Ok, this is something that would work for me, ideally. I've tried every combination of rules I can think of, and can't get my OpenBSD machine to reflect the packets back out the interface they came in on (including the rules outlined in the FAQ), and I'm ready to ask for help :)
So, here's my situation: I'm trying to get a machine to act as a load balancer for LDAP, without creating a separate physical network. This machine has a virtual IP (on a carp interface). I want to accept the traffic, redirect it to a backend LDAP server, then put it back out on the same network to reach the LDAP backend.

I've stripped my ruleset down to just these two rules to make sure it isn't some other aspect of the firewall:

    pass in on $int proto tcp from $int:network to $ldap \
        port ldap rdr-to $slave
    pass out on $int proto tcp to $slave port ldap received-on \
        $int nat-to $int

But these don't seem to work either. "systat rules" indicates that the packets do reach/match the second rule (I see the packet counts rise for the first rules when I try to connect, but the second rule's count remains at zero).

I'm just looking for some insight or perspective on this problem. Any help is appreciated. Thanks in advance for your time.

--
Bryan Burke
bbu...@baburke.net
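When a rule's counter sits at zero, the first thing to establish is whether pf never evaluated the rule at all (the packet matched an existing state, or an earlier quick rule took it) or evaluated it and found no match (the rule's criteria are wrong). The verbose listing from `pfctl -vvsr` shows both the evaluation and packet counters per rule. The following is an added helper, not code from the post or from OpenBSD, that parses that listing and classifies each rule; the sample output, interface name em0 and addresses are constructed to mirror the two rules above.

```python
import re
from dataclasses import dataclass

# Constructed sample of `pfctl -vvsr` output for the two rules in the post.
# The counter values are made up; the layout follows pfctl's verbose listing.
SAMPLE = """\
@0 pass in on em0 inet proto tcp from 192.0.2.0/24 to 192.0.2.10 port = 389 flags S/SA rdr-to 192.0.2.20
  [ Evaluations: 9         Packets: 6         Bytes: 420         States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 1     ]
@1 pass out on em0 inet proto tcp from any to 192.0.2.20 port = 389 flags S/SA received-on em0 nat-to 192.0.2.1
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
"""

COUNTERS = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)


@dataclass
class RuleStats:
    rule: str
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0
    states: int = 0


def parse_rules(text):
    """Turn `pfctl -vvsr` output into one RuleStats per rule."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # rule text is unindented; counters follow indented
            rules.append(RuleStats(rule=line.strip()))
            continue
        m = COUNTERS.search(line)
        if rules and m:
            ev, pk, by, st = map(int, m.groups())
            rules[-1].evaluations, rules[-1].packets = ev, pk
            rules[-1].bytes, rules[-1].states = by, st
    return rules


def classify(rs):
    """Explain a rule's counters the way you would when debugging a ruleset."""
    if rs.evaluations == 0:
        # pf consults the ruleset only for packets that do not match an existing
        # state, so a rule that is never evaluated is being shadowed by a state
        # created by an earlier rule (or by an earlier 'quick' rule), not failing
        # on its own criteria.
        return "never evaluated: traffic matched an existing state or an earlier quick rule"
    if rs.packets == 0:
        return "evaluated but never matched: check the rule's match criteria"
    return "matching"
```

Feed it the real listing with `parse_rules(subprocess.check_output(["pfctl", "-vvsr"], text=True))` on the OpenBSD box; a "never evaluated" verdict on the `pass out` rule means the outbound packet is being handled by the state the `pass in` rule created, not by the rule itself.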