Hi,
I have a server with 2 vlan interfaces + 2 carped interfaces.
Replies for blocked connections (TCP reset or ICMP port unreachable) are
coming out through the wrong interface (i.e. always on the default gw).
Near the end of my pf.conf I have the following rules:
@49: block return in quick log on $vlan10_if from <local_net> reply-to ($vlan10_if $vlan10_gw)
@50: block return in quick log on $vlan20_if from <local_net> reply-to ($vlan20_if $vlan20_gw)
Default gw is on vlan10 interface.
When I try to connect to the second interface (vlan20), the returns are
coming from the first interface (vlan10).
pflog:
Aug 03 11:12:17.442169 rule 50/(match) block in on vlan20: 10.1.1.1.50818 > 10.1.20.3.4000: S 644386329:644386329(0) win 14600 <mss 1460,sackOK,timestamp 861260278 0,nop,wscale 4> (DF) [tos 0x10]
tcpdump on vlan20:
11:19:17.673638 10.1.1.1.50834 > 10.1.20.3.4000: S 381640153:381640153(0) win 14600 <mss 1460,sackOK,timestamp 861365336 0,nop,wscale 4> (DF) [tos 0x10]
tcpdump on vlan10:
11:19:17.673656 10.1.20.3.4000 > 10.1.1.1.18.50834: R 0:0(0) ack 381640154 win 0 (DF) [tos 0x10]
The problem must be that there is no state created (from pf.conf(5):
"reply-to is useful only in rules that create state").
Similarly for UDP packets (ICMP port unreachable).
Is there a way to sort this out and route packets to the correct interface?
Thanks
G
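The diagnosis above rests on reading two captures side by side and noticing that the RST left on a different interface than the SYN arrived on. The script below is an added example (not part of the post, and not pf's own tooling) that automates that comparison: it parses interface-labelled tcpdump output of the kind quoted above, pairs each blocked request (TCP SYN or UDP datagram) with the reply it provoked (TCP RST or ICMP port unreachable), and flags every reply that exited on an interface other than the one the request came in on. The sample capture is constructed from the post's lines; the RST line is written with a well-formed client address (the post's copy carries a stray octet), and the UDP/ICMP pair is made up to cover the second case the post mentions. The `tcpdump on <iface>:` header format is an assumption about how the captures are labelled.

```python
import re

# Constructed sample, modelled on the captures quoted in the post.
# The "tcpdump on <iface>:" header lines mark which interface each
# capture was taken on; the UDP/ICMP pair is invented for illustration.
SAMPLE_CAPTURE = """\
tcpdump on vlan20:
11:19:17.673638 10.1.1.1.50834 > 10.1.20.3.4000: S 381640153:381640153(0) win 14600 <mss 1460,sackOK,timestamp 861365336 0,nop,wscale 4> (DF) [tos 0x10]
11:19:20.100000 10.1.1.1.40001 > 10.1.20.3.5000: udp 12
tcpdump on vlan10:
11:19:17.673656 10.1.20.3.4000 > 10.1.1.1.50834: R 0:0(0) ack 381640154 win 0 (DF) [tos 0x10]
11:19:20.100100 10.1.20.3 > 10.1.1.1: icmp: 10.1.20.3 udp port 5000 unreachable
"""

IFACE_RE = re.compile(r"^tcpdump on (\S+):$")
TCP_RE = re.compile(r"^(\S+) (\S+) > (\S+): ([SRFPA.]+) ")
UDP_RE = re.compile(r"^(\S+) (\S+) > (\S+): udp ")
UNREACH_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: (\S+) udp port (\d+) unreachable")


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' notation into (host, port)."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Turn interface-labelled tcpdump output into packet records.

    Each record carries the interface it was seen on, a role (request or
    reply) and a flow key that a request shares with the reply it provoked.
    """
    packets = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if iface is None or not line.strip():
            continue
        m = TCP_RE.match(line)
        if m:
            src, sport = split_endpoint(m.group(2))
            dst, dport = split_endpoint(m.group(3))
            flags = m.group(4)
            if "R" in flags:
                # RST travels server -> client; key it from the client's view.
                packets.append({"iface": iface, "ts": m.group(1), "role": "reply",
                                "flow": ("tcp", dst, dport, src, sport)})
            elif "S" in flags and " ack " not in line:
                packets.append({"iface": iface, "ts": m.group(1), "role": "request",
                                "flow": ("tcp", src, sport, dst, dport)})
            continue
        m = UDP_RE.match(line)
        if m:
            src, _sport = split_endpoint(m.group(2))
            dst, dport = split_endpoint(m.group(3))
            # The ICMP unreachable line quotes only the destination port,
            # so UDP flows are keyed without the client's source port.
            packets.append({"iface": iface, "ts": m.group(1), "role": "request",
                            "flow": ("udp", src, dst, dport)})
            continue
        m = UNREACH_RE.match(line)
        if m:
            client, server, port = m.group(3), m.group(4), int(m.group(5))
            packets.append({"iface": iface, "ts": m.group(1), "role": "reply",
                            "flow": ("udp", client, server, port)})
    return packets


def find_asymmetric_replies(packets):
    """Return replies that left on a different interface than their request arrived on."""
    request_iface = {}
    for p in packets:
        if p["role"] == "request":
            request_iface.setdefault(p["flow"], p["iface"])
    findings = []
    for p in packets:
        if p["role"] != "reply":
            continue
        in_iface = request_iface.get(p["flow"])
        if in_iface is not None and in_iface != p["iface"]:
            findings.append({"flow": p["flow"], "request_iface": in_iface,
                             "reply_iface": p["iface"], "ts": p["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(parse_capture(SAMPLE_CAPTURE)):
        proto, client = f["flow"][0], f["flow"][1]
        print(f"{f['ts']} {proto} reply to {client} left on {f['reply_iface']}, "
              f"but the request arrived on {f['request_iface']}")
```

Run against captures taken on each interface at the same time, the script reports the two mismatches the post describes (a TCP RST and an ICMP unreachable both leaving on vlan10 for requests that arrived on vlan20) and stays silent when the reply goes back out the interface the request came in on.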