Greetings, I'm experiencing an interesting problem and I'm googled out.

Trying to get mail from a firewall which is the carp master to an internally hosted e-mail server. The mail server is using a private IP address and the firewall is using a "binat" rule to translate a public carp IP to the private mail server ip. When the firewall tries to send mail to the mail server the firewall uses the carp address as the source address.

Here's some relevant info,

/etc/pf.conf:
..
email_pub="1.1.1.180/32"
email_pri="10.0.1.50/32"
..
binat from $email_pri to any -> $email_pub
..
Pass this and that...

[EMAIL PROTECTED] [~]# telnet 1.1.1.180 port 25

In another window...

[EMAIL PROTECTED] [~]# tcpdump -n -i em3 port 25
tcpdump: listening on em3
21:25:07.753097 1.1.1.180.3944 > 10.0.1.50.25: S 672757334:672757334(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1687436245 0> (DF) [tos 0x10]
21:25:07.753349 10.0.1.50.25 > 1.1.1.180.3944: S 634049029:634049029(0) ack 672757335 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
21:25:07.753376 1.1.1.180.3944 > 10.0.1.50.25: R 672757335:672757335(0) win 0 (DF)
^C

[EMAIL PROTECTED] [~]# ifconfig -a
[EMAIL PROTECTED] [~]% ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xd
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:11:28
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.0.3 netmask 0xffffff00 broadcast 172.16.0.255
        inet6 fe80::204:23ff:fe09:1128%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:11:29
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.1.13 netmask 0xfffffff8 broadcast 2.1.1.15
        inet6 fe80::204:23ff:fe09:1129%em1 prefixlen 64 scopeid 0x2
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:11:2a
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 2.1.1.129 netmask 0xfffffff8 broadcast 2.1.1.135
        inet6 fe80::204:23ff:fe09:112a%em2 prefixlen 64 scopeid 0x3
em3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:11:2b
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::204:23ff:fe09:112b%em3 prefixlen 64 scopeid 0x4
em4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:1a:30
        media: Ethernet autoselect
        status: no carrier
        inet 10.0.2.3 netmask 0xffffff00 broadcast 10.0.2.255
        inet6 fe80::204:23ff:fe09:1a30%em4 prefixlen 64 scopeid 0x5
em5: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:1a:31
        media: Ethernet autoselect
        status: no carrier
em6: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:1a:32
        media: Ethernet autoselect
        status: no carrier
em7: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:09:1a:33
        media: Ethernet autoselect
        status: no carrier
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0d:56:fd:d1:d8
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.1.1.187 netmask 0xffffffe0 broadcast 1.1.1.191
        inet6 fe80::20d:56ff:fefd:d1d8%bge0 prefixlen 64 scopeid 0x9
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0d:56:fd:d1:d9
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::20d:56ff:fefd:d1d9%bge1 prefixlen 64 scopeid 0xa
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: bge1 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 1.1.1.189 netmask 0xffffffe0
carp1: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 2 advbase 1 advskew 0
        inet 172.16.0.1 netmask 0xffffff00
carp16: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 16 advbase 1 advskew 0
        inet 1.1.1.180 netmask 0xffffffe0
carp17: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 17 advbase 1 advskew 0
        inet 1.1.1.181 netmask 0xffffffe0
carp2: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 3 advbase 1 advskew 0
        inet 2.1.1.9 netmask 0xfffffff8
carp3: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 4 advbase 1 advskew 0
        inet 2.1.1.131 netmask 0xfffffff8
carp4: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 5 advbase 1 advskew 0
        inet 10.0.1.1 netmask 0xffffff00
carp5: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 6 advbase 1 advskew 0
        inet 10.0.2.1 netmask 0xffffff00

My only thought is to try rdr and nat instead of binat, but binat seems cleaner to me.

Any thoughts?

-Steve S.