I got that snippet from the pf book. What should I change it to?

On Tue, Nov 18, 2008 at 4:32 AM, Marco Pfatschbacher <[EMAIL PROTECTED]> wrote:
> On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote:
>> Yay! I got ssh and http to work on the CARP interface. Thanks.
>>
>> However, the httpd redirect is not working just yet on the CARP
>> interface for one of the computers. Does IP balancing mess up
>> redirect?
>
> Well, that depends.
> IP balancing computes a commutative hash of the source and destination
> IP to decide which node accepts the packet.
> If you do a rdr, you modify the destination, thus the hash is
> different and the returning packet might end up on another node,
> which has no knowledge about the pf-NAT state.
>
> However, if you also NAT the outgoing packet to an address that
> belongs to one node only, you'll get the reply.
> That of course means that you won't have the client's original IP
> address for your apache access logs.
>
> IP balancing is no silver bullet.
> I designed it as a simple solution to build a cluster of load
> balanced servers without the need for a separate load balancer.
> A pf pair with no nat/rdr is also easy to build. Translation is hard.
>
>> Here's my current pf.conf:
> [...]
>> # Basic CARP/pfsync pass rules
>> pass on $carpdevs proto carp keep state
>
>      this ^^^ is still wrong, btw. But your other rules seem to cover
>      that traffic already anyway.
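
A constructed model of the balancing argument in the reply above (added here; it is not pf's code, uses a toy hash rather than OpenBSD's real one, and all addresses, node names and the backend are made up): it shows that an untranslated reply hashes to the same node as its request, that rdr changes the hash input so the reply can land on the node without the state, and that nat'ing the outgoing packet to a node-owned address takes the reply out of balancing altogether.

```python
import hashlib
import ipaddress

# Constructed model of CARP IP balancing (toy hash, not OpenBSD's real one).
NODES = ("node-a", "node-b")
# Each node's own (non-shared) address; packets sent to it bypass balancing.
NODE_ADDRS = {"node-a": "192.0.2.11", "node-b": "192.0.2.12"}

def balance_node(src, dst, nodes=NODES):
    """Node that accepts a packet: a commutative hash of (src, dst), so the
    reply (addresses swapped) lands on the same node as the request."""
    lo, hi = sorted(int(ipaddress.ip_address(a)) for a in (src, dst))
    digest = hashlib.sha256(f"{lo}:{hi}".encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]

def reply_node_plain(client, vip, backend=None):
    """No rdr: request is (client->vip), reply is (vip->client)."""
    return balance_node(client, vip), balance_node(vip, client)

def reply_node_rdr(client, vip, backend):
    """rdr only: the state node takes (client->vip) and rewrites dst to the
    backend; the reply is (backend->client), a different hash input."""
    return balance_node(client, vip), balance_node(backend, client)

def reply_node_rdr_nat(client, vip, backend):
    """rdr plus nat to the state node's own address: the backend answers
    that node alone, so balancing never sees the reply (the cost is that
    the backend logs the node's address instead of the client's)."""
    state_node = balance_node(client, vip)
    reply_dst = NODE_ADDRS[state_node]          # what the backend replies to
    owner = next(n for n, a in NODE_ADDRS.items() if a == reply_dst)
    return state_node, owner

def count_lost_replies(path, vip="203.0.113.10", backend="10.0.0.5", n=64):
    """Replies that return to a node without the state, over n clients."""
    lost = 0
    for i in range(n):
        client = str(ipaddress.ip_address("198.51.100.0") + i)
        state_node, reply_node = path(client, vip, backend)
        lost += state_node != reply_node
    return lost

if __name__ == "__main__":
    for path in (reply_node_plain, reply_node_rdr, reply_node_rdr_nat):
        print(f"{path.__name__:19s} lost replies: {count_lost_replies(path)}/64")
```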
