On 14 Sep 2017, at 16:21, Dave Cottlehuber wrote:
> Outgoing traffic (from a jail) via PF NAT over a LAGG/LACP sometimes has
> the *backup* CARP IP address assigned to it.
>
> ###############################
> ######## running configs ######
>
> pfctl indeed shows it's a round-robin
>
> ###############################
> #  pfctl -vnf /etc/pf.conf
> protocols = "{ tcp, udp, icmp }"
> extl_if = "lagg0"
> intl_if = "lo0"
> jail_if = "lo1"
> intl_net = "lo0:network"
> jail_net = "lo1:network"
> internet = "lagg0:network"
> set limit states 200000
> set limit frags 80000
> set limit src-nodes 80000
> set timeout adaptive.start 180000
> set timeout adaptive.end 200000
> scrub in all fragment reassemble
> nat on lagg0 inet proto tcp from 10.241.0.0/16 to any -> (lagg0) round-robin
> nat on lagg0 inet proto tcp from 10.241.0.1 to any -> (lagg0) round-robin

I think this is your problem. You’re telling pf to nat to the IP address of lagg0, but lagg0 has multiple addresses assigned.

‘(lagg0:0)’ should work, or just use the IP address.

Regards,
Kristof
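A small audit script for the pattern Kristof describes, added here as an example and not part of the original thread: it parses `pfctl -vnf` rule output and `ifconfig` output (both constructed samples below, with RFC 5737 placeholder addresses rather than values from the mail) and flags nat rules whose translation target is a bare `(ifname)` on an interface that carries more than one IPv4 address, the situation in which round-robin can hand out the backup CARP address. Rules using `(ifname:0)` or a literal address are left alone.

```python
import re

# Constructed sample input modelled on the thread (addresses are RFC 5737 placeholders,
# not values from the mail): rule 1 is the pattern Kristof flags, rule 2 uses "(lagg0:0)".
PF_RULES = """\
nat on lagg0 inet proto tcp from 10.241.0.0/16 to any -> (lagg0) round-robin
nat on lagg0 inet proto tcp from 10.241.0.1 to any -> (lagg0:0) round-robin
nat on lagg0 inet proto udp from 10.241.0.0/16 to any -> 192.0.2.10
"""
IFCONFIG = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.20 netmask 0xffffffff broadcast 192.0.2.20 vhid 20
        carp: BACKUP vhid 20 advbase 1 advskew 100
"""

# A target written as "(ifname)" expands to every address on ifname; ":0" keeps only the first.
TARGET_RE = re.compile(r"->\s+\((?P<ifname>[a-z0-9_.]+)(?P<first_only>:0)?\)")
INET_RE = re.compile(r"^\s+inet\s+(?P<addr>\d+\.\d+\.\d+\.\d+)(?P<rest>.*)$")

def parse_ifconfig(text):
    """Map interface name -> list of (IPv4 address, is_carp) from ifconfig output."""
    addrs, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # "lagg0: flags=..." starts an interface
            current = line.split(":", 1)[0]
            addrs.setdefault(current, [])
        elif current is not None:
            m = INET_RE.match(line)
            if m:                                    # "vhid" on the inet line marks a CARP address
                addrs[current].append((m.group("addr"), "vhid" in m.group("rest")))
    return addrs

def check_nat_rules(pf_text, ifconfig_text):
    """Return nat rules whose target is a bare (ifname) on an interface with >1 IPv4 address."""
    addrs = parse_ifconfig(ifconfig_text)
    findings = []
    for lineno, rule in enumerate(pf_text.splitlines(), 1):
        m = TARGET_RE.search(rule) if rule.startswith("nat ") else None
        if m is None or m.group("first_only"):
            continue  # literal address, or "(ifname:0)": a single translation address
        iface_addrs = addrs.get(m.group("ifname"), [])
        if len(iface_addrs) > 1:
            findings.append({"line": lineno, "rule": rule,
                             "addresses": [a for a, _ in iface_addrs],
                             "carp": [a for a, is_carp in iface_addrs if is_carp]})
    return findings

if __name__ == "__main__":
    print(check_nat_rules(PF_RULES, IFCONFIG))
```

On a real host, feed it the output of `pfctl -vnf /etc/pf.conf` and `ifconfig` instead of the embedded samples.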
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"