnet5=" | ||
+ | sysrc vlans_vtnet5=" | ||
+ | sysrc ifconfig_vtnet5_2=" | ||
+ | sysrc defaultrouter=" | ||
+ | sysrc -x gateway_enable | ||
+ | sysrc -x ipv6_gateway_enable | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== First Multi-tenant firewall (VM1) ==== | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM1 | ||
+ | sysrc cloned_interfaces=" | ||
+ | sysrc ifconfig_bridge0=" | ||
+ | sysrc ifconfig_vtnet4=" | ||
+ | sysrc ifconfig_vtnet5=" | ||
+ | sysrc vlans_vtnet5=" | ||
+ | sysrc ifconfig_vtnet5_1=" | ||
+ | sysrc ifconfig_vtnet5_2=" | ||
+ | sysrc kld_list+=" | ||
+ | |||
+ | cat > / | ||
+ | [devfsrules_jailpf=4] | ||
+ | add include $devfsrules_hide_all | ||
+ | add include $devfsrules_unhide_basic | ||
+ | add include $devfsrules_unhide_login | ||
+ | add path ' | ||
+ | add path ' | ||
+ | add path ' | ||
+ | ' | ||
+ | |||
+ | hostname VM1 | ||
+ | service devfs restart | ||
+ | service netif restart | ||
+ | service kld start | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | === Customer 1 Firewall1 (jail11) === | ||
+ | |||
+ | < | ||
+ | tenant -c -j jail11 -i bridge0, | ||
+ | |||
+ | cat > / | ||
+ | hostname=" | ||
+ | sshd_enable=YES | ||
+ | gateway_enable=YES | ||
+ | ipv6_gateway_enable=YES | ||
+ | ifconfig_vtnet5_1=" | ||
+ | ifconfig_vtnet5_1_alias0=" | ||
+ | ifconfig_epair10b=" | ||
+ | ifconfig_epair10b_alias0=" | ||
+ | pf_enable=YES | ||
+ | pflog_enable=YES | ||
+ | pfsync_enable=YES | ||
+ | pfsync_syncdev=vtnet5.1 | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | cat > / | ||
+ | nat on epair10b from vtnet5.1: | ||
+ | block | ||
+ | pass quick on vtnet5.1 proto pfsync keep state (no-sync) | ||
+ | pass quick on epair10b | ||
+ | pass quick on vtnet5.1 proto carp keep state (no-sync) | ||
+ | pass log from vtnet5.1: | ||
+ | pass log from self to any | ||
+ | EOF | ||
+ | |||
+ | </ | ||
+ | |||
+ | === Customer 2 Firewall1 (jail12) === | ||
+ | |||
+ | < | ||
+ | tenant -c -j jail12 -i bridge0, | ||
+ | |||
+ | cat > / | ||
+ | hostname=jail12 | ||
+ | sshd_enable=YES | ||
+ | gateway_enable=YES | ||
+ | ipv6_gateway_enable=YES | ||
+ | ifconfig_vtnet5_2=" | ||
+ | ifconfig_vtnet5_2_alias0=" | ||
+ | ifconfig_epair20b=" | ||
+ | ifconfig_epair20b_alias0=" | ||
+ | pf_enable=YES | ||
+ | pflog_enable=YES | ||
+ | pfsync_enable=YES | ||
+ | pfsync_syncdev=vtnet5.2 | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | cat > / | ||
+ | nat on epair20b from vtnet5.2: | ||
+ | block | ||
+ | pass quick on vtnet5.2 proto pfsync keep state (no-sync) | ||
+ | pass quick on epair20b | ||
+ | pass quick on vtnet5.2 proto carp keep state (no-sync) | ||
+ | pass log from vtnet5.2: | ||
+ | pass log from self to any | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | === Starting customer firewall === | ||
+ | |||
+ | < | ||
+ | service jail start | ||
+ | </ | ||
+ | ==== Second Multi-tenant firewall (VM2) ==== | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM2 | ||
+ | sysrc cloned_interfaces=" | ||
+ | sysrc ifconfig_bridge0=" | ||
+ | sysrc ifconfig_vtnet4=" | ||
+ | sysrc ifconfig_vtnet5=" | ||
+ | sysrc vlans_vtnet5=" | ||
+ | sysrc ifconfig_vtnet5_1=" | ||
+ | sysrc ifconfig_vtnet5_2=" | ||
+ | sysrc kld_list+=" | ||
+ | cat > / | ||
+ | [devfsrules_jailpf=4] | ||
+ | add include $devfsrules_hide_all | ||
+ | add include $devfsrules_unhide_basic | ||
+ | add include $devfsrules_unhide_login | ||
+ | add path ' | ||
+ | add path ' | ||
+ | add path ' | ||
+ | ' | ||
+ | |||
+ | hostname VM2 | ||
+ | service devfs restart | ||
+ | service netif restart | ||
+ | service kld start | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | === Customer 1 Firewall2 (jail21) == | ||
+ | |||
+ | < | ||
+ | tenant -c -j jail21 -i bridge0, | ||
+ | |||
+ | cat > / | ||
+ | hostname=jail21 | ||
+ | sshd_enable=YES | ||
+ | gateway_enable=YES | ||
+ | ipv6_gateway_enable=YES | ||
+ | ifconfig_vtnet5_1=" | ||
+ | ifconfig_vtnet5_1_alias0=" | ||
+ | ifconfig_epair10b=" | ||
+ | ifconfig_epair10b_alias0=" | ||
+ | pf_enable=YES | ||
+ | pflog_enable=YES | ||
+ | pfsync_enable=YES | ||
+ | pfsync_syncdev=vtnet5.1 | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | cat > / | ||
+ | nat on epair10b from vtnet5.1: | ||
+ | block | ||
+ | pass quick on vtnet5.1 proto pfsync keep state (no-sync) | ||
+ | pass quick on epair10b proto carp keep state (no-sync) | ||
+ | pass quick on vtnet5.1 proto carp keep state (no-sync) | ||
+ | pass log from vtnet5.1: | ||
+ | pass log from self to any | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | === Customer 2 Firewall2 (jail22) === | ||
+ | |||
+ | < | ||
+ | tenant -c -j jail22 -i bridge0, | ||
+ | |||
+ | cat > / | ||
+ | hostname=jail22 | ||
+ | sshd_enable=YES | ||
+ | gateway_enable=YES | ||
+ | ipv6_gateway_enable=YES | ||
+ | ifconfig_vtnet5_2=" | ||
+ | ifconfig_vtnet5_2_alias0=" | ||
+ | ifconfig_epair20b=" | ||
+ | ifconfig_epair20b_alias0=" | ||
+ | pf_enable=YES | ||
+ | pflog_enable=YES | ||
+ | pfsync_enable=YES | ||
+ | pfsync_syncdev=vtnet5.2 | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | cat > / | ||
+ | nat on epair20b from vtnet5.2: | ||
+ | block | ||
+ | pass quick on vtnet5.2 proto pfsync keep state (no-sync) | ||
+ | pass quick on epair20b | ||
+ | pass quick on vtnet5.2 | ||
+ | pass log from vtnet5.2: | ||
+ | pass log from self to any | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | === Starting customer firewall === | ||
+ | |||
+ | < | ||
+ | service jail start | ||
+ | </ | ||
+ | ===== Checking firewalls status ===== | ||
+ | |||
+ | ==== carp state ==== | ||
+ | === Customer 1 === | ||
+ | |||
+ | Check that on VM1 jail11 is in carp master state: | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | carp: MASTER vhid 2 advbase 1 advskew 100 | ||
+ | carp: MASTER vhid 1 advbase 1 advskew 100 | ||
+ | </ | ||
+ | |||
+ | And on VM2 that jail21 in backup state: | ||
+ | |||
+ | < | ||
+ | [root@VM2]~# | ||
+ | carp: BACKUP vhid 2 advbase 1 advskew 200 | ||
+ | carp: BACKUP vhid 1 advbase 1 advskew 200 | ||
+ | </ | ||
+ | === Customer 2 === | ||
+ | |||
+ | Check on VM1 that jail12 is in carp backup state: | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | carp: BACKUP vhid 2 advbase 1 advskew 200 | ||
+ | carp: BACKUP vhid 1 advbase 1 advskew 200 | ||
+ | </ | ||
+ | |||
+ | And on VM2 that jail22 in master state: | ||
+ | |||
+ | < | ||
+ | [root@VM2]~# | ||
+ | carp: MASTER vhid 2 advbase 1 advskew 100 | ||
+ | carp: MASTER vhid 1 advbase 1 advskew 100 | ||
+ | </ | ||
+ | |||
+ | ==== pfsync ==== | ||
+ | === Customer 1 === | ||
+ | |||
+ | Generate a flow from VM4 (customer 1 workstation) to VM3 (Internet server): | ||
+ | |||
+ | < | ||
+ | [root@VM4]~# | ||
+ | Trying 2.2.2.3... | ||
+ | Connected to 2.2.2.3. | ||
+ | Escape character is ' | ||
+ | echo | ||
+ | echo | ||
+ | </ | ||
+ | |||
+ | And still connected, check state tables on jail11: | ||
+ | < | ||
+ | [root@VM1]~# | ||
+ | all carp 10.0.0.252 -> 224.0.0.18 | ||
+ | all carp 2.2.2.11 -> 224.0.0.18 | ||
+ | all carp 224.0.0.18 <- 2.2.2.22 | ||
+ | all tcp 2.2.2.3:7 <- 10.0.0.4: | ||
+ | all tcp 2.2.2.1: | ||
+ | </ | ||
+ | |||
+ | And state table should be synced on jail21 too: | ||
+ | < | ||
+ | [root@VM2]~# | ||
+ | all tcp 2.2.2.3:7 <- 10.0.0.4: | ||
+ | all tcp 2.2.2.1: | ||
+ | all carp 224.0.0.18 <- 10.0.0.252 | ||
+ | all carp 224.0.0.18 <- 2.2.2.11 | ||
+ | all carp 224.0.0.18 <- 2.2.2.22 | ||
+ | </ | ||
+ | |||
+ | === Customer 2 === | ||
+ | |||
+ | Generate a flow from VM5 (customer 2 workstation) to VM3 (Internet server): | ||
+ | |||
+ | < | ||
+ | [root@VM5]~# | ||
+ | Trying 2.2.2.3... | ||
+ | Connected to 2.2.2.3. | ||
+ | Escape character is ' | ||
+ | echo | ||
+ | echo | ||
+ | </ | ||
+ | |||
+ | And still connected, check state tables on VM2/jail22: | ||
+ | < | ||
+ | [root@VM2]~# | ||
+ | all carp 224.0.0.18 <- 2.2.2.11 | ||
+ | all carp 10.0.0.253 -> 224.0.0.18 | ||
+ | all carp 2.2.2.22 -> 224.0.0.18 | ||
+ | all tcp 2.2.2.3:7 <- 10.0.0.5: | ||
+ | all tcp 2.2.2.2: | ||
+ | </ | ||
+ | |||
+ | And state table should be synced on VM1/jail12 too: | ||
+ | < | ||
+ | [root@VM1]~# | ||
+ | all carp 224.0.0.18 <- 2.2.2.11 | ||
+ | all carp 224.0.0.18 <- 10.0.0.253 | ||
+ | all carp 224.0.0.18 <- 2.2.2.22 | ||
+ | all pfsync 224.0.0.240 <- 10.0.0.253 | ||
+ | all tcp 2.2.2.3:7 <- 10.0.0.5: | ||
+ | all tcp 2.2.2.2: | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== pflog ==== | ||
+ | === Customer 1 === | ||
+ | |||
+ | Check log file on customer 1 master firewall (after default 60 seconds timer flush): | ||
+ | < | ||
+ | [root@jail11]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ^C | ||
+ | 4 packets captured | ||
+ | 4 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </ | ||
+ | |||
+ | === Customer 2 === | ||
+ | |||
+ | < | ||
+ | [root@jail22]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ^C | ||
+ | 4 packets captured | ||
+ | 4 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== pflogd ==== | ||
+ | === Customer 1 === | ||
+ | |||
+ | Check log file on customer 1 master firewall jail11 (after default 60 seconds timer flush): | ||
+ | < | ||
+ | [root@jail11]~# | ||
+ | reading from file / | ||
+ | </ | ||
+ | |||
+ | Nothing?? | ||
+ | |||
+ | < | ||
+ | [root@jail11]~# | ||
+ | pflogd does not exist in /etc/rc.d or the local startup | ||
+ | directories (/ | ||
+ | [root@jail11]~# | ||
+ | pflog is running as pid 2267. | ||
+ | </ | ||
+ | |||
+ | === Customer 2 === | ||
+ | |||
+ | Check log file on customer 2 master firewall jail22 (after default 60 seconds timer flush): | ||
+ | |||
+ | < | ||
+ | [root@jail22]~# | ||
+ | reading from file / | ||
+ | [root@jail22]~# | ||
+ | pflog is running as pid 2261. | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | Trying to stop pflogd for forcing a flush, but can't stop it: | ||
+ | < | ||
+ | [root@jail11]~# | ||
+ | _pflogd 2269 49.6 1.3 12304 2872 - RJ | ||
+ | root 2267 0.0 1.3 12236 2868 - IsJ 09:13 0:00.00 pflogd: [priv] (pflogd) | ||
+ | root 3020 0.0 0.1 | ||
+ | [root@jail11]~# | ||
+ | Stopping pflog. | ||
+ | Waiting for PIDS: 2267 | ||
+ | load: 2.00 cmd: pwait 3032 [kqread] 28.06r 0.00u 0.00s 0% 1488k | ||
+ | </ |
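Review bot: the heading `=== Customer 1 Firewall2 (jail21) ==` in the VM2 section closes with `==` while every other level-3 heading uses `===`; DokuWiki only recognises a heading when the opening and closing markers match, so make it `=== Customer 1 Firewall2 (jail21) ===`. The four per-jail pf.conf blocks should also be aligned with each other: jail21 has `pass quick on epair10b proto carp keep state (no-sync)`, while the jail11 block shows only `pass quick on epair10b`, and jail22 shows `pass quick on vtnet5.2` where jail12 has `pass quick on vtnet5.2 proto carp keep state (no-sync)`; a `pass quick` with no `proto carp` qualifier matches every packet in both directions on that interface ahead of the `block` default, so if those shorter lines are what the page really contains they defeat the deny-by-default policy on the customer VLAN and on the Internet-facing epair leg, and if they are only rendering truncation the page should still be checked against the jail21 variant. Finally, the pflogd section ends unresolved: the captured output shows the rc script is named `pflog` ("pflogd does not exist in /etc/rc.d", "pflog is running as pid 2267"), and the last block shows `Stopping pflog.` / `Waiting for PIDS: 2267` hanging in `pwait`; either document how the stop and log flush were resolved and the resulting log read-back, or mark that section as work in progress so readers do not take the hang as expected behaviour.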
documentation/examples/multi-tenant_ha_pf_firewalls.txt · Last modified: 2019/11/28 23:02 by olivier