Max Laier wrote:
On Sunday 15 April 2007 20:11, Alex Povolotsky wrote:
Hello!

I'm trying to set up a box as round-robin TCP proxy. Of course, I'm
trying to do everything on kernel-level.

This simple setup

rdr on sk0 proto tcp from any to any port = smtp -> <outbound> port 25 round-robin

should work. At least, I thought so.

However, an attempt to connect to port 25 yielded an unexpected result. pfctl -s state shows

self tcp 89.108.94.212:25 <- 89.108.94.91:25 <- 89.108.94.211:56975       CLOSED:SYN_SENT

Your test hosts seem to be on the same subnet. This does not work as you seem to think. In the same broadcast domain it is not possible for the pf box to forward the packet on behalf of the sending host (otherwise it would confuse the recipient or the switch). Instead it emits icmp redirects, which are ignored in a normal setup.

You have to separate the two networks in order for redirect to work the way you want it to.

I have separated them.
#pfctl -s nat
rdr on rl0 proto tcp from any to any port = smtp -> <outbound> port 25 round-robin
# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 89.108.94.212:25 <- 10.180.210.2:25 <- 10.180.210.1:61298 CLOSED:SYN_SENT

tcpdump does not show any ICMP redirect

unknown-1717# tcpdump -l -n -i rl0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:14.907833 arp who-has 10.180.210.2 tell 10.180.210.1
20:53:14.907857 arp reply 10.180.210.2 is-at 00:0e:2e:98:7e:55
20:53:14.907924 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285791868 0,sackOK,eol>
20:53:17.907599 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285794868 0,sackOK,eol>
20:53:21.107441 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 285798068 0,sackOK,eol>
20:53:24.307283 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
20:53:27.507126 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
20:53:30.706974 IP 10.180.210.1.57528 > 10.180.210.2.25: S 3593018807:3593018807(0) win 65535 <mss 1460,sackOK,eol>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

What am I doing wrong? Or can I only redirect routable traffic?

Nope, I've added an alias to the "external" interface, no changes.

Alex
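An added check, not part of this thread, that parses `pfctl -s state` output in the format quoted above and flags translated (rdr) states sitting at CLOSED:SYN_SENT, i.e. the client's SYN was redirected but nothing ever came back through the pf box (the tcpdump above shows only SYN retransmissions). The regex is derived from the lines in this thread; the second sample state line is constructed.

```python
import re
from dataclasses import dataclass

# Line format as quoted in this thread (pfctl -s state); a translated rdr/nat
# state prints three endpoints, an untranslated one prints two.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<ep1>\S+)\s+(?:<-|->)\s+(?P<ep2>\S+)"
    r"(?:\s+(?:<-|->)\s+(?P<ep3>\S+))?\s+"
    r"(?P<s1>[A-Z_]+):(?P<s2>[A-Z_]+)\s*$"
)

@dataclass
class PfState:
    iface: str
    proto: str
    endpoints: list   # 3 entries for a translated state, 2 otherwise
    states: tuple     # (left, right) as printed, e.g. ("CLOSED", "SYN_SENT")

    @property
    def translated(self) -> bool:
        return len(self.endpoints) == 3

    @property
    def half_open(self) -> bool:
        # One side sent a SYN, the other has sent nothing at all: no reply
        # ever came back through the firewall.
        return set(self.states) == {"CLOSED", "SYN_SENT"}

def parse_states(text: str) -> list:
    """Parse pfctl -s state output, ignoring ALTQ warnings and blank lines."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            eps = [e for e in (m["ep1"], m["ep2"], m["ep3"]) if e]
            out.append(PfState(m["iface"], m["proto"], eps, (m["s1"], m["s2"])))
    return out

def stuck_redirects(text: str) -> list:
    """Translated states whose handshake never completed: the rdr target is
    not answering back through this box (same broadcast domain or bad return path)."""
    return [s for s in parse_states(text) if s.translated and s.half_open]

# Constructed sample: the thread's stuck line plus one healthy untranslated state.
SAMPLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 89.108.94.212:25 <- 10.180.210.2:25 <- 10.180.210.1:61298 CLOSED:SYN_SENT
self tcp 10.180.210.2:22 <- 10.180.210.1:50001 ESTABLISHED:ESTABLISHED
"""
```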

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net