Hello misc,

With redirects in relayd, I thought that accessing the VIP from inside was impossible.

With a classic conf (found in man relayd.conf) like this :
redirect "www" {
    listen on www.example.com port 80
    forward to <service> check http "/" code 200
}

Relayd will create this type of rule :
pass in quick on rdomain 0 inet proto tcp from any to XX.XX.XX.XX port = 80 flags S/SA keep state (tcp.established 600) rdr-to <www> port 80 round-robin

And servers in <www> can't "wget http://www.example.com".

This is a typical reflection problem, which is well documented here with several solutions: http://openbsd.org/faq/pf/rdr.html#reflect

For a classic rdr-to, I used to apply the solution "RDR-TO and NAT-TO Combination", but with relayd I thought this was not possible (don't know why...).

The solution is actually pretty simple, and you can nearly follow the FAQ blindly.
The only thing is that I used the tag keyword in relayd.conf.

For example :

In relayd.conf :
redirect "www" {
    listen on www.example.com port 80
    forward to <service> check http "/" code 200
    tag RELAYD_WWW
}

In pf.conf :
pass out on $int_if tagged RELAYD_WWW received-on $int_if nat-to $int_if

Servers in <www> (or other servers in the same LAN) can now access www.example.com (the VIP) and will be load-balanced by the firewall. The web servers will see the IP of $int_if as the source IP.
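A complete minimal version of the two files, as an added example that is not from the original mail. The addresses and interface names are constructed: 192.0.2.10 is the VIP, the web servers are 10.0.0.11 and 10.0.0.12 behind $int_if.

```conf
# Added example, not from the original mail. All addresses and interface
# names below are constructed for illustration.

# --- /etc/relayd.conf ---
table <service> { 10.0.0.11 10.0.0.12 }

redirect "www" {
    listen on 192.0.2.10 port 80
    forward to <service> check http "/" code 200
    # every packet matched by the rdr-to rule relayd loads into pf gets this tag
    tag RELAYD_WWW
}

# --- /etc/pf.conf ---
ext_if = "em0"
int_if = "em1"

# relayd installs its generated rdr-to rules into anchors named relayd/<name>;
# without this anchor the redirect is never evaluated by pf
anchor "relayd/*"

# Reflection fix (FAQ "RDR-TO and NAT-TO Combination"): a LAN host connecting
# to the VIP has already been rdr-to'd to a web server and tagged by the
# relayd rule. Rewriting the source to $int_if forces the server's reply back
# through the firewall instead of straight to the client on the same LAN.
# "received-on $int_if" restricts this to LAN-originated connections; traffic
# from $ext_if is routed back through the firewall anyway and needs no NAT.
pass out on $int_if tagged RELAYD_WWW received-on $int_if nat-to $int_if

# Check that the rule relayd generated carries the tag:
#   pfctl -a "relayd/www" -sr
```

The rest of the filtering policy goes in pf.conf as usual; only the anchor and the tagged nat-to rule are specific to this setup.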

I'm writing this just in case someone is interested :-)
I once saw someone in misc@ who asked why he couldn't access the VIP from inside the LAN, and he resolved his problem by switching to relay instead of redirect, which is maybe not what he really wanted.

--
Mathieu