
List:       openbsd-pf
Subject:    route-to curiosity
From:       ed <ed () ednevitible ! co ! uk>
Date:       2005-09-10 20:13:22
Message-ID: 20050910211322.0d76f994 () workstation

Hello all,

I have a question about route-to. I would like to know if the following
situation would work, and if there is any advice you can give on this:

I would like to provide some resilience to a group of servers behind a
pf NAT. Visualise the top three boxes as different /24
network connections on the external interface. In the middle I have a pf
box with an IP address in each network, and an IP in the internal network
on the internal network interface. At the bottom there are two computers
with three alias IP addresses, one to correlate with each of the
external connections.

 +------------+ +------------+ +------------+
 | 1.2.3.1/24 | | 2.3.4.1/24 | | 3.4.5.1/24 |
 +------------+ +------------+ +------------+
       \              |              /       
           \          |          /       
               \      |      /
                   \  |  / 
               +-------------+
               | 1.2.3.5/24  |
               | 2.3.4.5/24  |
               | 3.4.5.5/24  |
               | 10.1.7.5/24 |
               +-------------+ 
                   /   \   
                 /       \       
               /           \       
      10.1.7.6/24       10.1.7.9/24
      10.1.7.7/24       10.1.7.10/24
      10.1.7.8/24       10.1.7.11/24
      
With rules such as:

rdr pass on $ext_if from any to 1.2.3.10 port 80 -> 10.1.7.6

Would the TCP connection be routed via its inbound route, or do I have
to create a new route-to rule to cater for this?

Would I be better off creating three new network ranges 10.N.x.y to make
route-to simple, if possible?

As I understand it, pf is stateful, so do I even need to think about
route-to in order to accomplish this?

-- 
http://edd.link9.net - http://irc.is-cool.net
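For readers following this thread: the following pf.conf fragment is an added example, not something from the original post or from the OpenBSD project, showing how the rdr in the post can be paired with reply-to so that each connection's return traffic leaves through the upstream it arrived on rather than the single default route. It uses the pre-OpenBSD 4.7 syntax of the post (separate rdr and pass rules), the gateway addresses from the diagram (1.2.3.1, 2.3.4.1, 3.4.5.1), and the public address 1.2.3.10 from the post; the interface names fxp0/fxp1 and the public addresses 2.3.4.10 and 3.4.5.10 are assumptions constructed by analogy.

```pf
# Added example, not from the original post. Assumed: interface names,
# and the public addresses 2.3.4.10 / 3.4.5.10 (constructed by analogy
# with the 1.2.3.10 in the post).
ext_if = "fxp0"
int_if = "fxp1"

# Translation happens before filtering, so the pass rules further down
# match the translated (10.1.7.x) destination, not the public address.
# A plain rdr is used instead of "rdr pass" because the implicit pass
# that "rdr pass" creates cannot carry a reply-to option.
rdr on $ext_if proto tcp from any to 1.2.3.10 port 80 -> 10.1.7.6
rdr on $ext_if proto tcp from any to 2.3.4.10 port 80 -> 10.1.7.7
rdr on $ext_if proto tcp from any to 3.4.5.10 port 80 -> 10.1.7.8

# reply-to is stored on the state entry created by keep state: the
# reply half of the connection is handed to the named gateway on the
# named interface, bypassing the routing table. Without it, replies for
# connections that arrived via 2.3.4.1 or 3.4.5.1 would all follow the
# default route, i.e. asymmetric return paths.
pass in on $ext_if reply-to ($ext_if 1.2.3.1) proto tcp \
    from any to 10.1.7.6 port 80 flags S/SA keep state
pass in on $ext_if reply-to ($ext_if 2.3.4.1) proto tcp \
    from any to 10.1.7.7 port 80 flags S/SA keep state
pass in on $ext_if reply-to ($ext_if 3.4.5.1) proto tcp \
    from any to 10.1.7.8 port 80 flags S/SA keep state

# Allow the translated connections out towards the internal servers.
pass out on $int_if proto tcp from any to 10.1.7.0/24 port 80 keep state
```

Statefulness alone does not solve the question in the post: keep state lets the reply packets match the state entry, but which gateway the reply is sent to is still decided by the routing table unless reply-to (for traffic that came in) or route-to (for traffic going out) is recorded on the state. Check the result with pfctl -nf /etc/pf.conf before loading, and pfctl -ss afterwards to see the per-state route information.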