Stuart Henderson wrote:
...
>> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
>> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
>> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
> 
> I suspect you will need to allow the packets through in order to get
> the redirects sent. Are you allowing the outbound from 10.10 to 10.4 to
> pass in another rule that you didn't include? If not, that's likely to
> be the problem. If you're not sure, make sure blocked packets are logged,
> then monitor pflog0.

There was nothing in pflog, and here are my drop rules.  I have a 'pass out all
keep state' rule at the head of the ruleset (possible issue?).  I'll be
testing further to find out more later tonight.  After some further research
I see I'll also need an rdr for the ICMP to source them from the carp
interface as opposed to the real IP.

[EMAIL PROTECTED] pfctl -s rules | grep block
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! fxp2 inet from 10.10.0.0/16 to any
block drop in quick inet from 10.10.0.251 to any
block drop in quick on fxp2 inet6 from fe80::202:a5ff:fe60:5850 to any
block drop in log all
block drop in quick inet from any to 255.255.255.255
block drop in quick inet from any to 10.255.255.255
block drop in quick inet from any to 10.10.255.255
block drop in quick on fxp2 proto tcp from any to any port = epmap
block drop in quick on fxp2 proto udp from any to any port = epmap
block drop in quick on fxp2 proto tcp from any to any port = netbios-ns
block drop in quick on fxp2 proto udp from any to any port = netbios-ns
block drop in quick on fxp2 proto udp from any to any port = netbios-dgm
block drop in quick on fxp2 proto tcp from any to any port = netbios-ssn
block drop in quick on fxp2 proto tcp from any to any port = microsoft-ds
block drop in quick on fxp2 proto udp from any to any port = ssdp
block drop in quick on fxp2 proto udp from any to any port = 5000

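Added example, not part of the thread: a small Python evaluator for the rule syntax that "pfctl -s rules" prints, used to see which rule actually decides a given packet under pf's last-matching-rule-wins semantics (a "quick" match ends the walk). It parses only the subset of syntax visible in the rules above, ignores state tracking and rdr, and the order of the constructed sample ruleset is my assumption, since the thread shows two separate greps rather than the full ruleset.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ruleset: lines in the shape printed by "pfctl -s rules".
# The rules are copied from the thread, but their relative order here is an
# assumption made for this example (the thread shows two separate greps).
SAMPLE_RULES = """\
pass out all keep state
block drop in quick on ! fxp2 inet from 10.10.0.0/16 to any
block drop in quick inet from 10.10.0.251 to any
block drop in log all
pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
block drop in quick on fxp2 proto udp from any to any port = 5000
"""

# Covers only the subset of pfctl output syntax that appears in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)? (?P<dir>in|out)(?P<quick> quick)?(?: log)?"
    r"(?: on (?P<neg>! )?(?P<iface>\S+))?(?: (?P<af>inet6?))?(?: proto (?P<proto>\S+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\S+))?| all)?"
    r"(?: keep state)?$"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    iface_negated: bool
    af: Optional[str]
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    port: Optional[str]


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None


def parse_rules(text):
    """Turn pfctl-style rule lines into Rule records, in ruleset order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        g = m.groupdict()
        rules.append(Rule(line, g["action"], g["dir"], g["quick"] is not None,
                          g["iface"], g["neg"] is not None, g["af"], g["proto"],
                          g["src"], g["dst"], g["port"]))
    return rules


def _addr_matches(spec, addr):
    # "any" or an omitted address ("all") matches everything; otherwise CIDR test.
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.direction != pkt.direction:
        return False
    # "on ! ifname" matches every interface except ifname.
    if rule.iface is not None and (rule.iface == pkt.iface) == rule.iface_negated:
        return False
    if rule.af is not None:
        want = 6 if rule.af == "inet6" else 4
        if ipaddress.ip_address(pkt.src).version != want:
            return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != str(pkt.dport):
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rules, pkt):
    """Return (action, index) of the rule that decides pkt: the last matching
    rule wins, unless a matching rule is 'quick', which stops the walk.
    Index -1 means nothing matched (pf's default is to pass)."""
    decision = ("pass", -1)
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    pkt = Packet("in", "fxp2", "10.10.5.5", "10.4.1.1", "udp", 5000)
    action, idx = evaluate(rules, pkt)
    print(f"{action} by rule {idx}: {rules[idx].text}")
```

With the sample order, a UDP packet to port 5000 from 10.10/16 to 10.4/16 is passed by the earlier "pass in quick" rule before the port 5000 block is ever reached, which is the kind of ordering effect worth checking when a non-quick catch-all such as "pass out all keep state" sits at the head of the ruleset.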