Hi all,
I want to set up a service redirector with relayd and the reply-to
feature of pf.conf, but I have a problem: the reply-to pf rule is
matched, but there is no modification of the return traffic (the
firewall sends the reply to the default gateway and not to the gateway
forced in the reply-to).
I would like to know if it's a problem with my configuration files or a
bug? (I'm using OpenBSD 5.0, default kernel)

I've started with the example given on "Example 5: Service Redirector"
on this web page: https://calomel.org/relayd.html.

My firewall has 2 external interfaces: em1 (10.254.12.253/24) and
em4 (10.254.15.253/24). And in front of these interfaces I've got 2
routers (10.254.12.1@em1 and 10.254.15.2@em4).
There are carp interfaces simulating "virtual hosts" on these
external interfaces and relayd listens on these IPs (.6 on each
interface).

=> I don't know where client traffic comes from: this is why the
"reply-to" feature of pf is used here.
I'm using 10.254.15.2 as the default gateway on my firewall in my lab
for testing the reply-to, because my test client comes from the
10.254.12.1 router.

Regarding my internal interface em3 (10.254.12.253/24), there are only 2
web servers behind it: 10.254.13.4 and 10.254.13.5.
Relayd is used to load-balance traffic between them.

My relayd.conf and pf.conf are pretty simple:
-------
[root@fw1]~# cat /etc/relayd.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }
redirect www {
        listen on 10.254.12.6 port http interface em1
        listen on 10.254.15.6 port http interface em4
        match tag RELAYD
        forward to <web_srv> check http "/" code 200
}

[root@fw1]~# cat /etc/pf.conf
table <web_srv> { 10.254.13.4 10.254.13.5 }
anchor "relayd/*"
set skip on lo
pass out
block in log
# Relayd 'hack' for forcing reply-to
pass in log on em1 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em1 10.254.12.1)
pass in log on em2 inet proto tcp from any to <web_srv> port 80 flags S/SA synproxy state tagged RELAYD reply-to (em4 10.254.15.2)
-------
A client behind the router 10.254.12.1 that tries to access the virtual
server 10.254.12.6 (relayd) should have this forwarding path:
client => router (12.1) => em1 of fw (return traffic marked for
"reply-to" router 12.1 and not the default router) => www server
(.4 or .5)

And I've got this problem when I try to initiate a TCP connection from
a client (10.254.16.1) to the carp/relayd IP (10.254.12.6):

-------
[root@fw1]~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 14 17:33:57.323450 rule 3/(match) pass in on em1: 10.254.16.1.5838 > 10.254.12.6.80: S 2719125464:2719125464(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 3417046797[|tcp]> (DF)

[root@fw1]/etc# pfctl -R 3 -s rules
pass in log on em1 inet proto tcp from any to <web_srv> port = www flags S/SA synproxy state tagged RELAYD reply-to 10.254.12.1@em1

[root@fw1]/etc# tcpdump -i em4
tcpdump: listening on em4, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
17:33:57.323521 arp who-has 10.254.15.2 tell 10.254.15.253
17:33:57.323826 arp reply 10.254.15.2 is-at 08:00:27:6a:65:ee
17:33:57.323879 10.254.12.6.www > 10.254.16.1.5838: S 4148897738:4148897738(0) ack 2719125465 win 0 <mss 1460> (DF) [tos 0x10]
-------

=> The firewall sends the reply (relayd 10.254.12.6 to client
10.254.16.1) to its default gateway (on em4) and doesn't use its
"reply-to" rule.

How to fix that?

Thanks,

Olivier
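A small checker, added here and not part of Olivier's post, that correlates the pflog record of where a flow was passed in with an egress capture and flags replies that left on a different interface than the flow entered on. The sample lines are constructed from the captures quoted above (trimmed to the fields the parser uses, with the wrapped ack number joined); port names are normalized because the em4 capture was taken without -n.

```python
import re

# Constructed sample input, taken from the captures in the post.
PFLOG_LINES = [
    "Nov 14 17:33:57.323450 rule 3/(match) pass in on em1: "
    "10.254.16.1.5838 > 10.254.12.6.80: S 2719125464:2719125464(0) win 16384",
]
EGRESS_LINES = {
    "em4": [
        "17:33:57.323879 10.254.12.6.www > 10.254.16.1.5838: S "
        "4148897738:4148897738(0) ack 2719125465 win 0 <mss 1460> (DF) [tos 0x10]",
    ],
}
# reply-to gateways from the post's pf.conf: ingress interface -> gateway.
REPLY_TO = {"em1": "10.254.12.1", "em4": "10.254.15.2"}

PFLOG_RE = re.compile(r"pass in on (\w+): (\S+)\.(\w+) > (\S+)\.(\w+):")
PKT_RE = re.compile(r"^\S+ (\S+)\.(\w+) > (\S+)\.(\w+):")
PORT_NAMES = {"www": "80", "http": "80"}  # tcpdump without -n prints names

def port(p):
    return PORT_NAMES.get(p, p)

def flow_ingress(pflog_lines):
    """Map (client, cport, server, sport) -> interface the SYN was passed in on."""
    flows = {}
    for line in pflog_lines:
        m = PFLOG_RE.search(line)
        if m:
            iface, src, sp, dst, dp = m.groups()
            flows[(src, port(sp), dst, port(dp))] = iface
    return flows

def misrouted_replies(pflog_lines, egress_by_iface):
    """Replies seen leaving on an interface other than the flow's ingress one."""
    flows = flow_ingress(pflog_lines)
    findings = []
    for seen_iface, lines in egress_by_iface.items():
        for line in lines:
            m = PKT_RE.match(line)
            if not m:
                continue
            src, sp, dst, dp = m.groups()
            key = (dst, port(dp), src, port(sp))  # reversed: this is the reply
            ingress = flows.get(key)
            if ingress and ingress != seen_iface:
                findings.append({"flow": key, "ingress": ingress,
                                 "expected_gw": REPLY_TO.get(ingress),
                                 "seen_on": seen_iface})
    return findings

if __name__ == "__main__":
    for f in misrouted_replies(PFLOG_LINES, EGRESS_LINES):
        print(f"reply for {f['flow']} entered on {f['ingress']} "
              f"(reply-to {f['expected_gw']}) but left on {f['seen_on']}")
```

On the captures above it reports the single SYN-ACK that entered via em1 but left on em4, which is the symptom the post describes.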
