Date:      Tue, 11 Dec 2007 02:43:09 -0800 (PST)
From:      shinny knight <sh1nny_kn1ght@yahoo.com>
To:        "Michael K. Smith - Adhost" <mksmith@adhost.com>, Erik Norgaard <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   RE: Problem with NAT/RDR in PF
Message-ID:  <130709.85512.qm@web44802.mail.sp1.yahoo.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031603067F88@ad-exh01.adhost.lan>

"Michael K. Smith - Adhost" <mksmith@adhost.com> wrote:

Hello Catalin:

> 
> Michael Smith wrote:
> 
> 
> On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
> 
> > Michael Smith wrote:
> >> Hello All:
> >> I am trying to configure a round-robin group of Name Servers
> that
> >> respond on to and from a single address.
> >> I want the following to occur:
> >> 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to
> a
> >> pool of name servers
> >> 2) One of the name servers responds to the query
> >> 3) The response shows a source address of 10.212.1.1, not the
> >> actual name server
> >
> 
> Hello Mike,
> 
> 
> If I understand correctly your environment I think you should change
> the NAT rule from:
> 
> nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
> 
> to:
> 
> nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
> 
> Let us know if this is solving the issue.
> 

I'm still seeing the same issue. Here's the output from pfctl -sa | grep 10.212.1.1

nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> round-robin
rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> round-robin
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108 NO_TRAFFIC:SINGLE

It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The 10.212.1.1 address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?

Regards,

Mike
  
Hello Mike,

Ok, I understand better now.
I saw that DNS queries are going to an IP address located in the $vlan821 range.
Is it possible to make queries to an IP within the $vlan6 range?
May I suggest adding another IP from 10.211.1.x on the $vlan6 interface, or using the interface IP, and sending queries to it?

If it is possible, then your rules should look like this:

nat on $vlan6_if from $nr_net to $mail_net -> 10.211.1.x

rdr on $vlan6_if proto { udp tcp } from any to 10.211.1.x port 53 -> <nr_roundrobin> round-robin

I'm also using PF load-balancing rules, and they have been working fine for me for more than 1 year.
However, the drawback is that PF is not polling your remote systems to check if the service is available. It will keep sending packets to that one until you manually remove the IP from the round-robin table.

One workaround is to create a script, run from cron, that checks for service availability and removes/adds IPs to the round-robin table as required.

Let me know if the above solution solves your issue.

BR,

Catalin
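The cron workaround Catalin describes, written out as an added example (this is not code posted in the thread): it sends a real DNS query to each pool member and adds or deletes that member in the PF table with pfctl(8), so an rdr rule like the one above stops handing queries to a dead server. The table name <nr_roundrobin>, the backend addresses in POOL, the probe name and the use of dig(1) are all assumptions; adjust them to the real pf.conf.

```shell
#!/bin/sh
# pf_dns_pool_check.sh: cron-driven health check that keeps a PF round-robin
# table in sync with the name servers that actually answer. Added example,
# not code from the thread. Assumptions (constructed for illustration):
#   - the rdr rule targets a table named <nr_roundrobin>
#   - POOL lists the candidate name servers (addresses made up below)
#   - pfctl(8) and dig(1) are on PATH on the firewall host
# Cron entry, once a minute:  * * * * * PF_POOL_CHECK_RUN=1 /usr/local/sbin/pf_dns_pool_check.sh

TABLE="${TABLE:-nr_roundrobin}"
POOL="${POOL:-10.212.1.11 10.212.1.12 10.212.1.13}"   # assumed backends
PROBE_NAME="${PROBE_NAME:-localhost.}"                # name every server must answer
PFCTL="${PFCTL:-pfctl}"

# probe_dns IP -> 0 if the server answers a query within 2 s, non-zero otherwise.
# A ping is not enough: the host can be up while named(8) is wedged.
probe_dns() {
    dig "@$1" "$PROBE_NAME" A +time=2 +tries=1 >/dev/null 2>&1
}

# current_members -> the addresses currently in the table, one per line.
current_members() {
    "$PFCTL" -t "$TABLE" -T show 2>/dev/null | awk '{ print $1 }'
}

# pf_apply ACTION IP -> add or delete one address in the live table.
pf_apply() {
    "$PFCTL" -t "$TABLE" -T "$1" "$2" >/dev/null 2>&1
}

# in_list NEEDLE "LIST" -> 0 if NEEDLE is one of the whitespace-separated words.
in_list() {
    for _x in $2; do [ "$_x" = "$1" ] && return 0; done
    return 1
}

# reconcile: probe every pool member, then add healthy ones that are missing
# and delete unhealthy ones that are present. Prints one "ACTION IP" line per
# change, so cron only mails when something actually happened.
reconcile() {
    healthy=""
    for ip in $POOL; do
        probe_dns "$ip" && healthy="$healthy $ip"
    done
    current=$(current_members | tr '\n' ' ')

    # Guard: if nothing answers, the probe host (or its path to the servers)
    # is the likelier culprit. Leave the table alone rather than emptying it
    # and turning a monitoring glitch into a total DNS outage.
    if [ -z "$healthy" ]; then
        echo "WARNING: no pool member answered; leaving table $TABLE unchanged" >&2
        return 1
    fi

    for ip in $healthy; do
        in_list "$ip" "$current" || { pf_apply add "$ip" && echo "add $ip"; }
    done
    for ip in $current; do
        in_list "$ip" "$healthy" || { pf_apply delete "$ip" && echo "delete $ip"; }
    done
    return 0
}

# Only touch the live table when invoked for real; sourcing the file (for
# instance to exercise reconcile with stubbed probe_dns/pf_apply) does nothing.
if [ "${PF_POOL_CHECK_RUN:-}" = "1" ]; then
    reconcile
fi
```

The probe and the pfctl calls are kept in small functions so the reconcile logic can be exercised with stubs before the script is trusted with the production table; the "nothing healthy" guard is deliberate, since a script that empties the table on a transient probe failure is worse than the manual removal it replaces.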



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?130709.85512.qm>