Date:      Mon, 16 Apr 2007 21:02:45 +0400
From:      Alex Povolotsky <tarkhil@webmail.sub.ru>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Please help with PF-based redirector
Message-ID:  <4623AC35.7060301@webmail.sub.ru>
In-Reply-To: <200704161359.26059.max@love2party.net>
References:  <46226AD3.3030806@webmail.sub.ru> <200704161359.26059.max@love2party.net>

Max Laier wrote:
> On Sunday 15 April 2007 20:11, Alex Povolotsky wrote:
>   
>> Hello!
>>
>> I'm trying to set up a box as round-robin TCP proxy. Of course, I'm
>> trying to do everything on kernel-level.
>>
>> This simple setup
>>
>> rdr on sk0 proto tcp from any to any port = smtp -> <outbound> port 25
>> round-robin
>>
>> should work. At least, I thought so.
>>
>> However, attempt to connect to port 25 yielded unexpected result. pfctl
>> -s state shows
>>
>> self tcp 89.108.94.212:25 <- 89.108.94.91:25 <- 89.108.94.211:56975       CLOSED:SYN_SENT
>>     
>
> Your test hosts seem to be on the same subnet.  This does not work as you 
> seem to think.  In the same broadcast domain it is not possible for the 
> pf box to forward the packet on behalf of the sending host (otherwise it 
> would confuse the recipient or the switch).  Instead it emits ICMP 
> redirects, which are ignored in a normal setup.
>
> You have to separate the two networks in order for redirect to work the 
> way you want it to.
>   

I have separated them.
#pfctl -s nat
rdr on rl0 proto tcp from any to any port = smtp -> <outbound> port 25 round-robin
# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 89.108.94.212:25 <- 10.180.210.2:25 <- 10.180.210.1:61298       CLOSED:SYN_SENT

tcpdump does not show any ICMP redirects:

unknown-1717# tcpdump -l -n -i rl0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:14.907833 arp who-has 10.180.210.2 tell 10.180.210.1
20:53:14.907857 arp reply 10.180.210.2 is-at 00:0e:2e:98:7e:55
20:53:14.907924 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285791868 0,sackOK,eol>
20:53:17.907599 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285794868 0,sackOK,eol>
20:53:21.107441 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285798068 0,sackOK,eol>
20:53:24.307283 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
20:53:27.507126 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
20:53:30.706974 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

What am I doing wrong? Or can I only redirect routable traffic?

Nope, I've added an alias to the "external" interface, no changes.

Alex
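The redirector discussed in this thread, written out as a complete pf.conf in the pre-OpenBSD-4.7 syntax the thread uses. This is an added example, not the poster's configuration and not taken from the FreeBSD or PF projects: rl0, sk0 and the 10.180.210.0/24 client side come from the messages above, while the backend addresses in <outbound> are constructed placeholders from the documentation range. It also spells out the pass rules and the forwarding sysctl that the excerpts in the thread do not show, because an rdr rule only rewrites the destination; the rewritten packet still has to be passed by the filter rules and forwarded by the kernel.

```conf
# Added example: a complete pf.conf for a round-robin SMTP redirector.
# Interface names and the 10.180.210.2 address are taken from the thread;
# the backend addresses in <outbound> are constructed placeholders.
int_if = "rl0"          # faces the clients (10.180.210.0/24 in the thread)
ext_if = "sk0"          # faces the SMTP backends

# Backends that receive the redirected connections, one per new connection
# in turn.  round-robin is the only pool type that accepts a table.
table <outbound> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }   # constructed

# Translation only rewrites the destination address; it does not pass the
# packet, and it only matches packets arriving on the named interface.
rdr on $int_if proto tcp from any to any port = smtp -> <outbound> port 25 round-robin

# Filter rules see the packet after translation, so they must allow the
# rewritten destination (the backend), not the original one.
pass in  on $int_if proto tcp from any to <outbound> port 25 flags S/SA keep state
pass out on $ext_if proto tcp from any to <outbound> port 25 flags S/SA keep state

# rdr leaves the client's source address untouched, so the backend's replies
# must be routed back through this box.  If the backends have no route to
# the client network, translate the source as well on the way out:
#   nat on $ext_if from $int_if:network to <outbound> port 25 -> ($ext_if)

# The kernel must also forward packets that are not addressed to itself:
#   sysctl net.inet.ip.forwarding=1      (gateway_enable="YES" in rc.conf)
# Without it, a redirected SYN is translated, creates a state entry that
# stays in SYN_SENT, and is never sent on to the backend.
```

Load with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s state` show the same views the thread quotes, and a healthy redirected connection moves from SYN_SENT to ESTABLISHED once the backend's SYN-ACK comes back through the box.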
