We've been using pf for a number of years with one pf firewall serving
multiple backend servers (i.e. a load-balanced web farm). Now we've added more
backend servers with their own external ip addresses. It seems a waste to
have one firewall for low volume, specialized sites, forwarding to only one
set of servers.

We're trying to have the same OpenBSD server redirect traffic based on the
external ip address.

What we're having difficulty with right now is getting relayd and pf to
redirect the same ports, for example 80 & 443, to different backend servers
based on external ip (and domain name). It does work with ip addresses but
not with domain names.

In pf...
We have a relayd anchor where pf will forward based on tagged names.
Nothing special here. Pf filters port range 81:442, only directing 80 & 443
to 443 (always) on the specified internal server or farm based on the
"tagged" name.

The following works in relayd.conf when the ip addresses are specified (most
macros and tables have been removed for clarity):

redirect webone{
        listen on 1.2.3.4 port 80:443 interface $ext_if
        tag tag_one
        forward to <int_ipone> port 443 check tcp
}

redirect web2{
        listen on 2.3.4.5 port 80:443 interface $ext_if
        tag tag_two
        forward to <int_iptwo> port 443 check tcp
}

The following does not work:
redirect webone{
        listen on sub.sub.domain1.com port 80:443 interface $ext_if
        tag tag_one
        forward to <int_ipone> port 443 check tcp
}

redirect web2{
        listen on $sub.sub.domain2.com port 80:443 interface $ext_if
        tag tag_two
        forward to <int_iptwo> port 443 check tcp
}

When this is entered, relayd -d -vv -f /etc/relayd.conf will complain that
these listen lines have "invalid virtual ip".

Am I missing something crucial here? Or is this simply a limitation of the
technology?

Any suggestions or working examples would be greatly appreciated.

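For reference, here is the complete address-based pattern the post describes as working, with the macros and tables that were stripped for clarity filled back in. This is an added example and not the poster's own configuration: the interface name em0, the backend addresses in the tables, and the pf rule layout are assumptions, and the external addresses 1.2.3.4 and 2.3.4.5 are the placeholders from the post.

```conf
# /etc/relayd.conf (added example; interface and backend addresses are assumed)

ext_if="em0"

# one external (virtual) address per site, given as addresses, not hostnames
webone_ip="1.2.3.4"
web2_ip="2.3.4.5"

# backend farms; relayd balances across the members that pass the check
table <int_ipone> { 10.0.0.11 10.0.0.12 }
table <int_iptwo> { 10.0.1.11 }

redirect webone {
        listen on $webone_ip port 80:443 interface $ext_if
        tag tag_one
        forward to <int_ipone> port 443 check tcp
}

redirect web2 {
        listen on $web2_ip port 80:443 interface $ext_if
        tag tag_two
        forward to <int_iptwo> port 443 check tcp
}

# /etc/pf.conf (added example; the anchor line is what relayd requires,
# the tagged pass rules let only relayd-redirected traffic through)

ext_if="em0"

anchor "relayd/*"

block in on $ext_if

# only packets relayd has tagged reach the backend farms
pass in on $ext_if proto tcp to port { 80 443 } tagged tag_one
pass in on $ext_if proto tcp to port { 80 443 } tagged tag_two
```

Checking the files with `relayd -n -f /etc/relayd.conf` and `pfctl -nf /etc/pf.conf` before loading them catches the "invalid virtual ip" class of error at parse time rather than after a reload; with addresses in the `listen on` lines both files parse, and `relayctl show redirects` and `pfctl -a 'relayd/*' -sr` show the resulting redirects and the rules relayd installed in the anchor.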