To pass traffic from a remote host 55.55.55.55 to a service behind the NAT on the box with IP 77.77.77.77 I have a standard set of rules:
Code:
00812 nat 82 tcp from 55.55.55.55 to 77.77.77.77 48888 in via igb0
00822 allow tcp from 55.55.55.55 to 10.1.1.8 48888 in via igb0
00832 nat 82 tcp from 10.1.1.8 48888 to 55.55.55.55 out via igb0
00842 allow tcp from 77.77.77.77 48888 to 55.55.55.55 out via igb0
where CARP is configured for 55.55.55.55 on that box, therefore 55.55.55.55 is presented on igb0:
Code:
igb0:
inet 77.77.77.77 netmask 0xffffffff broadcast 77.77.77.77
inet 55.55.55.55 netmask 0xffffffff broadcast 55.55.55.55 vhid 1
carp: BACKUP vhid 1 advbase 1 advskew 100
and the rules will not work.
Traffic hits only rules 00812 and 00822 when 55.55.55.55 is there on the NIC. No other counters incremented, only those for these two rules. Nor are there any rules that could match the packet that leaves ipfw at rule 00822. It's just the presence of 55.55.55.55 for failover purposes that creates the problem. Once it is removed, obviously, the rules work.
I couldn't find how to improve the rules for such conditions, based on a vhid reference, for example. The man page doesn't seem to mention vhid. Looks like a lack of options for ipfw when using CARP.
Questions:
Is there any "magic" trick to tell IPFW to ignore the CARP IP presented on the NIC? Why does this problem exist at all; where does the packet get "stuck"/"lost" after rule 00822?
FreeBSD 11.3
ipfw nat 82 config ip 55.55.55.55 log same_ports unreg_only reset redirect_port tcp 10.1.1.8:48888 48888
net.inet.ip.fw.one_pass=0, though this is irrelevant to the question.
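The post's diagnosis rests on watching which rule counters move. The following is an added example (not from the original post or from FreeBSD) that diffs two `ipfw show` snapshots and reports which rules saw packets, so the observation "only 00812 and 00822 incremented" can be reproduced mechanically. The snapshot text is constructed to mirror the rule set above; the counter values are made up. Real input comes from running `ipfw show` (alias of `ipfw -a list`) before and after a single test connection.

```python
"""Diff two `ipfw show` snapshots to see which rules saw traffic.

Added example; not code from the original post. The sample output below is
constructed to mirror the rule set in the post; real counters come from
running `ipfw show` before and after a test connection.
"""
import re

# `ipfw show` prints: <rule number> <packets> <bytes> <rule body>
_LINE = re.compile(r"^\s*(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_show(text):
    """Return {rule_number: (packets, bytes, body)} from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules[num] = (int(pkts), int(byts), body.strip())
    return rules


def hit_rules(before, after):
    """Rules whose packet counter grew between two snapshots, with the delta."""
    out = []
    for num, (pkts_after, _, body) in sorted(after.items()):
        pkts_before = before.get(num, (0, 0, ""))[0]
        delta = pkts_after - pkts_before
        if delta > 0:
            out.append((num, delta, body))
    return out


def unanswered_inbound(before, after, in_rule="00812", out_rule="00832"):
    """True when the inbound NAT rule got hits but the outbound NAT rule for
    the reply did not, i.e. no reply packet was seen by ipfw on igb0."""
    hits = {num for num, _, _ in hit_rules(before, after)}
    return in_rule in hits and out_rule not in hits


# Constructed snapshots (not real output): counters before and after one
# test connection from 55.55.55.55 to 77.77.77.77:48888 while the CARP
# address is present on igb0.
BEFORE = """\
00812       10       600 nat 82 tcp from 55.55.55.55 to 77.77.77.77 48888 in via igb0
00822       10       600 allow tcp from 55.55.55.55 to 10.1.1.8 48888 in via igb0
00832        8       480 nat 82 tcp from 10.1.1.8 48888 to 55.55.55.55 out via igb0
00842        8       480 allow tcp from 77.77.77.77 48888 to 55.55.55.55 out via igb0
65535  1000000 100000000 deny ip from any to any
"""
AFTER = """\
00812       11       660 nat 82 tcp from 55.55.55.55 to 77.77.77.77 48888 in via igb0
00822       11       660 allow tcp from 55.55.55.55 to 10.1.1.8 48888 in via igb0
00832        8       480 nat 82 tcp from 10.1.1.8 48888 to 55.55.55.55 out via igb0
00842        8       480 allow tcp from 77.77.77.77 48888 to 55.55.55.55 out via igb0
65535  1000000 100000000 deny ip from any to any
"""

if __name__ == "__main__":
    b, a = parse_show(BEFORE), parse_show(AFTER)
    for num, delta, body in hit_rules(b, a):
        print(f"{num} +{delta} {body}")
    print("inbound NAT hit but no outbound NAT hit:", unanswered_inbound(b, a))
```

In practice, capture the two snapshots with `ipfw show > before.txt`, make one connection, then `ipfw show > after.txt`, and feed both files to `parse_show`. The `unanswered_inbound` check only states what the counters show (the reply never traversed the outbound NAT rule); it does not by itself say where the packet went.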