I'm taking a stab in the dark here that someone can think of
something silly that I've overlooked. I've been working on a fairly
complex ruleset for a network of 10 vlans, all with CARP interfaces.
I finally realized after much chagrin that the old adage of "always
filter on the physical interface" doesn't necessarily apply when
you've got vlan(4) and carp(4) involved. After changing all of my
nat/binat translations to act on vlan0 (external) and my filter rules
to also filter on the vlan interfaces, almost everything is working.
For some reason, I have one vlan that simply refuses to pass traffic
*correctly*. I can confirm that the packets are being filtered by
the correct rules both inbound on the internal interface and outbound
on the external (pass in/out log ... keep state). I can also vouch
that the states are being created. However, for some reason, it
seems as though the system refuses to "honor" the returning packets.
For ping, it sees a few echo replies before issuing a "host
unreachable". For tcp, it acts as though the packets were lost and
simply retransmits. The only thing I can think of right now is that
perhaps it's because I'm filtering in all directions on all
interfaces, even though the state policy is left as floating. I
don't think this is relevant, however, since this behavior only
happens on a single network.
For the time being, I'm going to avoid posting the pf.conf. I know
this is a faux pas, but I'm terribly embarrassed to let anyone see it
at this point. Once I've re-introduced the anchors, perhaps. :)
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
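The setup the post describes, as an added pf.conf sketch that is not the poster's (withheld) ruleset; the interface names, the internal network and the carp-on-vlan layout are assumptions:

```pf
# Added example, not the poster's pf.conf. Names are assumed: vlan0 is the
# external vlan on the trunk, vlan10 one internal vlan, carp10 the shared
# address on that vlan (carpdev vlan10).
ext_if  = "vlan0"
int_if  = "vlan10"
int_net = "10.0.10.0/24"        # assumed internal network

set state-policy floating        # the poster's setting: states are not tied to one interface

# Translation is bound to the vlan interface, not the physical parent that
# carries the 802.1Q tags.
nat on $ext_if from $int_net to any -> ($ext_if)

block log all

# CARP advertisements travel on the vlan interface and must be passed there,
# or master/backup election on that vlan breaks.
pass quick on $int_if proto carp keep state

# Filter on the vlan interfaces; the carp interface only holds the address.
pass in  log on $int_if inet proto tcp  from $int_net to any flags S/SA keep state
pass out log on $ext_if inet proto tcp  from $int_net to any flags S/SA keep state
pass in  log on $int_if inet proto icmp from $int_net to any keep state
pass out log on $ext_if inet proto icmp from $int_net to any keep state
```

To confirm what the post reports, `pfctl -ss` lists the states that were created and `pfctl -si` shows the state-mismatch counter, which grows when a packet finds a state but does not fit it.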