I have set up a load-balancing PF (on a NetBSD kame box, but that hopefully won't affect anything) and have two IPs I'm redirecting ports from. The first connection is a T1 and the second is an unrelated DSL.
This thread may be of use: http://narcolepsy.benzedrine.cx/pf/msg02146.html
Internal:
sip0: LAN 192.168.0.1/24
External:
sip1: WAN 123.123.123.123/32, gw: 123.123.123.1 (T1)
sip2: WAN 234.234.234.234/32, gw: 234.234.234.1 (DSL)
I have our domain name pointing at the T1's IP, and I would like my computers on the local subnet to be able to connect to the external ports on the domain name (so when I take a laptop home, I don't have to change IMAP servers, etc.). Things are fine when pf redirects me out the T1's outbound connection, but very frequently it will redirect me out the DSL's connection, and it times out while trying to reach the T1's IP.
The subnet clients are bouncing toward the T1 just to get to a _local_ webserver? You may want to investigate internal DNS, or the other options mentioned here: http://www.openbsd.org/faq/pf/rdr.html#reflect
Immediate workaround: use a specific route-to rule for the T1 address on $int_if.
One thing I have noticed is that traceroutes appear to totally bypass the pf machine: the first hop I see is either 123.123.123.1 or 234.234.234.1.
Any ideas on how to fix this?
When pf routes packets, it doesn't decrement the TTL. No workarounds that I'm aware of.
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any
Lack of "keep state" seems like a possible issue here.
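An added pf.conf fragment (not the poster's ruleset) that puts the thread's suggestions together: the reflection approach from the FAQ link, the specific route-to rule for the T1 address on $int_if, and keep state on the balancing rule. Macros use the thread's placeholder addresses; the IMAP server address 192.168.0.10 and port 143 are constructed for illustration.

```pf
# Added example, not the original poster's ruleset. Addresses follow the
# thread's placeholders; imap_srv and port 143 are constructed.
int_if   = "sip0"
ext_if1  = "sip1"
ext_if2  = "sip2"
ext_ip1  = "123.123.123.123"    # T1 address the domain name resolves to
ext_gw1  = "123.123.123.1"
ext_gw2  = "234.234.234.1"
lan_net  = "192.168.0.0/24"
imap_srv = "192.168.0.10"

# NAT on each uplink: route-to chooses the outgoing interface, nat makes
# the source address match that uplink so replies can come back.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Inbound redirect for the published service, as seen from the Internet.
rdr on $ext_if1 proto tcp from any to $ext_ip1 port 143 -> $imap_srv

# Reflection (FAQ rdr.html#reflect): LAN clients using the public name are
# redirected straight to the internal server, and their source is rewritten
# to the firewall so the server's replies come back through pf.
rdr on $int_if proto tcp from $lan_net to $ext_ip1 port 143 -> $imap_srv
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $imap_srv port 143 -> $int_if

# pf keeps the LAST matching rule unless "quick" is set, so the exceptions
# below must be quick and must come before the round-robin rule.

# Traffic to the firewall itself or to other LAN hosts (including the
# reflected IMAP connections) must never be handed to an uplink gateway.
pass in quick on $int_if proto tcp from $lan_net to { $int_if, $lan_net } keep state

# Immediate workaround from the thread: anything else aimed at the T1
# address always leaves via the T1 gateway, never the DSL.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    proto tcp from $lan_net to $ext_ip1 keep state

# Remaining outbound TCP is balanced across both uplinks; keep state binds
# each connection to the uplink it was started on.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any keep state

# Packets sourced from one uplink's address must leave via that uplink's
# gateway even if the kernel routing table prefers the other one.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows which uplink each state was bound to.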
