Date: Thu, 6 Mar 2008 13:17:04 +0100 (CET)
From: "Max Laier" <max@love2party.net>
To: "Attila Nagy" <bra@fsn.hu>
Cc: freebsd-net@freebsd.org
Subject: Re: pf reply-to broken in RELENG_7
Message-ID: <49906.192.168.4.151.1204805824.squirrel@router>
In-Reply-To: <47CFAD07.6020008@fsn.hu>
References: <47CFAD07.6020008@fsn.hu>
On Thu, 6 Mar 2008, 09:36, Attila Nagy wrote:
> Hello,
>
> I've just upgraded some of our 6-STABLE servers to 7-STABLE to notice
> that pf reply-to for directly connected IPs seems to be broken.
>
> I have the following relevant rule in pf.conf:
> pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any
> port 25 label "mxtraffic-tcp" keep state
>
> which routes incoming SMTP connections (to be exact, the replies to
> them) to the csmvip host, which is a load balancer. This is needed
> because the LB doesn't do source NAT (it does destination NAT however to
> direct traffic addressed to its virtual IP to the real servers' IPs),
> and the servers have a different default route than the LB. This way the
> servers reply to the LB, so it can rewrite the replies' source address
> to its virtual IP, so the client will see the correct IP (the LB's
> virtual IP) in the address, instead of the host's real address.
>
> It seems that this still works in 7-STABLE for the internet (not
> directly connected) hosts, but not for directly connected hosts, for
> example the ones which are in the same subnet as my servers.
> To overcome this, I've had to add static ARP entries to the servers, to
> tell them that the clients' hardware address is the address of the load
> balancer, but it would be better if the previous behaviour (as in
> 6-STABLE) could be restored.
>
> Could anybody help to resolve this?

Might be the lack of sleep and coffee, but I can't quite figure out the
network layout you are talking about. Could you draw up a small example
setup so I can follow? Or at least (pseudo-)IP addresses for client,
load-balancer, pf-box and servers?

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News