Re: RFC#12 - PF version
> I had code doing this, and even pfctl erroring out with a nice message
> if kernel and userland are out of sync, but Theo refused it.

Why?

Julf
Re: pf corrupting packet checksums?
Claudio,

> This is because of delayed checksum calculation in ip_output.

Thanks for the explanation!

Julf
Re: Redirection - feeling utterly stupid
Karl,

> The rule in pf is that the last pass/block match wins, unless you say
> otherwise with quick.

Indeed. It's something that is too easy to forget when you try things. I had it right before, but got the order of the lines wrong as part of trying to get it to work.

Thanks for the correction. I feel less stupid now, as it turns out I had gotten it right after all (in an earlier version of the config). The problem seems to lie with either my ADSL modem or my ISP dropping packets to port 80 - connections to port 8080 (or anything except 80) work OK. Sounds like a broken web cache...

Julf
route-to round-robin using single interface?
Hi!

I have a small network, connected by 2 ADSL connections, and want to load-share the connections. All examples of route-to round-robin that I have seen have used 2 separate interfaces, but as both my ADSL modems are on the same no-man's-land network, I have been (so far unsuccessfully) trying to do something like this:

    pass in on $int_if from $int_net \
        route-to { ($ext_if $isp1_gw), ($ext_if $isp2_gw) } \
        round-robin sticky-address

Is that supposed to work, or does route-to round-robin only work with 2 separate interfaces?

Appreciate any input...

Julf
Re: route-to round-robin using single interface?
Thanks for the reply, Daniel!

> AFAIK, it should work.

Good to have that confirmed, thanks!

> Can you ping $isp1_gw and $isp2_gw and arp -sn is showing two different
> entries for them?

From the firewall machine, yes, but not from machines on the internal network.

> What is the problem? All packets always go to $isp1_gw's MAC?

Seems packets just disappear. Might be that the return packets don't make it back - will have to set up a separate test system, as I can't fiddle with the firewall during daytime.

> Are you using multiple clients on $int_net?

Yes.

> Have you tried adding keep state(source-track global) and set timeout
> source-track and checked with pfctl -sS?

No, hadn't thought about that. Thanks - will have to try.

Julf
Re: route-to round-robin using single interface?
> AFAIK, it should work.

And it does :)

Turns out the problem had nothing to do with pf. For some reason one of the DSL routers (ZyXEL P-2601HN-F1) needed an explicit static return route, while the other (FRITZ!Box Fon WLAN 7360) didn't. Everything works fine after adding the return route.

Julf
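A complete pf.conf sketch of the setup discussed in this thread, added here as an illustration and not Julf's or Daniel's actual configuration: Julf's route-to rule on one external interface, Daniel's source-track suggestions, and the last-match-wins point from the redirection thread. Interface names, addresses and the timeout value are assumed placeholders.

```pf
# Added example, not code from the thread: a pf.conf sketch of the setup
# Julf describes (two ADSL gateways on the same segment as $ext_if),
# combining his route-to rule with Daniel's source-track suggestions.
# All interface names and addresses below are assumed placeholders.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
isp1_gw = "192.168.0.1"     # assumed address of the first DSL router
isp2_gw = "192.168.0.2"     # assumed address of the second DSL router

# Expire idle source-tracking entries (Daniel calls this "set timeout
# source-track"; the pf.conf keyword is src.track, value in seconds) so a
# client is not pinned forever to a gateway whose link has gone down.
set timeout src.track 600

# Hide the internal network behind the firewall's external address.
match out on $ext_if from $int_net to any nat-to ($ext_if)

block all

# Alternate new connections between the two gateways on the one external
# interface. sticky-address keeps one client on one gateway; source-track
# global makes the bindings visible with "pfctl -sS".
pass in on $int_if from $int_net to any \
    route-to { ($ext_if $isp1_gw), ($ext_if $isp2_gw) } \
    round-robin sticky-address \
    keep state (source-track global)

# Last matching rule wins (Karl's point in the redirection thread), so this
# later rule stops traffic for the modems' own segment being route-to'd.
pass in on $int_if from $int_net to $ext_if:network

# Let the forwarded packets, and the firewall's own traffic, leave.
pass out on $ext_if

# Not expressible in pf.conf: each DSL router still needs a return route
# for $int_net via the firewall, which was the actual fault in the thread.
```

After loading it, `pfctl -sS` lists which gateway each internal client is currently bound to, which is the quickest way to confirm the round-robin is actually alternating.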