Round Robin load balancing nat problem.



Hi,

My news server has a limit of two connections per IP address, but I am
allowed to lease three IP addresses. I have come up with a scheme to
allow a machine on my internal network six connections, but I'm having
a NAT problem that is preventing me.

I'm using a program called balance to forward connections in a round
robin fashion to three local ports. I would like to redirect the ports
to my ISP's news server. I would source NAT each connection from a
different internal port so that I can use a route-to rule in my pf
rules to send the packets out the desired interface. Unfortunately I
can't even get past step one: connecting to a local port and having it
redirected to my news server.

$telnet 127.0.0.1 119
Trying 127.0.0.1...
--Times out-----

I have two relevant rules in my nat.conf and have allowed all in and
out in my pf.conf.

rl0 is my external interface.
216.168.3.44 is the address of my ISP's news server.

rdr on lo0 from lo0 to lo0 port 119 ->  216.168.3.44 port 119
nat on rl0 from lo0 to 216.168.3.44 -> rl0

From what I understand, the first rule should do the redirecting. The
second rule should make packets that have been redirected from
127.0.0.1:119 to 216.168.3.44 look as if they are coming from my
external interface.

When I look at my state table after trying to telnet to localhost 119, I
get this:

tcp 216.168.3.44:119 <- 127.0.0.1:119 <- 127.0.0.1:23599      CLOSED:SYN_SENT
tcp 127.0.0.1:23599 -> 127.0.0.1:119       SYN_SENT:CLOSED
tcp 127.0.0.1:23599 -> 66.188.252.225:50057 -> 216.168.3.44:119      TIME_WAIT:TIME_WAIT

Using tcpdump on my external interface I get:
--This SYN packet seems to indicate that the redirection rule is
working---

23:18:23.810070 c66.188.252.225.euc.wi.charter.com.50057 >
corp.supernews.com.nntp: S 2063805281:2063805281(0) win 16384 <mss
33184,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 193677086 0> (DF)
[tos 0x10]

--And the news server responds with a SYN ACK to the correct IP, so I
think my NAT rule is working---

23:18:23.890992 corp.supernews.com.nntp >
c66.188.252.225.euc.wi.charter.com.50057: S 1255639536:1255639536(0)
ack 2063805282 win 34752 <nop,nop,timestamp 823300003
193677086,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)

--But then my machine responds with an RST like it wasn't expecting the
connection back, which I don't get---

23:18:23.891099 c66.188.252.225.euc.wi.charter.com.50057 >
corp.supernews.com.nntp: R 2063805282:2063805282(0) win 0 (DF)

--News server keeps trying ---
23:18:29.800190 c66.188.252.225.euc.wi.charter.com.50057 >
corp.supernews.com.nntp: S 2063805281:2063805281(0) win 16384 <mss
33184,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 193677098 0> (DF)
[tos 0x10]

...

tcpdump on lo0:

23:18:23.809842 localhost.charter.net.23599 >
localhost.charter.net.nntp: S 2063805281:2063805281(0) win 16384 <mss
33184,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 193677086 0> (DF)
[tos 0x10]

--Keeps sending SYNs until timeout--

I've racked my head against this for over a week now. I've read tons
of documentation and postings, including the OpenBSD FAQ and the man
pages on my system, none of which seem to be relevant. I think the
problem is that the return traffic doesn't come back through lo0, but
I'm not sure why or how to make it do so. Any suggestions would be
greatly appreciated.

Thanks In Advance
Chris - ccortner_(_at_)_cvol_(_dot_)_net
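The state-table lines quoted above are the most informative artifact in this kind of NAT/rdr troubleshooting: each one records the direction of the state, the translation chain pf applied, and the TCP state of both ends, which is exactly what is needed to see that the redirected connection never got past SYN_SENT. The following is an added example, not code from the poster or from the pf project: a small parser for the legacy `pfctl -s state` line format as it appears in the post. It decodes the chain (original source, translated address, destination) and flags states whose handshake never completed. Two assumptions are made and labelled in the code: that pf prints the per-end TCP state pair in display order (leftmost endpoint first), and that a `SYN_SENT`/`CLOSED` pair denotes a half-open handshake. The sample lines are a constructed copy of the three states in the post with the mailer's line wraps undone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three pfctl -s state lines quoted in the post,
# with the mailer's line wraps undone so each state sits on one line.
SAMPLE_STATES = """\
tcp 216.168.3.44:119 <- 127.0.0.1:119 <- 127.0.0.1:23599 CLOSED:SYN_SENT
tcp 127.0.0.1:23599 -> 127.0.0.1:119 SYN_SENT:CLOSED
tcp 127.0.0.1:23599 -> 66.188.252.225:50057 -> 216.168.3.44:119 TIME_WAIT:TIME_WAIT
"""

ENDPOINT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


@dataclass
class PfState:
    proto: str
    direction: str              # "out" for '->' (nat), "in" for '<-' (rdr)
    src: str                    # source as the client sent it
    dst: str                    # destination as the client addressed it
    translated: Optional[str]   # nat'd source (out) or rdr target (in)
    end_states: Dict[str, str]  # TCP state per endpoint, keyed by endpoint

    def half_open(self) -> bool:
        """Assumption: a SYN_SENT/CLOSED pair means the handshake never
        completed (the SYN-ACK was never matched against this state)."""
        return set(self.end_states.values()) == {"SYN_SENT", "CLOSED"}

    def chain(self) -> str:
        """Human-readable translation chain for the state."""
        if self.translated is None:
            return f"{self.src} -> {self.dst} (no translation)"
        if self.direction == "out":
            return f"{self.src} -> [nat] {self.translated} -> {self.dst}"
        return f"{self.src} -> {self.dst} [rdr] -> {self.translated}"


def parse_state_line(line: str) -> PfState:
    """Parse one legacy-format pfctl -s state line into a PfState."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"too few fields: {line!r}")
    proto, state_pair = tokens[0], tokens[-1]
    left_state, right_state = state_pair.split(":")
    arrows = tokens[2:-1:2]
    endpoints = tokens[1:-1:2]
    if not arrows or any(a != arrows[0] for a in arrows) or arrows[0] not in ("->", "<-"):
        raise ValueError(f"inconsistent arrows: {line!r}")
    if len(endpoints) not in (2, 3) or not all(ENDPOINT_RE.match(e) for e in endpoints):
        raise ValueError(f"unexpected endpoints: {line!r}")
    # Assumption: pf prints the two TCP states in display order,
    # leftmost endpoint first, rightmost endpoint second.
    end_states = {endpoints[0]: left_state, endpoints[-1]: right_state}
    if arrows[0] == "->":
        # out: original source -> [nat'd source ->] destination
        src, dst = endpoints[0], endpoints[-1]
        translated = endpoints[1] if len(endpoints) == 3 else None
        return PfState(proto, "out", src, dst, translated, end_states)
    # in: [rdr target <-] addressed destination <- source
    src = endpoints[-1]
    if len(endpoints) == 3:
        translated, dst = endpoints[0], endpoints[1]
    else:
        translated, dst = None, endpoints[0]
    return PfState(proto, "in", src, dst, translated, end_states)


def parse_states(text: str) -> List[PfState]:
    """Parse every non-empty line of pfctl -s state output."""
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


def half_open_chains(text: str) -> List[str]:
    """Translation chains of every state whose handshake never completed."""
    return [s.chain() for s in parse_states(text) if s.half_open()]


if __name__ == "__main__":
    for s in parse_states(SAMPLE_STATES):
        flag = "HALF-OPEN" if s.half_open() else "ok"
        print(f"{flag:9} {s.direction:3} {s.chain()}  {s.end_states}")
```

Run against the sample, the two loopback states (the rdr state and the plain 127.0.0.1 state) come out half-open while the rl0 NAT state, which did see the SYN-ACK and the RST, has already reached TIME_WAIT on both ends. Lining the three chains up this way makes the symptom in the post concrete: the external leg completed its exchange, but nothing ever progressed the states on lo0.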
