On 5/4/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
Thanks a lot for the info Daniel.
> > I have an update on the situation. Here's what I did:
> >
> > [client]-->[loadbal]-->[my 2 backends]->[samba server]
>
> Doing this with only one interface (and bouncing incoming packets out through the same interface) sounds like asking for a headache.
Indeed, and it is. (=
> What happens in your case is that the pf box doesn't see the reply packets, i.e. it only sees one half of the connection (client to server). The state entries don't advance properly in this case, pf doesn't see the server advertise window sizes, etc., and starts to block packets from the client to the server. The problem is similar to the one described on http://www.openbsd.org/faq/pf/rdr.html#reflect, i.e. the server sends its replies directly to the client, as the client is on the same network and the server has learned its MAC address.
That makes a lot of sense and explains a lot of the problems.
> If you want to filter statefully, you have to make sure pf sees all packets (both directions) of connections. If and how that's possible in your case is, well, YOUR headache. I'd not try bouncing packets out with a single interface setup, but use two interfaces, possibly bridging. ;)
I was thinking about something of the sort. How would I be able to use the bridge to redirect the packets though? The clients need to see a single IP as their gateway, say 172.16.2.1, and when they send packets towards that gateway, it needs to load balance their requests. If we have a bridge, how would it act and what exactly would it do?

-- 
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
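A routed two-interface pf configuration of the kind Daniel recommends, as an added example that is not from this thread or from the pf project: the clients and the backends sit on separate interfaces of the pf box, so every reply has to pass back through it and each state entry sees both halves of the connection. The interface names (fxp0, fxp1), the backend segment 172.16.3.0/24 with its addresses, and the use of TCP port 445 for the Samba traffic are assumptions; 172.16.2.1 is the gateway address the clients see, as described in the thread.

```pf
# Added example, not from the thread. fxp0/fxp1, the 172.16.3.0/24 backend
# segment, the backend addresses and port 445 are assumptions; 172.16.2.1 is
# the gateway address the clients use, as stated in the thread.
int_if   = "fxp0"              # client side, pf box has 172.16.2.1 here
srv_if   = "fxp1"              # backend side, pf box has 172.16.3.1 here
lan_net  = "172.16.2.0/24"
backends = "{ 172.16.3.11, 172.16.3.12 }"

# Default deny; the rules below open only the load-balanced path.
block all

# Connections from the clients to the gateway address are rewritten to one
# of the backends, alternating between them. Translation runs before
# filtering, so the pass rules match the translated destination.
rdr on $int_if proto tcp from $lan_net to 172.16.2.1 port 445 -> $backends round-robin

# Client -> backend: create state on the initial SYN only, then let the
# translated packet leave on the backend-side interface.
pass in  on $int_if proto tcp from $lan_net to $backends port 445 flags S/SA keep state
pass out on $srv_if proto tcp from $lan_net to $backends port 445 keep state

# Backend -> client replies arrive on $srv_if and are matched by the state
# entries created above, which is what lets pf see both directions and keep
# the sequence and window tracking in step.
```

For this to work the backends must reach 172.16.2.0/24 only through 172.16.3.1 (an assumed address for the pf box on the backend segment); any other path from a backend to the client network lets replies bypass pf, and the state entries stall in exactly the way described above. Watching `pfctl -ss` for entries that stay in an intermediate TCP state rather than reaching ESTABLISHED is a quick way to confirm whether pf is seeing the return traffic.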
