Problem with NAT/RDR in PF
Michael K. Smith - Adhost
mksmith at adhost.com
Mon Dec 10 09:11:10 PST 2007
Hello Catalin:
<snip>
>
> Michael Smith <mksmith at adhost.com> wrote:
>
>
> On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
>
> > Michael Smith wrote:
> >> Hello All:
> >> I am trying to configure a round-robin group of Name Servers that
> >> respond to and from a single address.
> >> I want the following to occur:
> >> 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a
> >> pool of name servers
> >> 2) One of the name servers responds to the query
> >> 3) The response shows a source address of 10.212.1.1, not the
> >> actual name server
> >
<snip>
>
>
> Hello Mike,
>
>
> If I understand correctly your environment I think you should change
> the NAT rule from:
>
> nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
>
> to:
>
> nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
>
> Let us know if this is solving the issue.
>
I'm still seeing the same issue. Here's the output from pfctl -sa | grep 10.212.1.1
nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> <nr_roundrobin> round-robin
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108 NO_TRAFFIC:SINGLE
It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The 10.212.1.1 address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?
Regards,
Mike
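As an added illustration (not part of the thread), here is a small Python helper that parses `pfctl -ss` state lines like the one above and lists the translated (nat/rdr) states for which the firewall has never seen a reply packet, which is the condition the NO_TRAFFIC:SINGLE entry shows. It assumes the pf state print format of that era (inbound `lan <- gwy <- ext`, outbound `lan -> gwy -> ext`, state pair printed responder:initiator for inbound and initiator:responder for outbound); all sample lines except the first are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `pfctl -ss` output; only the first line is from the post.
SAMPLE_STATES = """\
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108 NO_TRAFFIC:SINGLE
vlan6 udp 10.212.1.12:53 <- 10.212.1.1:53 <- 10.211.128.20:40001 MULTIPLE:MULTIPLE
vlan6 tcp 10.212.1.13:53 <- 10.212.1.1:53 <- 10.211.128.5:51000 ESTABLISHED:ESTABLISHED
vlan821 udp 10.212.1.11:53 <- 10.211.128.146:54108 NO_TRAFFIC:SINGLE
vlan6 udp 10.212.1.20:1234 -> 10.212.1.1:60000 -> 10.211.128.9:53 SINGLE:NO_TRAFFIC
"""

# iface proto <endpoints...> SRCSTATE:DSTSTATE
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(\S+):(\S+)$")

@dataclass
class PfState:
    iface: str
    proto: str
    direction: str      # "in" or "out"
    translated: bool    # nat/rdr applied: three endpoints printed instead of two
    initiator: str      # host that sent the first packet
    responder: str      # host that should answer
    init_state: str
    resp_state: str

def parse_state(line: str) -> Optional[PfState]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    iface, proto, hosts, st_a, st_b = m.groups()
    if " <- " in hosts:
        parts = hosts.split(" <- ")
        # Inbound "lan <- gwy <- ext": initiator is ext (last host);
        # assumption: pfctl prints the pair as responder:initiator here.
        return PfState(iface, proto, "in", len(parts) == 3, parts[-1], parts[0], st_b, st_a)
    parts = hosts.split(" -> ")
    # Outbound "lan -> gwy -> ext": initiator is lan (first host), pair is initiator:responder.
    return PfState(iface, proto, "out", len(parts) == 3, parts[0], parts[-1], st_a, st_b)

def one_way_translated(text: str) -> List[PfState]:
    """Translated states in which no reply has ever crossed the firewall."""
    found = []
    for line in text.splitlines():
        s = parse_state(line)
        if s and s.translated and s.resp_state == "NO_TRAFFIC":
            found.append(s)
    return found

if __name__ == "__main__":
    for s in one_way_translated(SAMPLE_STATES):
        print(f"{s.iface} {s.proto} {s.initiator} -> {s.responder}: no reply seen ({s.direction})")
```

A redirected state that stays one-way like this usually means the reply is not coming back through the same pf interface and state, so the reverse translation never gets a chance to happen.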