Date:      Mon, 10 Dec 2007 09:11:08 -0800
From:      "Michael K. Smith - Adhost" <mksmith@adhost.com>
To:        "shinny knight" <sh1nny_kn1ght@yahoo.com>, "Erik Norgaard" <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   RE: Problem with NAT/RDR in PF
Message-ID:  <17838240D9A5544AAA5FF95F8D52031603067F88@ad-exh01.adhost.lan>
In-Reply-To: <979954.82929.qm@web44810.mail.sp1.yahoo.com>
References:  <2C799BA1-729E-4990-A80F-1C840AD53D9B@adhost.com> <979954.82929.qm@web44810.mail.sp1.yahoo.com>



Hello Catalin:

<snip>

>
> Michael Smith <mksmith@adhost.com> wrote:
>
>
> 	On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
>
> 	> Michael Smith wrote:
> 	>> Hello All:
> 	>> I am trying to configure a round-robin group of Name Servers that
> 	>> respond to and from a single address.
> 	>> I want the following to occur:
> 	>> 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a
> 	>> pool of name servers
> 	>> 2) One of the name servers responds to the query
> 	>> 3) The response shows a source address of 10.212.1.1, not the
> 	>> actual name server
> 	>
<snip>
>
>
> Hello Mike,
>
>
> If I understand correctly your environment I think you should change
> the NAT rule from:
>
> nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
>
> to:
>
> nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
>
> Let us know if this is solving the issue.
>

I'm still seeing the same issue.  Here's the output from pfctl -sa | grep 10.212.1.1

nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108       NO_TRAFFIC:SINGLE

It looks like the redirect is happening correctly, but the NAT isn't working in reverse.  The 10.212.1.1 address is in the subnet on $vlan821.  Will this break NAT?  That is, does NAT have to have an address on $vlan6?

Regards,

Mike
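Added example (not part of the original mail and not code from pf or FreeBSD): the state line in the message above is the decisive piece of evidence, so the script below parses `pfctl -ss` style state lines and reports, per backend of an rdr pool, how many redirected states never saw a reply. pf keeps the rdr translation in the state entry and un-translates replies from that entry, so a state whose one side is still NO_TRAFFIC (or CLOSED for TCP, as in SYN_SENT:CLOSED) means the backend never answered or its answer never came back through this interface. The line layout is inferred from the single line quoted on the page and is an assumption: `<if> <proto> <backend:port> <- <rdr-address:port> <- <client:port>   <STATE:STATE>` for a redirected inbound state, one arrow and two endpoints for an untranslated one. Which side of the STATE:STATE column pf prints first is deliberately not interpreted. The sample lines are constructed.

```python
"""Flag pf redirect (rdr) states that never carried a reply."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# <if> <proto> <endpoints...>   <STATE:STATE>; pfctl separates the state column
# with a run of spaces, which the rule lines of `pfctl -sa` never contain.
_LINE = re.compile(r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<endpoints>.+?)\s{2,}(?P<state>\S+)$")

# Peer states meaning "nothing has been seen from this side yet".
_NOTHING_SEEN = {"NO_TRAFFIC", "CLOSED"}


def _host(endpoint: str) -> str:
    """Strip the :port suffix; pfctl prints IPv6 endpoints as [addr]:port."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


@dataclass(frozen=True)
class PfState:
    ifname: str
    proto: str
    endpoints: Tuple[str, ...]   # two entries (plain) or three (translated)
    arrow: str                   # "<-" inbound, "->" outbound
    peer_states: Tuple[str, str]

    @property
    def translated(self) -> bool:
        return len(self.endpoints) == 3

    @property
    def local(self) -> str:
        # Leftmost endpoint: for an inbound rdr state, the real target (backend).
        return self.endpoints[0]

    @property
    def translated_address(self) -> Optional[str]:
        # Middle endpoint: the address the peer actually sent to (the rdr address).
        return self.endpoints[1] if self.translated else None

    @property
    def remote(self) -> str:
        return self.endpoints[-1]

    @property
    def unanswered(self) -> bool:
        # Exactly one side has seen traffic, whichever order pf prints the sides in.
        a, b = self.peer_states
        return (a in _NOTHING_SEEN) != (b in _NOTHING_SEEN)


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one `pfctl -ss` line; return None for anything else (rules, headers)."""
    m = _LINE.match(line.rstrip())
    if not m:
        return None
    parts = m.group("endpoints").split()
    if len(parts) == 3:
        endpoints, arrow = (parts[0], parts[2]), parts[1]
    elif len(parts) == 5 and parts[1] == parts[3]:
        endpoints, arrow = (parts[0], parts[2], parts[4]), parts[1]
    else:
        return None
    states = m.group("state").split(":")
    if arrow not in ("<-", "->") or len(states) != 2:
        return None
    return PfState(m.group("ifname"), m.group("proto"), endpoints, arrow, (states[0], states[1]))


def rdr_states(lines: Iterable[str], rdr_address: str) -> List[PfState]:
    """Inbound states that were redirected away from rdr_address (a bare host)."""
    found = []
    for line in lines:
        st = parse_state_line(line)
        if st and st.translated and st.arrow == "<-" and _host(st.translated_address) == rdr_address:
            found.append(st)
    return found


def unanswered_rdr_states(lines: Iterable[str], rdr_address: str) -> List[PfState]:
    return [st for st in rdr_states(lines, rdr_address) if st.unanswered]


def per_backend_summary(lines: Iterable[str], rdr_address: str) -> Dict[str, Dict[str, int]]:
    """{backend endpoint: {"total": n, "unanswered": m}} for redirects from rdr_address."""
    summary = defaultdict(lambda: {"total": 0, "unanswered": 0})
    for st in rdr_states(lines, rdr_address):
        summary[st.local]["total"] += 1
        if st.unanswered:
            summary[st.local]["unanswered"] += 1
    return dict(summary)


# Constructed sample, modelled on the state line quoted in the message (assumed layout).
SAMPLE_STATES = """\
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108       NO_TRAFFIC:SINGLE
vlan6 udp 10.212.1.12:53 <- 10.212.1.1:53 <- 10.211.128.146:54109       MULTIPLE:MULTIPLE
vlan6 tcp 10.212.1.12:53 <- 10.212.1.1:53 <- 10.211.128.20:41022       ESTABLISHED:ESTABLISHED
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54110       NO_TRAFFIC:SINGLE
vlan6 tcp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.20:41030       SYN_SENT:CLOSED
vlan821 udp 10.212.1.5:32000 -> 10.211.0.10:53       MULTIPLE:MULTIPLE
nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
""".splitlines()


if __name__ == "__main__":
    for backend, c in sorted(per_backend_summary(SAMPLE_STATES, "10.212.1.1").items()):
        flag = "  <-- never answers" if c["unanswered"] == c["total"] else ""
        print(f"{backend:<20} {c['unanswered']}/{c['total']} unanswered{flag}")
```

Run it against live output with `pfctl -ss | python3 thisscript.py` adapted to read stdin, or paste the lines into SAMPLE_STATES; a backend whose every redirected state stays unanswered while its pool-mates answer points at that host (or the return path from it), not at the rdr rule.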

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17838240D9A5544AAA5FF95F8D52031603067F88>