> See "ftp://ftp3.usa.openbsd.org/pub/OpenBSD/doc/pf-faq.txt",
> especially the part about "Redirection and Reflection".

I've read that, and Split-horizon DNS isn't really applicable. However,
on two other points, I'm not so sure of:

1. TCP proxying seems like it might be overkill. I'd like to eventually
use relayd for dynamic address pools, but I was planning on keeping it
at layer 3 redirection, because I don't know if performance will be an
issue when using relayd in its TCP proxy mode, especially given the
short, frequent, and high volume of connections (by their nature).

2. Creating a separate physical network (by making these load balancers
bridges), also seems like more than I need, but is the current fallback
if I don't get the reflection to work properly.

I realize that the FAQ page says that using the reflection method via
two rules (rdr-to and nat-to) isn't really the recommended way of doing
this ("In general, the previously mentioned solutions should be used
instead."), and if that is really the best advice for me to take, I
will, but even so, I'm still curious as to what I'm doing wrong, since
packet reflection should still work.

-- 
Bryan Burke
bbu...@baburke.net
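For readers following the thread, here is the two-rule reflection form the FAQ describes (rdr-to plus nat-to on the same interface), written out as an added example; it is not from the thread or from the FAQ verbatim, and the interface name and addresses are assumptions chosen for illustration.

```pf
# Added example, not from the original post. Reflection for internal clients
# that connect to the public address of a server living on the same LAN.
# Interface name and addresses are assumptions for illustration only.
int_if   = "em0"            # assumed internal (LAN) interface
ext_addr = "203.0.113.10"   # assumed public address the clients connect to
server   = "192.168.1.40"   # assumed internal web server

# Rule 1: rewrite the destination. Internal clients that hit the public
# address are redirected to the internal server.
pass in on $int_if proto tcp from $int_if:network to $ext_addr port 80 \
    rdr-to $server

# Rule 2: rewrite the source on the way back out of the SAME interface.
# Without this the server answers the client directly; the client then
# sees a reply from $server instead of $ext_addr, does not match it to
# its connection, and the session never completes.
pass out on $int_if proto tcp to $server port 80 \
    received-on $int_if nat-to $int_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` while a client connects: a working reflection shows two state entries for one connection, one carrying the rdr-to translation and one carrying the nat-to translation. The known cost, which is why the FAQ steers people toward the other approaches, is that the server only ever sees the firewall's address as the client source, so its logs and any per-client controls lose the real client address.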
