RE: Problem with NAT/RDR in PF
Michael K. Smith - Adhost [EMAIL PROTECTED] wrote:

> Hello Catalin:
>
> > Michael Smith wrote:
> >
> > > On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
> > >
> > > > Michael Smith wrote:
> > > >
> > > > > Hello All:
> > > > >
> > > > > I am trying to configure a round-robin group of Name Servers that respond on to and from a single address. I want the following to occur:
> > > > >
> > > > > 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a pool of name servers
> > > > > 2) One of the name servers responds to the query
> > > > > 3) The response shows a source address of 10.212.1.1, not the actual name server
> >
> > Hello Mike,
> >
> > If I understand correctly your environment I think you should change the NAT rule from:
> >
> >     nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
> >
> > to:
> >
> >     nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
> >
> > Let us know if this is solving the issue.
>
> I'm still seeing the same issue. Here's the output from pfctl -sa | grep 10.212.1.1
>
>     nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
>     rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
>     rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
>     vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108       NO_TRAFFIC:SINGLE
>
> It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The 10.212.1.1 address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?
>
> Regards,
>
> Mike

Hello Mike,

Ok, I understand better now. I saw that DNS queries are going to an IP address located in the $vlan821 range. Is it possible to make queries to an IP within the $vlan6 range? May I suggest adding another IP from 12.211.1.x on the $vlan6 interface, or use the interface IP and send queries to it? If it is possible then your rules should look like this:

    nat on $vlan6_if from $nr_net to $mail_net -> 10.211.1.x
    rdr on $vlan6_if proto { udp tcp } from any to 10.211.1.x port 53 -> <nr_roundrobin> round-robin

I'm also using PF load-balancing rules and they have been working fine for me for more than 1 year. However, the drawback is that PF is not polling your remote systems to check if the service is available. It will keep sending packets to that one until you manually remove the IP from the round-robin table. One workaround is to create a script and run it from cron that will check for service availability and remove/add the IP to the round-robin table as required.

Let me know if the above solution solves your issue.

BR,
Catalin

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
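The cron workaround Catalin describes, written out as an added example (this is not code from the thread or from any of its posters): a POSIX sh script that probes each name server with dig and adds or removes it from the PF table the rdr rule balances over, and that prints the pf.conf fragment it expects to be loaded. The table name nr_roundrobin, the front address 10.212.1.1 and the $vlan6_if macro are taken from the thread; the pool members 10.212.1.11-13, the probe zone example.com and the "pass" rule are assumptions for illustration. The probe is passed in as a function so the decision logic can be exercised without real name servers or a running PF.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven health check that
# keeps a PF round-robin table of name servers in sync with which servers
# actually answer. Run as "sh nscheck.sh run" from cron every minute.
# Assumptions (not from the thread): pool members, probe zone, the $vlan6_if
# macro and the pass rule are placeholders; "dig" is in the path.

TABLE="${TABLE:-nr_roundrobin}"                      # table name used in the thread
FRONT_IP="${FRONT_IP:-10.212.1.1}"                   # the single address clients query
POOL="${POOL:-10.212.1.11 10.212.1.12 10.212.1.13}"  # assumed name servers behind it
PROBE_NAME="${PROBE_NAME:-example.com.}"             # assumed zone the pool serves

# The pf.conf fragment (pre-4.7 nat/rdr syntax, as on FreeBSD in 2007) this
# script expects to be loaded. Replies to redirected queries are reverse-
# translated by the rdr state, so clients see them coming from FRONT_IP,
# provided the replies pass back through the same firewall.
pf_rules() {
  cat <<EOF
table <$TABLE> persist { $POOL }
rdr on \$vlan6_if proto { udp tcp } from any to $FRONT_IP port 53 -> <$TABLE> round-robin
pass in on \$vlan6_if proto { udp tcp } from any to <$TABLE> port 53 keep state
EOF
}

# Return 0 if the server answers an SOA query for PROBE_NAME within 2 s.
# dig exits 9 on "no servers could be reached", which is the case to catch.
probe_ns() {
  dig +short +time=2 +tries=1 "@$1" "$PROBE_NAME" soa >/dev/null 2>&1
}

# Current table members, one per line (pfctl indents each entry).
current_members() {
  pfctl -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//'
}

# in_list ITEM NEWLINE_SEPARATED_LIST: exact, fixed-string match.
in_list() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# plan_changes "ip ip ip" "member<newline>member" PROBE_FUNC
# Emits "add IP" / "del IP" lines so the table mirrors the probe results.
plan_changes() {
  servers=$1; members=$2; probe=$3
  for s in $servers; do
    if "$probe" "$s"; then
      if ! in_list "$s" "$members"; then echo "add $s"; fi
    else
      if in_list "$s" "$members"; then echo "del $s"; fi
    fi
  done
  return 0
}

# Apply the plan with pfctl. "persist" keeps the table defined even when
# every member has been removed, so the ruleset never needs reloading.
apply_changes() {
  while read -r action ip; do
    case $action in
      add) pfctl -t "$TABLE" -T add "$ip" ;;
      del) pfctl -t "$TABLE" -T delete "$ip" ;;
    esac
  done
}

main() {
  plan_changes "$POOL" "$(current_members)" probe_ns | apply_changes
}

if [ "${1:-}" = "run" ]; then main; fi
```

One consequence worth noticing before putting this in cron: if every server fails the probe (or the probe host itself loses connectivity), the table empties and queries to the front address have nowhere to go. An operator who would rather keep a possibly-degraded server than none at all can refuse to emit the last "del" when the table would become empty.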
Re: Problem with NAT/RDR in PF
Michael Smith [EMAIL PROTECTED] wrote:

> On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
>
> > Michael Smith wrote:
> >
> > > Hello All:
> > >
> > > I am trying to configure a round-robin group of Name Servers that respond on to and from a single address. I want the following to occur:
> > >
> > > 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a pool of name servers
> > > 2) One of the name servers responds to the query
> > > 3) The response shows a source address of 10.212.1.1, not the actual name server
> >
> > I know this does not answer your question, but, what's the point? DNS isn't exactly the kind of task that knocks over a server. If you want redundancy, then the correct way to do it is to add NS entries to your zone files. I simply let my register transfer the zone file daily, works fine. If you need to update the zone file regularly just reduce the max age of the zone.
>
> Hello Erik:
>
> Well, aside from doing a *lot* of queries, it's nice to have a single IP address fronting a set of servers so I can pull one out for maintenance at any time and it doesn't affect name resolution for the clients.
>
> Mike

Hello Mike,

If I understand correctly your environment I think you should change the NAT rule from:

    nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1

to:

    nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1

Let us know if this is solving the issue.

BR,
Catalin
RE: Problem with NAT/RDR in PF
Hello Catalin:

<snip>

> Michael Smith [EMAIL PROTECTED] wrote:
>
> > On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
> >
> > > Michael Smith wrote:
> > >
> > > > Hello All:
> > > >
> > > > I am trying to configure a round-robin group of Name Servers that respond on to and from a single address. I want the following to occur:
> > > >
> > > > 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a pool of name servers
> > > > 2) One of the name servers responds to the query
> > > > 3) The response shows a source address of 10.212.1.1, not the actual name server
>
> <snip>
>
> Hello Mike,
>
> If I understand correctly your environment I think you should change the NAT rule from:
>
>     nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
>
> to:
>
>     nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
>
> Let us know if this is solving the issue.

I'm still seeing the same issue. Here's the output from pfctl -sa | grep 10.212.1.1

    nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
    rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
    rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
    vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108       NO_TRAFFIC:SINGLE

It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The 10.212.1.1 address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?

Regards,

Mike
Re: Problem with NAT/RDR in PF
Michael Smith wrote:

> > I simply let my register transfer the zone file daily, works fine. If you need to update the zone file regularly just reduce the max age of the zone.
>
> Hello Erik:
>
> Well, aside from doing a *lot* of queries, it's nice to have a single IP address fronting a set of servers so I can pull one out for maintenance at any time and it doesn't affect name resolution for the clients.

Well, if you search google for "pf round robin load balance" you will find this first:

http://www.openbsd.org/faq/pf/pools.html

There is an example of how to do just what you want, although they use a web server in the example.

Cheers, Erik

-- 
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
Re: Problem with NAT/RDR in PF
Michael Smith wrote:

> Hello All:
>
> I am trying to configure a round-robin group of Name Servers that respond on to and from a single address. I want the following to occur:
>
> 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a pool of name servers
> 2) One of the name servers responds to the query
> 3) The response shows a source address of 10.212.1.1, not the actual name server

I know this does not answer your question, but, what's the point? DNS isn't exactly the kind of task that knocks over a server. If you want redundancy, then the correct way to do it is to add NS entries to your zone files. I simply let my register transfer the zone file daily, works fine. If you need to update the zone file regularly just reduce the max age of the zone.

Cheers, Erik

-- 
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
Re: Problem with NAT/RDR in PF
On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:

> Michael Smith wrote:
>
> > Hello All:
> >
> > I am trying to configure a round-robin group of Name Servers that respond on to and from a single address. I want the following to occur:
> >
> > 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a pool of name servers
> > 2) One of the name servers responds to the query
> > 3) The response shows a source address of 10.212.1.1, not the actual name server
>
> I know this does not answer your question, but, what's the point? DNS isn't exactly the kind of task that knocks over a server. If you want redundancy, then the correct way to do it is to add NS entries to your zone files. I simply let my register transfer the zone file daily, works fine. If you need to update the zone file regularly just reduce the max age of the zone.

Hello Erik:

Well, aside from doing a *lot* of queries, it's nice to have a single IP address fronting a set of servers so I can pull one out for maintenance at any time and it doesn't affect name resolution for the clients.

Mike