29.01.2021 22:15, Kajetan Staszkiewicz wrote:
> So far so good. But what if a LB wants to access the service?
>
> SYN:
> 1. LB sends out a packet through public interface because that's where
> the default gateway points.
> 2. Core router sends the packet to one of LBs, in this case the same one
> who originated the packet.
> 3. It arrives at the public interface of LB where it is matched against
> a route-to pf rule. A public-side pf state is created, a tag is assigned.
> 4. pf's route-to routes it to a LB Node / target.
> 5. Leaves the LB over internal interface, matches the tag, another state
> is created.
>
> ACK:
> 1. From LB Node
> 2. Hits internal interface of LB, the state is already there.
> 3. Normal routing decision of LB decides to send the packet to IP stack.
> 4. The packet never hits the pf state on the public side of LB.
> 5. The public side pf state never sees ACK from the LB Node, the state
> times out very fast.
>
> My goal is to have load-balanced connections to *always* behave like they
> come from the Internet, that is to leave the LB and bounce off the core
> router.
I'm not a pf user, so I wonder: why do you need to create any firewall state for such traffic at all? Can't you route such packets in stateless mode? I don't see any value in pf states for such packets.
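To make the two designs under discussion concrete, here is a constructed pf.conf fragment (an added illustration, not configuration from either poster): the first rule pair is the stateful route-to setup the quoted message describes, the second is the stateless variant the reply asks about. Interface names, the VIP and the node addresses are assumptions chosen for the example.

```text
# Constructed example: interface and address names are placeholders.
ext_if = "vtnet0"        # public side; the default route points out here
int_if = "vtnet1"        # internal side, towards the LB nodes
vip    = "192.0.2.10"    # load-balanced service address (documentation range)
nodes  = "{ 10.0.0.11, 10.0.0.12 }"

# (1) Stateful route-to, as described in the quoted message.
#     The public-side state is created on the SYN.  The node's reply comes
#     back in on $int_if and is delivered to the LB's own IP stack, so the
#     public-side state never sees the rest of the handshake and expires.
pass in on $ext_if route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
    proto tcp from any to $vip port 80 tag LB keep state
pass out on $int_if tagged LB keep state

# (2) Stateless forwarding of the same traffic, the alternative the reply
#     suggests.  No state is created, so the asymmetric return path cannot
#     leave a half-open entry behind.  The trade-off is that pf no longer
#     tracks sequence numbers or TCP flags for these packets, so every
#     direction must be passed explicitly.
pass in on $ext_if route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
    proto tcp from any to $vip port 80 tag LB no state
pass out on $int_if tagged LB no state
# Replies from the nodes arrive on $int_if and are the LB host's own
# traffic, so they need their own stateless pass rule.
pass in on $int_if proto tcp from $nodes to any no state
```

The `tag`/`tagged` pairing works on the packet itself, so it still ties the internal-side rule to the public-side match when no state is kept.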