On Thu, 6.03.2008, 09:36, Attila Nagy wrote:
> Hello,
>
> I've just upgraded some of our 6-STABLE servers to 7-STABLE to notice
> that pf reply-to for directly connected IPs seems to be broken.
>
> I have the following relevant rule in pf.conf:
> pass in on $ext_if reply-to ( $ext_if csmvip ) proto tcp from any to any
> port 25 label "mxtraffic-tcp" keep state
>
> which routes incoming SMTP connections (to be exact, the replies to
> them) to the csmvip host, which is a load balancer. This is needed
> because the LB doesn't do source NAT (it does destination NAT however to
> direct traffic addressed to its virtual IP to the real servers' IPs),
> and the servers have a different default route than the LB. This way the
> servers reply to the LB, so it can rewrite the replies' source address
> to its virtual IP, so the client will see the correct IP (the LB's
> virtual IP) in the address, instead of the host's real address.
>
> It seems that this still works in 7-STABLE for the internet (not
> directly connected) hosts, but not for directly connected hosts, for
> example the ones, which are in the same subnet as my servers.
> To overcome this, I've had to add static ARP entries to the servers, to
> tell that the clients' hardware address is the address of the load
> balancer, but it would be better if the previous behaviour (as in
> 6-STABLE) could be restored.
>
> Could anybody help to resolve this?

Might be the lack of sleep and coffee, but I can't quite figure out the
network layout you are talking about. Could you draw up a small example
setup so I can follow? Or at least (pseudo-)IP addresses for client,
load-balancer, pf-box and servers?

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News