>Number:         148290
>Category:       kern
>Synopsis:       "sticky-address" option of Packet Filter (PF) blocks connection
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 01 12:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Simon "Saimoun" Lasnier
>Release:        8.0-RELEASE
>Organization:
C2B
>Environment:
FreeBSD lb-Stemp.c2bsa.local 8.0-RELEASE FreeBSD 8.0-RELEASE #1: Wed Jun 30 14:39:04 UTC 2010     r...@lb-stemp.c2bsa.local:/usr/obj/usr/src/sys/SOEKRIS  i386

>Description:
When using Packet Filter (PF) for load-balancing outgoing connections with 2 
addresses in the pool, each connection randomly takes one of the two addresses.
If we want each source address to always take the same path, we need to put 
the keyword "sticky-address" in the pass rule in pf.conf.
On a computer where the LAN is "vr1" and the two WANs are "vr2" and "vr3", this 
rule is used:

pass in log on vr1 route-to {(vr2 $vr2_gw),(vr3 $vr3_gw)} \
    sticky-address from <lan> to !<lan>

But this option seems to allow only one computer for each connection.
When one computer is already connected through one of the two WANs, if another 
computer wants to access the same WAN, it cannot. But on pflog0, pf says 
that it has passed the connection, on the right rule (the one which has a 
route-to).
>How-To-Repeat:
Install FreeBSD on a computer (called "FreeBSD-PC") which has at least 3 
interfaces (called vr1, vr2 and vr3).

We suppose that there is one LAN, 192.168.0.0/24, connected to vr1, and two 
WANs whose gateways are 81.42.133.1 and 146.43.222.34, connected respectively to 
vr2 and vr3.

Create /etc/pf.conf and put these lines in it:

pass in log on vr1 route-to { (vr2 81.42.133.1), (vr3 146.43.222.34) } \
    sticky-address from 192.168.0.0/24 to !192.168.0.0/24

Launch PF:
prompt# pfctl -e
prompt# pfctl -F all -f /etc/pf.conf

Now connect two other computers to FreeBSD-PC, configure their Ethernet 
interfaces on the 192.168.0.0/24 network, and add to their routing tables a 
default route to FreeBSD-PC (for example "route add default 192.168.0.1" if 
192.168.0.1 is the address of FreeBSD-PC on the vr1 interface).

Then, if you try to access the Internet (through one of the two WANs) with 
the two computers, sometimes it will work (with a good "sticky", that is to say 
one computer always takes the same WAN), but sometimes one of the two computers 
is blocked: packets never reach the gateway, whereas we can see "pass" on the 
pflog0 interface.
>Fix:
Don't know.

>Release-Note:
>Audit-Trail:
>Unformatted:
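The report above says a second LAN host cannot reach a WAN already in use by another host, even though pflog0 shows "pass". One thing a practitioner would check before anything else is pf's source-tracking table, since sticky-address is implemented as per-source nodes that pin a source address to the pool member it was first given. The script below is an added example, not part of this PR nor of FreeBSD's pfctl: it takes `pfctl -sS` output on stdin and counts how many distinct sources are pinned to each gateway, so you can see whether both hosts were in fact assigned the same gateway when one of them was blocked. The node line layout it parses (`src -> gw ( states N, connections N, rate R/Ts )`) is assumed from how pfctl prints source nodes; the three sample lines are constructed, standing in for output from the submitter's firewall.

```shell
# Added example, not part of the PR: summarize pf's source-tracking nodes per
# gateway. With sticky-address working as documented, several LAN hosts can be
# pinned to the same gateway; the symptom in this PR would show up as a gateway
# that never collects more than one source while the other host is blocked.
#
# Assumption: each node line from `pfctl -sS` looks like
#   src -> gw ( states N, connections N, rate R/Ts )
# (layout as printed by FreeBSD's pfctl; verify against your own output).

# Constructed sample standing in for `pfctl -sS` on the submitter's firewall:
# two LAN hosts pinned to vr2's gateway, one pinned to vr3's gateway.
SAMPLE_SRC_NODES='192.168.0.10 -> 81.42.133.1 ( states 4, connections 0, rate 0.0/0s )
192.168.0.11 -> 81.42.133.1 ( states 2, connections 0, rate 0.0/0s )
192.168.0.12 -> 146.43.222.34 ( states 1, connections 0, rate 0.0/0s )'

# Read `pfctl -sS` text on stdin; print "<gateway> <distinct sources>" per gateway.
# Lines whose second field is not "->" (the -v detail lines) are ignored.
summarize_src_nodes() {
    awk '
        $2 == "->" && !seen[$1 SUBSEP $3]++ { gw[$3]++ }
        END { for (g in gw) printf "%s %d\n", g, gw[g] }
    ' | sort
}

# Read `pfctl -sS` text on stdin; print how many distinct sources are pinned
# to the gateway given as $1 (0 if the gateway has no node).
count_sources_on() {
    summarize_src_nodes | awk -v g="$1" '
        $1 == g { print $2; found = 1 }
        END { if (!found) print 0 }
    '
}

# Demo on the constructed sample. On the firewall itself you would run:
#   pfctl -sS | summarize_src_nodes
printf '%s\n' "$SAMPLE_SRC_NODES" | summarize_src_nodes
```

On the firewall, `pfctl -vsS` adds the node's age, expiry and the rule number that created it, which tells you whether the node really came from the route-to rule. Nodes that no longer have states are removed after the `src.track` timeout (`set timeout src.track`, which defaults to 0 seconds), so run the check while the blocked host is still retrying, and pair it with `tcpdump -n -e -ttt -i pflog0` and a capture on the chosen WAN interface to see where the passed packet actually goes.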
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs