From owner-freebsd-net@FreeBSD.ORG Thu Mar 6 12:17:43 2008
Message-ID: <49906.192.168.4.151.1204805824.squirrel@router>
In-Reply-To: <47CFAD07.6020008@fsn.hu>
References: <47CFAD07.6020008@fsn.hu>
Date: Thu, 6 Mar 2008 13:17:04 +0100 (CET)
From: "Max Laier" <max@love2party.net>
To: "Attila Nagy"
Cc: freebsd-net@freebsd.org
Subject: Re: pf reply-to broken in RELENG_7
User-Agent: SquirrelMail/1.4.13
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 6 Mar 2008, 09:36, Attila Nagy wrote:
> Hello,
>
> I've just upgraded some of our 6-STABLE servers to 7-STABLE to notice
> that pf reply-to for directly connected IPs seems to be broken.
>
> I have the following relevant rule in pf.conf:
> pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any
> port 25 label "mxtraffic-tcp" keep state
>
> which routes incoming SMTP connections (to be exact, the replies to
> them) to the csmvip host, which is a load balancer. This is needed
> because the LB doesn't do source NAT (it does destination NAT, however, to
> direct traffic addressed to its virtual IP to the real servers' IPs),
> and the servers have a different default route than the LB. This way the
> servers reply to the LB, so it can rewrite the replies' source address
> to its virtual IP, so the client will see the correct IP (the LB's
> virtual IP) in the address, instead of the host's real address.
>
> It seems that this still works in 7-STABLE for the internet (not
> directly connected) hosts, but not for directly connected hosts, for
> example the ones which are in the same subnet as my servers.
> To overcome this, I've had to add static ARP entries to the servers, to
> tell them that the clients' hardware address is the address of the load
> balancer, but it would be better if the previous behaviour (as in
> 6-STABLE) could be restored.
>
> Could anybody help to resolve this?

Might be the lack of sleep and coffee, but I can't quite figure out the
network layout you are talking about. Could you draw up a small example
setup so I can follow? Or at least (pseudo-)IP addresses for client,
load-balancer, pf-box and servers?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News