pf, load-balancing attempt blocks incoming mail (comp.unix.bsd.openbsd.misc, OpenBSD category)
Hello,

Having some trouble here with mail when I try to implement outbound load-balancing. I am following the example for outbound load balancing in the pf User's Guide. But I have changed it to be special for SMTP, to ensure that all mail is sent and received from the same IP which is advertised by DNS. I'll implement a more redundant solution after getting this working.

The problem is that the system can send mail, but cannot receive it. The mail server sees incoming messages but cannot send a response because its response is blocked at the private interface! It reports an error writing to the socket because the connection was reset by the other side. However, the mail server is capable of initiating an outgoing connection to send mail.

Any helpful explanation for the source of the problem or a way to debug it would be much appreciated.

George

-----------------------
pfctl -g -s all
...
-----------------------
STATES:
self tcp 192.168.1.1:25 <- a.b.c.195:25 <- d.e.f.49:15323       CLOSED:SYN_SENT

LABEL COUNTERS:
Blocked in on int_if                 364    26   1158
Blocked out on int_if                341     0      0

-----------------------
Relevant rules from pf.conf
-----------------------
nat on $ext_if1 from 192.168.1.0/24 to any port smtp -> a.b.c.195
nat on $ext_if1 from 192.168.1.0/24 to any port != smtp -> a.b.c.199
rdr on $ext_if1 proto tcp from any to a.b.c.195 port smtp -> 192.168.1.1 port smtp

# default: block all
block in log on $int_if from any to any label "Blocked in on int_if"
block out log on $int_if from any to any label "Blocked out on int_if"
block in on { $ext_if1, $ext_if2 }
block out on { $ext_if1, $ext_if2 }

pass in quick on $int_if route-to \
    ($ext_if1 $ext_gw1) \
    proto tcp from any to any port = smtp flags S/SA keep state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from any to any flags S/SA keep state

pass out on $int_if from any to $lan_net
pass out on $ext_if1 proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
pass out on $ext_if2 proto tcp all flags S/SA keep state queue (q_def2, q_pri2)
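The following rules are an added example, not part of George's post or of the pf User's Guide. They take the posted counters at face value: the only label that is climbing is "Blocked in on int_if", and every pass-in rule on $int_if requires flags S/SA, so a SYN-ACK from 192.168.1.1 toward d.e.f.49 (not a SYN) can only be passed by a state, and the rule that lets the redirected SYN out on $int_if ("pass out on $int_if from any to $lan_net") creates none. The example adds state to that rule and, as an assumption (the post shows only "relevant" rules, so such a rule may already exist), an explicit pass-in rule for the redirected SMTP session that uses reply-to to send replies back through $ext_gw1 rather than whatever the default route is. It uses the same pre-4.7 syntax as the post and the macros $int_if, $ext_if1, $ext_gw1 and $lan_net assumed to be defined as there.

```pf
# Added example; not the original configuration. Same pf syntax as the post.

# Stateful pass on the private interface. The rdr'd SYN going out to the
# mail server creates a state here, so the server's SYN-ACK reply, which is
# not a SYN and can never match a "flags S/SA" pass-in rule, is matched by
# that state instead of falling through to "block in log on $int_if".
pass out on $int_if from any to $lan_net keep state \
    label "Stateful out on int_if"

# Accept the redirected SMTP session on the advertised address and pin its
# replies to the uplink it arrived on. Assumption: rdr translation happens
# before filtering, so the filter sees the internal address 192.168.1.1.
# reply-to keeps the response from leaving via $ext_if2 (where "block out"
# would drop it) when the default route points that way.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to 192.168.1.1 port smtp flags S/SA keep state \
    label "SMTP rdr in on ext_if1"
```

To confirm which rule is dropping the reply before changing anything, watch the log interface with `tcpdump -n -e -ttt -i pflog0 port 25` while a remote host connects; the `-e` output names the interface, direction and rule number for each blocked packet, and `pfctl -s state` should show a second state on $int_if for the session once the stateful rule is in place.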