On Thu, May 04, 2006 at 01:46:59PM +0300, Hisham Mardam Bey wrote:
> I have an update on the situation. Here's what I did:
>
> [client]-->[loadbal]-->[my 2 backends]->[samba server]
Doing this with only one interface (and bouncing incoming packets out through the same interface) sounds like asking for a headache.

What happens in your case is that the pf box doesn't see the reply packets, i.e. it only sees one half of the connection (client to server). The state entries don't advance properly in this case, pf doesn't see the server advertise window sizes, etc. and starts to block packets from the client to the server.

The problem is similar to the one described on http://www.openbsd.org/faq/pf/rdr.html#reflect i.e. the server sends its replies directly to the client, as the client is on the same network and the server has learned its MAC address.

If you want to filter statefully, you have to make sure pf sees all packets (both directions) of connections. If and how that's possible in your case, is, well, YOUR headache. I'd not try bouncing packets out with a single interface setup, but use two interfaces, possibly bridging. ;)

Daniel
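As an added illustration (not from Daniel's mail or the original poster), here is a pf.conf fragment for the two-interface layout Daniel recommends, plus the FAQ's source-translation workaround for the single-interface case; interface names, addresses and the SMB port list are assumptions.

```conf
# Added example, not part of the original thread. Interface names,
# addresses and ports are assumptions (old pre-4.7 pf syntax, 2006 era).
ext_if   = "fxp0"                        # faces the clients
int_if   = "fxp1"                        # faces the two backends
backends = "{ 192.0.2.10, 192.0.2.11 }"  # assumed backend addresses
smb_ports = "{ 139, 445 }"               # SMB over TCP

# Two-interface layout: backends sit on their own subnet behind $int_if
# with the pf box as their default gateway, so every reply packet passes
# back through pf and the state entry sees both directions.
rdr on $ext_if proto tcp from any to $ext_if port $smb_ports \
    -> $backends round-robin sticky-address

block all
pass in  on $ext_if proto tcp from any to $backends port $smb_ports \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $backends port $smb_ports \
    keep state

# Single-interface workaround (the "reflection" case in the pf FAQ):
# also translate the source to the pf box's address so the backend has to
# answer via pf instead of replying straight to the client. The price is
# that the backends then log the pf box, not the client, as the peer.
# nat on $ext_if proto tcp from any to $backends port $smb_ports -> $ext_if
```

Check with `pfctl -s state` that each SMB connection shows ESTABLISHED:ESTABLISHED rather than sticking in a half-open state; a state that never advances is the symptom Daniel describes.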