From owner-freebsd-net@FreeBSD.ORG Mon Apr 16 17:02:54 2007
Message-ID: <4623AC35.7060301@webmail.sub.ru>
Date: Mon, 16 Apr 2007 21:02:45 +0400
From: Alex Povolotsky
To: Max Laier
Cc: freebsd-net@freebsd.org
Subject: Re: Please help with PF-based redirector
In-Reply-To: <200704161359.26059.max@love2party.net>
References: <46226AD3.3030806@webmail.sub.ru> <200704161359.26059.max@love2party.net>
List-Id: Networking and TCP/IP with FreeBSD

Max Laier wrote:
> On Sunday 15 April 2007 20:11, Alex Povolotsky wrote:
>
>> Hello!
>>
>> I'm trying to set up a box as a round-robin TCP proxy. Of course, I'm
>> trying to do everything at kernel level.
>>
>> This simple setup
>>
>> rdr on sk0 proto tcp from any to any port = smtp -> port 25 round-robin
>>
>> should work. At least, I thought so.
>>
>> However, an attempt to connect to port 25 yielded an unexpected result.
>> pfctl -s state shows
>>
>> self tcp 89.108.94.212:25 <- 89.108.94.91:25 <- 89.108.94.211:56975 CLOSED:SYN_SENT
>>
>
> Your test hosts seem to be on the same subnet. This does not work as you
> seem to think. In the same broadcast domain it is not possible for the
> pf box to forward the packet on behalf of the sending host (otherwise it
> would confuse the recipient or the switch). Instead it emits ICMP
> redirects, which are ignored in a normal setup.
>
> You have to separate the two networks in order for redirect to work the
> way you want it to.

I have separated them.

# pfctl -s nat
rdr on rl0 proto tcp from any to any port = smtp -> port 25 round-robin
# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 89.108.94.212:25 <- 10.180.210.2:25 <- 10.180.210.1:61298 CLOSED:SYN_SENT

tcpdump does not show any ICMP redirect:

unknown-1717# tcpdump -l -n -i rl0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:14.907833 arp who-has 10.180.210.2 tell 10.180.210.1
20:53:14.907857 arp reply 10.180.210.2 is-at 00:0e:2e:98:7e:55
20:53:14.907924 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
20:53:17.907599 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
20:53:21.107441 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
20:53:24.307283 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
20:53:27.507126 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
20:53:30.706974 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

What am I doing wrong? Or can I only redirect routable traffic?

Nope, I've added an alias to the "external" interface, no changes.

Alex
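To make the three-address state lines quoted in this thread easier to read, here is an added Python helper (not part of the thread or of pf) that parses them into rdr target, original destination and client, and flags the two conditions discussed: a target on the client's own subnet, and a target side still CLOSED while the client sits in SYN_SENT. The field order of the line and the /24 prefix length are assumptions; the thread never states the netmasks.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two "pfctl -s state" lines quoted in the thread.
SAMPLE_STATES = [
    "self tcp 89.108.94.212:25 <- 89.108.94.91:25 <- 89.108.94.211:56975 CLOSED:SYN_SENT",
    "self tcp 89.108.94.212:25 <- 10.180.210.2:25 <- 10.180.210.1:61298 CLOSED:SYN_SENT",
]

# Assumed layout of the three-address form pfctl prints for an inbound
# translated (rdr) state; check it against the pfctl version you run:
#   <if> <proto> <rdr target> <- <original dst> <- <client> <target state>:<client state>
_RDR_LINE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<target>\S+)\s+<-\s+"
    r"(?P<orig_dst>\S+)\s+<-\s+(?P<src>\S+)\s+"
    r"(?P<target_state>[^:\s]+):(?P<client_state>\S+)$"
)

@dataclass
class RdrState:
    ifname: str
    proto: str
    target: str         # host:port pf forwards the connection to
    orig_dst: str       # host:port the client actually connected to
    src: str            # client host:port
    target_state: str   # TCP state pf has seen on the target side
    client_state: str   # TCP state pf has seen on the client side

def parse_rdr_state(line):
    """Return an RdrState for a three-address state line, else None."""
    m = _RDR_LINE.match(line.strip())
    return RdrState(**m.groupdict()) if m else None

def _host(addr):
    # Strip the ":port" suffix and return the IP address.
    return ipaddress.ip_address(addr.rsplit(":", 1)[0])

def diagnose(line, prefix_len=24):
    """List reasons an rdr state may be stuck. prefix_len is an assumption."""
    st = parse_rdr_state(line)
    if st is None:
        return ["not a translated inbound state line"]
    findings = []
    client_net = ipaddress.ip_network(f"{_host(st.src)}/{prefix_len}", strict=False)
    if _host(st.target) in client_net:
        findings.append("rdr target shares the client's subnet: pf cannot forward "
                        "on the client's behalf (the point made above)")
    if st.target_state == "CLOSED" and st.client_state == "SYN_SENT":
        findings.append("client SYN was translated but pf has seen no reply "
                        "from the rdr target")
    return findings
```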