
Re: stalled connections between pf servers



I did a bit of experimentation over the weekend and found something interesting.
First, a very short re-hash of my problem since it's been a while since my last
post. 
A diagram: http://webpages.charter.net/cycler/network.txt
There are two subnets, one for the servers, and one for the workstations.
Traffic outbound to each internet connection is great. Traffic between each
subnet will stall/hang. If I take one router offline, and leave one router as
master for both subnets, traffic is great in all directions. 
Each router is multi-homed, and has a connection to both subnets. I have
discovered through testing (see my previous posts in this thread) that when
traffic enters one router (say hobbes) from the workstation network
(192.168.20.0), and is destined for the server network (192.168.30.0), that
traffic will exit hobbes on fxp1 and never reach calvin, even though calvin is
master for the gateway IP (192.168.30.1) on the server network and hobbes is
the backup.
This means that return traffic from the server network is entering calvin
(because it is the master carp default gateway) and never going back to hobbes
either. Traffic enters the network one way, and returns along a different path. 
So what I did this weekend was to add a route-to rule stating that any traffic
entering on the workstation interface, and destined for the server subnet should
be routed to the server gateway. I also did this for the opposite (traffic
entering the server interface and destined for the workstation subnet). This
essentially works, and traffic actually goes to the proper router for the given
subnet. 
However, it is very, very slow. I also found a considerable amount of blocked
traffic on, say, xl1 coming from 192.168.20.0 that I did not expect. Further, if I
ping across the subnets, without fail my first ping will time out, and
subsequent pings will work.
It's almost like the traffic has two potential paths, tries the first, fails,
and resorts to the second. Am I missing some reply-to traffic here that I should
be doing some further filtering on?
-------------------------------------------------------------------------------------------
workstation_net = "{ 192.168.20.0/24 }"
workstation_gw  = "192.168.20.1"
server_net      = "{ 192.168.30.0/24 }"
server_gw       = "192.168.30.1"
# server subnet -> workstation subnet: hand the traffic to the workstation-side gateway
pass in log quick on $server_if route-to ($workstation_if $workstation_gw) \
    from $server_net to $workstation_net keep state flags S/SA
# workstation subnet -> server subnet: hand the traffic to the server-side gateway
pass in log quick on $workstation_if route-to ($server_if $server_gw) \
    from $workstation_net to $server_net keep state flags S/SA
** See the original post in this thread for a full pf.conf
Steve
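As an added example, not Steve's pf.conf and not taken from the original post, the fragment below writes the route-to pair out as a complete set of rules that `pfctl -nf` will accept, and adds the rules a router would need for the traffic its peer hands over after the route-to: that traffic arrives on the server-side interface with a workstation-subnet source (which is what the unexpected blocks on xl1 from 192.168.20.0 would look like if the original ruleset only passes $server_net there, but the full pf.conf is not on this page, so that is a guess). The interface names fxp0/fxp1, the default-deny rule and the peer address macros are assumptions; the CARP gateway addresses are the ones from the post.

```pf
# Added example, not the poster's configuration.
# Assumed: fxp0 faces the workstation subnet, fxp1 faces the server subnet
# (on calvin substitute its xl* interfaces). peer_*_ip are the OTHER
# router's real, non-CARP addresses on each segment; the values are
# assumptions and differ per router.
workstation_if      = "fxp0"
server_if           = "fxp1"
workstation_net     = "192.168.20.0/24"
workstation_gw      = "192.168.20.1"   # CARP address on the workstation segment
server_net          = "192.168.30.0/24"
server_gw           = "192.168.30.1"   # CARP address on the server segment (master: calvin)
peer_workstation_ip = "192.168.20.3"   # assumed
peer_server_ip      = "192.168.30.3"   # assumed

# Default deny with logging, so every unexpected drop shows up on pflog0.
block log all

# Cross-subnet traffic is handed to whichever router is CARP master for the
# destination subnet, no matter which router first received it.
pass in log quick on $workstation_if route-to ($server_if $server_gw) \
    from $workstation_net to $server_net keep state flags S/SA
pass in log quick on $server_if route-to ($workstation_if $workstation_gw) \
    from $server_net to $workstation_net keep state flags S/SA

# Traffic handed over by the peer arrives on the server-side interface with a
# workstation-subnet source; without its own pass rule it hits the block above.
# reply-to sends the replies back to the peer on the same segment, so the
# return path retraces the forward path and the peer's state sees both halves.
pass in log quick on $server_if reply-to ($server_if $peer_server_ip) \
    from $workstation_net to $server_net keep state flags S/SA
# Mirror image for hand-offs that arrive on the workstation-side interface.
pass in log quick on $workstation_if reply-to ($workstation_if $peer_workstation_ip) \
    from $server_net to $workstation_net keep state flags S/SA

# Let the forwarded packets leave on either interface.
pass out quick on { $workstation_if $server_if } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then compare `pfctl -ss` on both routers while a ping runs: the router that received the packet should hold the route-to state and the peer the reply-to state for the same pair of addresses. `tcpdump -n -e -ttt -i pflog0 action block` shows what the `log` rules drop and on which interface. The reply matching a state on a different interface than the one it was created on relies on pf's default `set state-policy floating`; with `if-bound` states the returning packets would not match.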