clustering and firewall


#1

Hi,

I’ve got two VyOS 1.0.4 machines running in failover. I’m using clustering for the failover, over multiple VIFs and the external PIF.
I also have L2TP over IPsec configured, with IPsec on the cluster service.

I don’t believe this part is in any way an issue, but just in case, the full cluster configuration is below.

My problem is that I’m trying to use these two machines as web-facing firewalls, and I want to be as secure as possible. To this end, the default action on eth0 (the external-facing interface) is drop, for both the inbound and the local firewalls.

I’ve configured firewall rules for what I want to be allowed to connect locally (the global state-policy is established allow, related allow, invalid drop). I’ve applied these rules to eth0, eth1, eth1 vif 5, eth1 vif 11, and eth1 vif 40.

Something in this is interfering with the cluster heartbeat traffic. Is there a specific port/protocol or range of ports/protocols I need to allow? I can’t find anything in any documentation.

cluster {
    dead-interval 8000
    group cluster1 {
        auto-failback true
        monitor 192.168.2.1
        monitor 192.168.100.132
        primary fw1
        secondary fw2
        service 192.168.100.129/25/eth1.11
        service 192.168.101.254/27/eth1.11
        service 192.168.102.190/27/eth1.11
        service 192.168.50.1/24/eth1.5
        service 192.168.2.27/24/eth0
        service 192.168.40.1/24/eth1.40
        service ipsec
    }
    interface eth0
    interface eth1.11
    interface eth1.5
    interface eth1.40
    keepalive-interval 2000
    monitor-dead-interval 20000
    pre-shared-secret ****************
}

I’m still lab testing at the moment, which is why there are no public IPs in the configuration.


OK. I turned up logging, accepted all traffic from the other firewall, and found the answer in the logs. Dunno why I didn’t think of that earlier.

So, if anyone ever runs into this problem: the cluster service actually uses the standard Linux heartbeat by the looks of it, so it’s destination port 694, protocol UDP.
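As an added example (not part of the original post, and not taken from VyOS documentation), here is what a local-firewall rule set that lets the heartbeat through while keeping the default-drop posture could look like in VyOS 1.0.x `set` syntax. The rule set name LOCAL-CLUSTER, the rule numbers, and the peer address 192.168.2.28 are assumptions; the page only gives the service addresses, not the real interface address of the other node, so substitute the peer's actual interface address on each cluster interface. The rule is scoped to UDP destination port 694 from that one source, rather than accepting all traffic from the peer as was done during troubleshooting, and it has to be attached to the local firewall of every interface listed under `cluster` (eth0, eth1.11, eth1.5, eth1.40), since the heartbeat runs over each of them.

```vyos
# Added example, not from the original post. Names and addresses are assumptions.
# Local firewall for traffic addressed to this node itself; default stays drop.
set firewall name LOCAL-CLUSTER default-action drop
set firewall name LOCAL-CLUSTER description 'Local FW: allow cluster heartbeat from peer only'

# Heartbeat (Linux HA heartbeat, UDP/694) from the peer firewall's address on this link.
# 192.168.2.28 is a constructed placeholder for fw2's eth0 address; adjust per interface.
set firewall name LOCAL-CLUSTER rule 10 action accept
set firewall name LOCAL-CLUSTER rule 10 description 'cluster heartbeat from peer'
set firewall name LOCAL-CLUSTER rule 10 protocol udp
set firewall name LOCAL-CLUSTER rule 10 destination port 694
set firewall name LOCAL-CLUSTER rule 10 source address 192.168.2.28

# Log whatever else hits the local chain so a blocked service shows up in the logs
# instead of silently failing, as the heartbeat did here.
set firewall name LOCAL-CLUSTER rule 9999 action drop
set firewall name LOCAL-CLUSTER rule 9999 description 'log remaining local drops'
set firewall name LOCAL-CLUSTER rule 9999 log enable

# Attach to the external interface (repeat on eth1 vif 11, 5 and 40 with the peer's
# address on each of those VLANs, since the heartbeat is sent over every cluster interface).
set interfaces ethernet eth0 firewall local name LOCAL-CLUSTER
```

With the global state-policy from the post (established/related accept, invalid drop) still in place, the peer's heartbeat replies are covered by the established rule, so only the initial inbound datagram needs the explicit accept. A quick check after commit is `show firewall name LOCAL-CLUSTER statistics`: rule 10's packet counter should climb steadily at roughly the keepalive interval, and rule 9999 should stay quiet once the real peer address is in place.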