Problem with NAT/RDR in PF

shinny knight sh1nny_kn1ght at
Tue Dec 11 02:56:03 PST 2007

"Michael K. Smith - Adhost" <mksmith at> wrote:

Hello Catalin:

> Michael Smith wrote:
> On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
> > Michael Smith wrote:
> >> Hello All:
> >> I am trying to configure a round-robin group of Name Servers that
> >> respond on to and from a single address.
> >> I want the following to occur:
> >> 1) DNS query from to is redirected to a
> >> pool of name servers
> >> 2) One of the name servers responds to the query
> >> 3) The response shows a source address of, not the
> >> actual name server
> >

> Hello Mike,
> If I understand correctly your environment I think you should change
> the NAT rule from:
> nat on $vlan821_if from $nr_net to $mail_net ->
> to:
> nat on $vlan6_if from $nr_net to $mail_net ->
> Let us know if this is solving the issue.

I'm still seeing the same issue. Here's the output from pfctl -sa | grep

nat on vlan6 inet from to ->
rdr on vlan6 inet proto udp from any to port = domain -> round-robin
rdr on vlan6 inet proto tcp from any to port = domain -> round-robin
vlan6 udp <- <- NO_TRAFFIC:SINGLE

It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?


Hello Mike,
  Ok, I understand better now.
  I saw that DNS queries are going to an IP address located in $vlan821 range.
  Is it possible to make queries to an IP within $vlan6 range?
  May I suggest adding another IP from 12.211.1.x on $vlan6 interface or use the interface IP and send queries to it?
  If it is possible then your rules should look like this:

nat on $vlan6_if from $nr_net to $mail_net -> 10.211.1.x

rdr on $vlan6_if proto { udp tcp } from any to 10.211.1.x port 53 -> <nr_roundrobin> round-robin
  I'm also using PF load-balancing rules and they have been working fine for me for more than 1 year.
  However, the drawback is that PF is not polling your remote systems to check if the service is available. It will keep sending packets to that one until you manually remove the IP from the round-robin table.
  One workaround is to create a script and run it from cron that will check for service availability and remove/add IPs to the round-robin table as required.
  Let me know if above solution is solving your issue.
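An added example (not from the thread) of the cron-driven health check described above: it probes each candidate name server with dig and keeps the round-robin table in sync with the servers that answer. The table name nr_roundrobin comes from the rules above; the candidate addresses, probe record and script name are assumptions, and dig, pfctl and logger are assumed to be on the box.

```sh
#!/bin/sh
# Hypothetical health checker for a PF round-robin table, run from cron as
# "pf-rr.sh --apply". Real pfctl options used: -t <table> -T show|add|delete.
TABLE="nr_roundrobin"
CANDIDATES="10.211.1.11 10.211.1.12 10.211.1.13"   # constructed sample servers
PROBE_NAME="example.com."                          # record every server should answer

# Succeed only if the server answers a DNS query within 2 seconds.
dns_alive() {
    dig +time=2 +tries=1 "@$1" "$PROBE_NAME" A >/dev/null 2>&1
}

# Given the table's current members and the healthy candidates (both as
# space-separated lists), print one table operation per line:
# "add <ip>" for healthy servers missing from the table,
# "delete <ip>" for members that no longer answer.
plan_changes() {
    current="$1"; healthy="$2"
    for ip in $healthy; do
        case " $current " in *" $ip "*) ;; *) echo "add $ip" ;; esac
    done
    for ip in $current; do
        case " $healthy " in *" $ip "*) ;; *) echo "delete $ip" ;; esac
    done
}

main() {
    healthy=""
    for ip in $CANDIDATES; do
        dns_alive "$ip" && healthy="$healthy $ip"
    done
    # pfctl prints one indented address per line; flatten to a space-separated list.
    current=$(pfctl -t "$TABLE" -T show 2>/dev/null | tr -d ' ' | tr '\n' ' ')
    plan_changes "$current" "$healthy" | while read -r op ip; do
        pfctl -q -t "$TABLE" -T "$op" "$ip"
        logger -t pf-rr "$op $ip in table $TABLE"
    done
}

# Only touch pfctl when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Servers that come back are re-added on the next cron run, so the table never needs hand editing.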


More information about the freebsd-questions mailing list