
Re: transparent squid and load balancing outgoing traffic still not working

On Thu, Feb 17, 2005 at 10:35:50AM -0300, Emilio Lucena wrote:

> Well, I tried to follow this recommendation, but I noticed that, although
> PF indeed changed its behaviour and distributed the traffic between both 
> external connections, the packets sent out through the other external 
> connection (not the default gateway interface), had the source IP address 
> of the default interface. As a result, they get lost or discarded by the 
> ISP.
> Now the question is how to tell PF to change the source IP address when it 
> decides to send the packet through the other interface ?
>
> nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

What happens is this. The packet first tries to go out through the
default interface. The ruleset is evaluated. First, translation rules
apply, then filter rules. You have a NAT rule that matches on the
default interface, so the source address is replaced with the default
interface's address. Then filter rules are evaluated. The route-to rule
causes re-routing.

Now the packet passes out through the second interface and causes
ruleset evaluation. First, translation rules apply. But your NAT rule
does not match, because of the source address restriction. The packet,
at this point, has the default interface's address as source, not
$int_if:network anymore. So no further NAT applies, and that's how the
packet passes out.

Try these NAT rules instead:

  nat on $ext_if1 from !($ext_if1) to any -> ($ext_if1)
  nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
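The following pf.conf fragment is an added example, not a ruleset posted in this thread. It shows the two corrected NAT rules in the context of the complete two-link setup the thread is about: a round-robin route-to rule for forwarded LAN traffic, the quick rules that keep traffic for the gateway itself (including the rdr'd proxy connections) off the route-to path, and the pair of pass out rules that push already-translated packets back to the link whose address they carry. The interface names fxp0/fxp1/fxp2, the gateway addresses (RFC 5737 documentation ranges), the LAN macro and squid listening on port 3128 are all assumptions. The syntax is that of PF in the OpenBSD 3.x era of the thread, where nat and rdr rules are evaluated before the filter rules; on OpenBSD 4.7 and later the translation rules are written as match rules with nat-to and rdr-to instead.

```pf
# Added example; interfaces, addresses and the squid port are assumed.
ext_if1="fxp0"          # link to ISP 1, where the kernel default route points
ext_if2="fxp1"          # link to ISP 2
int_if="fxp2"           # LAN side
ext_gw1="192.0.2.1"     # next hop on ISP 1 (documentation address)
ext_gw2="198.51.100.1"  # next hop on ISP 2 (documentation address)

# Translation rules are evaluated first, and again on every interface the
# packet passes out on. Matching "not already this interface's own address"
# instead of $int_if:network means that after route-to moves a packet from
# $ext_if1 to $ext_if2, the second evaluation still matches and the source
# is rewritten to $ext_if2's address.
nat on $ext_if1 from !($ext_if1) to any -> ($ext_if1)
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

# Transparent proxy: LAN web traffic is redirected to squid on the gateway.
rdr on $int_if proto tcp from $int_if:network to any port 80 -> 127.0.0.1 port 3128

block all
pass quick on lo0

# Packets for the gateway itself, including the redirected proxy connections,
# must not be route-to'd out an external link. "quick" stops evaluation here,
# otherwise the later route-to rule (last match wins) would take them.
pass in quick on $int_if from $int_if:network to $int_if keep state
pass in quick on $int_if proto tcp from $int_if:network to 127.0.0.1 port 3128 keep state

# Forwarded LAN connections alternate between the two links; the state
# entry pins each connection to the link it started on.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $int_if:network to any keep state

# A packet that already carries one link's address but which the routing
# table would send out the other link is pushed back to the matching gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any keep state

# Everything else leaving a link with that link's own address is fine.
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the macros and the negated interface addresses are expanded at load time, so a typo in an interface name shows up there rather than as silently dropped traffic. One caveat that follows from the ruleset: the route-to rule is an inbound rule on $int_if, so it only balances traffic the gateway forwards. Connections that squid itself opens after a redirect are locally originated, are never seen "in on $int_if", and therefore leave through the kernel default route on $ext_if1 regardless of which link the client's request arrived on.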