On Sun, May 17, 2009 at 3:52 PM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> On Sun, May 17, 2009 at 01:38:07PM +0000, Stuart Henderson wrote:
> > On 2009-05-17, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> > >
> > > The problem with incorrectly-sourced IP datagrams seems to be NAT:
> > >
> > > nat on vr2 inet from 172.16.0.1/24 to any -> (vr2) round-robin
> > >
> > > This rule is created as:
> > >
> > > nat on $ext_if from $int_if:network to any -> ($ext_if)
> > >
> > > I understand the problem is the (vr2) round-robin. I have no idea, however,
> > > how to prevent PF from using the two IP addresses (the public IP and the IP
> > > alias). Any ideas how to force NAT to only use 1 IP address (the public IP
> > > address)?
> >
> > (vr2:0)
> >
>
> May not work correctly when an address is reassigned because of the way
> how ifconfig vr0 delete works. It can happen that after a lease refresh
> the two networks are shuffled and so (vr2:0) may get the wrong address.

I think I found the root cause and fixed it:

--- /etc/dhclient-script Sun May 17 13:30:02 2009 +++ /sbin/dhclient-script Sat Feb 28 22:33:05 2009 @@ -182,6 +182,8 @@ delete_old_address delete_old_routes fi + # XXX Why add alias we just deleted above? + add_new_alias if [ -f /etc/resolv.conf.save ]; then cat /etc/resolv.conf.save > /etc/resolv.conf fi

this seems to avoid the problem where the addresses get shuffled and the alias becomes the primary but, honestly, I'm not entirely sure why.

--
http://www.felipe-alfaro.org/blog/disclaimer/
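Review bot: the file headers are in the opposite order from the fix being described. `---` is /etc/dhclient-script (dated May 17) and `+++` is /sbin/dhclient-script (dated Feb 28), so the two `+` lines after `fi` (the XXX comment and `add_new_alias`) read as additions, when the edited copy appears to be the one that drops them. Applied as posted, this would put the `add_new_alias` call in rather than take it out. Regenerate it with the /sbin file first and the /etc file second (`diff -u /sbin/dhclient-script /etc/dhclient-script`) so the call shows as a `-` line. The hunk context also does not show which branch of the script this `fi` closes, so a sentence naming the case in which `add_new_alias` is being skipped, and why that is safe right after `delete_old_address`, would help whoever picks this up.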