Date: Thu, 16 Sep 2004 04:11:46 -0000
From: sam <samwun@hgdbroadband.com>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and ipfw
Message-ID: <411AEBFE.4040104@hgdbroadband.com>
In-Reply-To: <411AEAE5.9080106@mra.co.id>
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net> <4118C330.8090609@mra.co.id> <200408111550.56346.max@love2party.net> <411AEAE5.9080106@mra.co.id>

Muhammad Reza wrote:

> Max Laier wrote:
>
>> On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
>>
>>> # nat outgoing connections on each internet interface
>>> nat on $ext_if1 from $lan_net to any -> $gw1
>>> nat on $ext_if2 from $lan_net to any -> $gw2
>>> nat on $ext_if1 from $dmz_net to any -> $gw1
>>> nat on $ext_if2 from $dmz_net to any -> $gw2
>>>
>>> # smtp access from outside
>>> rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
>>
>> That can't work! For a client connecting to your smtp that would look
>> like the following:
>> 1) $client:cport connects to $server_ext:25
>> 2) pf RDRs to $server_dmz:25
>> 3) $server_dmz:sport replies to $client:cport
>> 4) pf NATs to one of $gw1:sport1 or $gw2:sport2
>> 5) $client does not recognize as it is expecting to receive a reply
>> from $server_ext and not from $gw1 or $gw2
>>
>> You have to make sure that replies from $server_dmz are translated to
>> $server_ext.
>
> Thanks list for great response.
>
> to make sure that replies from $server_dmz are translated to
> $server_ext, I add this line (cmiiw)
>
> nat on $ext_if1 from $dmz_net to any -> $server_ext
>
> This rule says to perform NAT on the $ext_if interface for any packets
> coming from $dmz_net and to replace the source IP address with
> $server_ext.
>
> but still can't work :(. But if add default gateway to internet. it
> redirect can work, but not with load balance.
> please help me

How about use "sticky" and "source-hash" in the rule?

sam
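
The mismatch in step 4 of Max's walk-through can be checked mechanically. The Python sketch below is an added example, not code from the thread: it parses only the two rule shapes quoted above, applies pf's first-match evaluation of translation rules, and lists each interface on which traffic from the redirect target would leave with a source address other than the redirected one. All interface names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample ruleset: the macro values are invented documentation
# addresses; the nat/rdr lines follow the shape of the rules quoted above.
SAMPLE = '''
ext_if1 = "em0"
ext_if2 = "em1"
dmz_net = "10.0.1.0/24"
gw1 = "192.0.2.1"
gw2 = "198.51.100.1"
server_ext = "192.0.2.10"
server_dmz = "10.0.1.25"
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2
rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
'''

NAT = re.compile(r"nat on (\S+) from (\S+) to any -> (\S+)")
RDR = re.compile(r"rdr on (\S+) proto tcp from any to (\S+) port \S+ -> (\S+) port \S+")
MACRO = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse(text):
    """Expand macros, then return (nat_rules, rdr_rules) in file order."""
    macros = dict(MACRO.findall(text))
    expanded = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], text)
    return NAT.findall(expanded), RDR.findall(expanded)

def nat_source(nats, iface, host):
    """Address the first matching nat rule on iface gives to host, or None."""
    for nat_if, src, target in nats:
        if nat_if == iface and ipaddress.ip_address(host) in ipaddress.ip_network(src):
            return target
    return None

def mismatches(text):
    """List (iface, external, translated) where the redirect target leaves
    iface with a source address other than the one clients connected to."""
    nats, rdrs = parse(text)
    found = []
    for _, external, internal in rdrs:
        for iface in dict.fromkeys(n[0] for n in nats):
            translated = nat_source(nats, iface, internal)
            if translated not in (None, external):
                found.append((iface, external, translated))
    return found
```

Because pf stops at the first matching translation rule, a nat line to $server_ext placed after the existing $dmz_net rules for the same interface is never reached; the check only clears for that interface when the line comes before them.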