
Re: NAT using a CARP interface



On Tue, 2005-03-15 at 14:58:04 -0600, eric proclaimed...
> nat on xl0 inet from 172.19.81.183 to any -> 10.100.81.183
I fixed this to be a binat rule 
binat on xl0 from 172.19.81.183 to any -> 10.100.81.183
I then removed the following rdr rule...
> rdr on xl0 inet proto tcp from any to 10.100.81.183 port = 3389 -> 172.19.81.183 port 3389
And made sure the following pf rules are in place..
> @30 pass in on xl0 inet proto tcp from <nxious:1> to 172.19.81.183 port = 3389 synproxy state (if-bound) label "xl0-nxious-rdesktop-in"
> @31 pass in log on xl0 inet proto tcp from <csrtnet:3> to 172.19.81.183 port = 3389 synproxy state (if-bound) label "xl0-csrtnet-rdesktop-in"
However, now I'm seeing this..
Mar 17 10:39:44.571225 rule 31/0(match): pass in on xl0: 10.19.81.182.49319 > 172.19.81.183.3389: S 3984883798:3984883798(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (ttl 64, id 47073, bad cksum a699!)
But the connection just hangs...
I also see problems with state on a carp'ed interface...
Mar 17 10:42:22.288652 rule 0/0(match): block in on xl0: 129.128.5.191.80 > 172.19.81.183.1360: S [tcp sum ok] 2526512205:2526512205(0) ack 3779238052 win 1008 <mss 1440> (ttl 246, id 45847, bad cksum 4caa!)
Perhaps I'm trying something that just doesn't work yet?
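As an added example (not part of the mail, and not pf's own tooling), a small Python parser for pflog records in the tcpdump format quoted above: it stitches wrapped lines back together and picks out blocked SYN/ACKs, i.e. replies that matched no state, which is the symptom the second log line shows. The sample records are constructed from the two in the post; the field names and the `unmatched_replies` helper are this example's own.

```python
import re

# Constructed sample in pflog/tcpdump style, taken from the two records in the
# post above; the first record wraps over three lines as it does in the mail.
SAMPLE = """\
Mar 17 10:39:44.571225 rule 31/0(match): pass in on xl0:
10.19.81.182.49319 > 172.19.81.183.3389: S 3984883798:3984883798(0) win
65535 <mss 1460,nop,wscale 0,[|tcp]> (ttl 64, id 47073, bad cksum a699!)
Mar 17 10:42:22.288652 rule 0/0(match): block in on xl0: 129.128.5.191.80 > \
172.19.81.183.1360: S [tcp sum ok] 2526512205:2526512205(0) ack 3779238052 \
win 1008 <mss 1440> (ttl 246, id 45847, bad cksum 4caa!)
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ rule ")
HEADER = re.compile(
    r"^(?P<ts>\S+ +\d+ \S+) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>[\w.]+): (?P<rest>.*)$"
)
FLOW = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)")

def join_records(text):
    """Stitch wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_record(rec):
    """Pull out the fields worth alerting on, or None if rec is not a pflog line."""
    m = HEADER.match(rec)
    f = FLOW.search(m["rest"]) if m else None
    if not f:
        return None
    return {
        "ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
        "dir": m["dir"], "iface": m["iface"], "flags": f["flags"],
        "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"], "dport": int(f["dport"]),
        "syn_ack": f["flags"] == "S" and " ack " in m["rest"],  # second leg of the handshake
        "bad_cksum": "bad cksum" in rec,
    }

def parse_pflog(text):
    return [e for e in map(parse_record, join_records(text)) if e]

def unmatched_replies(entries):
    """Blocked SYN/ACKs: a reply arrived that matched no state (the hang in the post)."""
    return [e for e in entries if e["action"] == "block" and e["syn_ack"]]
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog`; any entry returned by `unmatched_replies` points at a connection whose outbound SYN created no usable state on the interface the reply came back on.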