In doing round-robin on two egress connections on 4.6, I am expecting all
outgoing connections from a single IP to be redirected to the same
redirection address, but this is not what's happening. In the details
below, LAN client 172.16.0.101 is being redirected out both redirection
addresses, with four established TCP states to one redirection address and
one established TCP state to the other, which I thought was not possible
with sticky-address.
Relevant pf.conf snippets:
pass in log on vr0 route-to { (vr1 72.x.y.z), (vr2 192.168.1.254) } round-robin sticky-address inet from any to ! 172.16.0.1 flags S/SA keep state
pass in log on vr0 route-to { (vr1 72.x.y.z), (vr2 192.168.1.254) } round-robin sticky-address inet proto tcp from any to ! 172.16.0.1 port = ssh flags S/SA keep state tag interac
...
pass out log on vr2 all flags S/SA keep state queue vr2_interac tagged interac
pass out log on vr2 route-to (vr1 72.x.y.z) inet from 72.x.y.z to any flags S/SA keep state
pass out log on vr1 all flags S/SA keep state queue vr1_interac tagged interac
pass out log on vr1 route-to (vr2 192.168.1.254) inet from 192.168.1.65 to any flags S/SA keep state
# pfctl -s states | grep ESTABLISHED
all tcp 76.x.y.z:5050 <- 172.16.0.101:55367 ESTABLISHED:ESTABLISHED
all tcp 72.x.y.z:55812 (172.16.0.101:55367) -> 76.x.y.z:5050 ESTABLISHED:ESTABLISHED
all tcp 68.x.y.z:443 <- 172.16.0.101:55372 ESTABLISHED:ESTABLISHED
all tcp 72.x.y.z:53949 (172.16.0.101:55372) -> 68.x.y.z:443 ESTABLISHED:ESTABLISHED
all tcp 208.x.y.z:80 <- 172.16.0.101:58751 ESTABLISHED:ESTABLISHED
all tcp 72.x.y.z:54337 (172.16.0.101:58751) -> 208.x.y.z:80 ESTABLISHED:ESTABLISHED
all tcp 216.x.y.z:80 <- 172.16.0.101:55699 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.65:55021 (172.16.0.101:55699) -> 216.x.y.z:80 ESTABLISHED:ESTABLISHED
all tcp 74.x.y.z:80 <- 172.16.0.101:59518 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.65:53237 (172.16.0.101:59518) -> 74.x.y.z:80 ESTABLISHED:ESTABLISHED
# pfctl -s Sources
172.16.0.101 -> 72.x.y.z ( states 2, connections 1, rate 0.0/0s )
172.16.0.101 -> 72.x.y.z ( states 2, connections 2, rate 0.0/0s )
172.16.0.101 -> 192.168.1.254 ( states 1, connections 1, rate 0.0/0s )
I would appreciate it if someone would clue me in to what I'm missing and how to
troubleshoot or fix this.
Thank you.