Hi, I have created an OpenBSD 6.6 VM in the Azure cloud that I plan to use as a
firewall. I had planned on using carp, but I can't get it working in Azure, so I
think I can use an Internal Load Balancer to achieve my aim of having two
redundant OBSD firewalls in Azure. The problem I have is that the Azure
Internal Load Balancer requires a health probe to work. So I create a load
balancer health probe, set it to the SSH service on my FW host and set it to
every 5 seconds. I can see the traffic on my FW, but the health probe doesn't
work, and I think it's because the traffic from the Azure discovery IP
"168.63.129.16" that is doing the probe is coming from within the Azure
network, hitting my internal NIC and then going on to the SSH service, and then
finally leaving, but on the external interface.

tcpdump -n -e -ttt -i pflog0 -v
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0: [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 > 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0) ack 3958895254 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) (ttl 64, id 2960, len 52, bad ip cksum 0! -> 52f0)

Rule 1 = block log all
168.63.129.16 = Azure Discovery Address
10.x.x.4      = My External IP on hvn0
10.x.x.36     = My Internal IP on hvn1

I tried changing the state rules to allow the traffic out on the external
interface, and I thought I had it working earlier today by changing state-policy
from if-bound to floating, but I can't reproduce that again for some reason...
anyway, it didn't seem to work.
I think I really just need to force the traffic back out the internal interface,
but I just don't know how to do that?

If anyone could help me it would be really appreciated.
Thanks

Keith
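The pflog line above shows the classic asymmetric-routing symptom: the probe's SYN arrives on hvn1 (internal), but the SYN/ACK is routed by the kernel routing table out hvn0 (external) with the wrong source address, so pf's `block log all` drops it and the probe never sees a reply. pf's `reply-to` option pins the reply path of a state to a chosen interface and next hop, independently of the routing table. The pf.conf fragment below is an added example and is not from the original post or from the OpenBSD project; the interface names and the probe address come from the post, while the internal-subnet gateway `int_gw` is a hypothetical placeholder that must be replaced with the real next hop on the hvn1 subnet. The `reply-to ($int_if $int_gw)` form is the syntax of the OpenBSD 6.6 pf.conf(5); later releases changed the route option grammar, so check pf.conf(5) for the version in use.

```pf
# /etc/pf.conf fragment: answer the Azure LB health probe on the same
# interface it arrived on (added example; not the poster's configuration).

ext_if      = "hvn0"            # external NIC (10.x.x.4 in the post)
int_if      = "hvn1"            # internal NIC (10.x.x.36 in the post)
azure_probe = "168.63.129.16"   # Azure platform / health-probe source address
int_gw      = "192.0.2.1"       # ASSUMPTION: next hop on the hvn1 subnet; replace

set state-policy floating       # OpenBSD default; if-bound also works with reply-to
set skip on lo

block log all

# Accept the probe on the internal interface and create state.  reply-to
# forces every reply packet of that state out $int_if towards $int_gw, so the
# SYN/ACK no longer follows the default route out $ext_if and gets blocked.
pass in quick on $int_if reply-to ($int_if $int_gw) inet proto tcp \
    from $azure_probe to ($int_if) port 22 flags S/SA keep state

# Checks (run as root after editing):
#   pfctl -nf /etc/pf.conf                  # syntax check only, no load
#   pfctl -f /etc/pf.conf                   # load the ruleset
#   route -n get 168.63.129.16              # shows why the reply left via hvn0
#   tcpdump -n -i hvn1 host 168.63.129.16   # expect SYN in and SYN/ACK out on hvn1
#   pfctl -ss | grep 168.63.129.16          # state should show ESTABLISHED/CLOSED cycles
#   tcpdump -n -e -ttt -i pflog0            # the "block out on hvn0" entries should stop
```

If the probe targets a port other than 22 in the LB configuration, change `port 22` to match; the rule is deliberately narrow (probe source only, internal interface only) so it does not open the management port to the rest of the internal network.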
