[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Static route problem/interaction with pf



I have a system with two ISPs coming in on fxp1 and fxp2. All mail is supposed
to be handled through a static IP on fxp1. The ruleset is designed to nat all
smtp traffic going out through this public IP, and to forward all incoming smtp
to the mail server.
In the special case where mail originates from ISP2 (associated with fxp2), the
ISP2 sends mail as they should to the public IP which comes through fxp1.
However ... the system is attempting to respond through fxp2. It is as if the
state record was not matched when the incoming connection was made.
This problem only occurs when a static route is defined for the subnet that
contains ISP2's mail server.
Any suggestion as to how to fix or do this better ?
George
------------------------------
The evidence, first an incoming packet arrives from ISP2 on fxp1:
/etc >> tcpdump -n -i fxp1 src 64.X.Y.Z
tcpdump: listening on fxp1
14:32:04.053286 64.X.Y.Z.47855 > 208.M.N.O.25: S 1965835282:1965835282(0) win
5840 <mss 1460,sackOK,timestamp 776750336 0,nop,wscale 0> (DF)
In another window, the response goes out fxp2 (!)
/etc >> tcpdump -n -i fxp2 dst 64.X.Y.Z
tcpdump: listening on fxp2
14:32:04.053555 208.M.N.O.25 > 64.X.Y.Z.47855: S 3197872932:3197872932(0) ack
1965835283 win 35040 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)
-------------------------------
Relevant rules
-------------------------------
nat on $ext_if1 from $lan_net to any port smtp -> 208.x.x.x
nat on $ext_if2 from $lan_net to any port != smtp -> 64.x.x.x
rdr on $ext_if1 proto tcp from any to 208.x.x.x port smtp -> 192.168.1.1 port
smtp
block on $ext_if1 all
block on $ext_if2 all
pass in on $ext_if1 inet proto tcp from any to 192.168.1.1 port smtp \
        flags S/SA keep state queue (q_def, q_pri) \
        label "Incoming mail connection from $srcaddr to port $dstport"
pass out on $ext_if1 proto tcp all flags S/SA keep state queue (q_def, q_pri)