On Sun, May 17, 2009 at 3:38 PM, Stuart Henderson <[email protected]> wrote:

> On 2009-05-17, Felipe Alfaro Solana <[email protected]> wrote:
> >
> > The problem with incorrectly-sourced IP datagrams seems to be NAT:
> >
> > nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin
> >
> > This rule is created as:
> >
> > nat on $ext_if from $int_if:network to any -> ($ext_if)
> >
> > I understand the problem is the (vr2) round-robin. I have no idea, however,
> > how to prevent PF from using the two IP addresses (the public IP and the IP
> > alias). Any ideas how to force NAT to only use 1 IP address (the public IP
> > address)?
>
> (vr2:0)
>

Yes and no. The problem seems to be in dhclient-script. Somehow, it has a
funky behavior that leads to what I described above: the IP alias becomes the
primary address and the public IP address becomes a secondary address. If I
"hack" dhclient-script to always keep the IP alias a secondary address then
using (vr2:0) works.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/

