Re: nat-to random : A couple of questions

2019-04-29 Thread Stuart Henderson
On 2019-04-28, Rachel Roch wrote:
> Hi,
>
> I've read the delightful manual but it's a little terse in this area, so I 
> hope some knowledgeable soul can enlighten me:
>
> 1) Looking at tcpdumps, I've noticed (on 6.5; I have no prior experience with 
> nat-to random to compare against) that 'random' seems to operate more like 
> 'round-robin' (e.g. if I send traffic, pause, send traffic again it just 
> loops through the IP pool in order). 

Unsure about this.

> 2) I'm unclear when 'sticky-address' should be appended to random? In my 
> mind I'm thinking about, say, "secure websites" which may track your 
> (apparent) source IP during the time you are logged in, and if it changes you 
> could be booted out. Or am I overthinking things and 'sticky-address' is 
> potentially less useful than I think it might be?

Yes this is definitely still a problem in some cases. In particular some banks
(and some other sites) restrict sessions to a single source IP.

> Finally, is there any reason why there isn't (yet?) a more intelligent 
> mapping? (e.g. similar to the options in LACP ... e.g. source plus 
> destination, not just source).

I've not seen that suggested before. I imagine tracking source+destination
would be a huge drain on memory though (and might not help in many situations
which want a "sticky" address)..




Re: nat-to random : A couple of questions

2019-04-29 Thread Bohdan Tashchuk
> 1) Looking at tcpdumps, I've noticed (on 6.5 have no prior experience
> with nat-to random to compare against) that 'random' seems to operate
> more like 'round-robin'

I can't speak to the rest of your questions. But I can share something
about a very similar issue. A few releases ago I ran into this same
bug, not with nat-to, but with rdr-to. I haven't confirmed this
behavior in the most recent release.

I am keeping locally generated ntp traffic from going out to Apple's
internet ntp servers, instead serving them locally from my OpenBSD
firewall. I use a pf configuration something like this:

   pass in quick on $iif proto udp from any to "17.0.0.0/8" port ntp \
       rdr-to "127.17.42.0/28" random

My local ntpd listens on those 16 ports. Here are some comments
from my pf.conf which summarize why, at least for me, round robin
behavior is better than random:

# Note that rdr-to with CIDR target address only works with random
# keyword, and behaves like round-robin. With all other keywords the
# target address is borked, behaving like 0.0.0.0, 0.0.0.1, 0.0.0.2,
# etc.
# However, rdr-to with a 16-entry table target, 16 distinct addresses,
# works correctly in all modes, random is truly random. N.B. we
# definitely don't want truly random, because it sometimes results
# in duplicate target addresses, which causes lost reply packets.


A restatement of the above pf file comment:

1) for rdr-to, for CIDR target addresses, only "random" works.
All other modes are borked. "random" behaves like "round-robin".

2) for rdr-to, when the target address is a table, all modes work.
"random" is truly random.

3) for some setups, truly random target addresses will cause
creation of duplicate target addresses. That's bad, because some
replies will be lost.


In conclusion:

Are you sure you really need random behavior for your application?
Depending on what you are doing, round-robin may actually be better!
You didn't post your pf configuration so I don't know what you're
trying to do.

I hope you can glean something from my rdr-to issue to help you
with your nat-to issue.
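As an added illustration (not code from this thread and not pf's own implementation): a small Python model of the pool modes discussed above, run over the 16-address /28 from the rdr-to rule with a constructed set of 16 concurrent NTP clients. It shows why a truly random pick lands two clients on the same target almost every time, while round-robin never does, and how a sticky mapping keeps one client on one address. The hash key and client list are assumptions for the demo.

```python
import hashlib
import ipaddress
import random

# The 16-address rdr-to target from the post (network and broadcast included,
# as a CIDR pool expands to every address in the block).
POOL = [str(a) for a in ipaddress.ip_network("127.17.42.0/28")]

# Constructed: 16 clients hitting the NTP redirect at the same time.
SOURCES = [f"10.0.0.{i}:{40000 + i}" for i in range(16)]


class PoolSelector:
    """Illustrative model of pf pool modes; not pf's real algorithm."""

    def __init__(self, pool, key=b"constructed-demo-key"):
        self.pool = list(pool)
        self.key = key          # assumed: stand-in for a source-hash key
        self.rr = 0             # round-robin cursor
        self.sticky_map = {}    # source -> address, for sticky-address

    def round_robin(self, src):
        addr = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        return addr

    def random_pick(self, src, rng=random):
        return rng.choice(self.pool)

    def source_hash(self, src):
        h = hashlib.sha256(self.key + src.encode()).digest()
        return self.pool[int.from_bytes(h[:4], "big") % len(self.pool)]

    def sticky(self, src, mode):
        # sticky-address: reuse whatever the mode picked the first time.
        if src not in self.sticky_map:
            self.sticky_map[src] = mode(src)
        return self.sticky_map[src]


def duplicate_rate(selector, mode, sources, trials=200):
    """Fraction of trials in which two sources share one target address
    (the 'lost reply' case from the post)."""
    hits = 0
    for _ in range(trials):
        selector.rr = 0
        picks = [mode(s) for s in sources]
        hits += len(picks) != len(set(picks))
    return hits / trials
```

With 16 targets and 16 simultaneous clients the chance that a random pick yields no collision is roughly 16!/16^16, about one in a million, so the rate for `random_pick` sits at 1.0 while `round_robin` stays at 0.0.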



nat-to random : A couple of questions

2019-04-28 Thread Rachel Roch
Hi,

I've read the delightful manual but it's a little terse in this area, so I hope 
some knowledgeable soul can enlighten me:

1) Looking at tcpdumps, I've noticed (on 6.5; I have no prior experience with 
nat-to random to compare against) that 'random' seems to operate more like 
'round-robin' (e.g. if I send traffic, pause, send traffic again it just loops 
through the IP pool in order). 

2) I'm unclear when 'sticky-address' should be appended to random? In my mind 
I'm thinking about, say, "secure websites" which may track your (apparent) 
source IP during the time you are logged in, and if it changes you could be 
booted out. Or am I overthinking things and 'sticky-address' is potentially 
less useful than I think it might be?

Finally, is there any reason why there isn't (yet?) a more intelligent 
mapping? (e.g. similar to the options in LACP ... e.g. source plus destination, 
not just source).

Thanks!

Rachel