
RE: Headache with dual WAN and "source route verification"

> > OpenBSD 3.6-stable
> >
> > Beautiful - reply-to seems perfectly suited to address the problem. For
> > some reason, this change breaks inbound mail (I think all inward
> > connections) completely. The inbound connection arrives at the WAN1
> > interface. I see it get passed to the mail server on the LAN interface,
> > and the mail server responds. That's the last I see of the response. It
> > does not go out either WAN interface and does not show up in pflog0.
> > Perhaps I need some better debugging techniques to learn where and why
> > the response is dumped. To my simple understanding, the initial inbound
> > connection should have created a state for the response, which would
> > have a free pass back out the firewall.
>
> Maybe you need to add the 'reply-to' option to all of your
> 'pass-in' statements?
>
I made a syntax error by using "reply-to { if, gw }" instead of "reply-to (if
gw)". There wasn't any error message from pf, so it probably had some
interpretation, but it sure wasn't what I intended.
Things are working almost 100% now, but there is still one case in which a
packet goes out the wrong interface. It appears that state is not created at
the original pass-in phase. In reality the state shows up as "closed:syn_sent"
though there is never any response to the incoming attempt. I see that this
case only applies when there is a static route defined which includes IP of the
connecting source. I'll do a little investigation to see if I can understand
that one better.
Thanks again for pointing out "reply-to".
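For reference, here is the shape of the dual-WAN setup the thread is discussing, written as an added pf.conf fragment in OpenBSD 3.x syntax (it is not the poster's configuration). Interface names, gateway addresses and the mail server address are assumed placeholders; the point is that reply-to goes on the pass in rule that creates the state, using the parenthesised (interface gateway) form.

```pf
# Added example, not the poster's config. Interface names and addresses
# are assumed placeholders for a dual-WAN OpenBSD 3.x firewall.
ext_if1  = "fxp0"            # WAN1
ext_if2  = "fxp1"            # WAN2
int_if   = "fxp2"            # LAN
gw1      = "192.0.2.1"       # WAN1 upstream gateway (placeholder)
gw2      = "198.51.100.1"    # WAN2 upstream gateway (placeholder)
mail_srv = "192.168.1.10"    # internal mail server (placeholder)

# Redirect inbound SMTP on either WAN address to the internal mail server.
# In pf 3.x, rdr runs before the filter rules, so the pass in rules below
# match on the translated destination ($mail_srv).
rdr on $ext_if1 proto tcp from any to ($ext_if1) port smtp -> $mail_srv
rdr on $ext_if2 proto tcp from any to ($ext_if2) port smtp -> $mail_srv

# Create state on the inbound SYN and pin the reply path to the interface
# the connection arrived on. The reply-to argument is written as
# "(interface gateway)" in parentheses; a brace list "{ if, gw }" is the
# mistake described in the thread.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any \
    to $mail_srv port smtp flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any \
    to $mail_srv port smtp flags S/SA keep state

# Let the redirected connection reach the mail server on the LAN side.
pass out on $int_if proto tcp from any to $mail_srv port smtp keep state
```

Parsing the file with `pfctl -nf /etc/pf.conf` before loading it catches outright syntax errors, although, as the thread shows, a rule that parses is not necessarily the rule you meant.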