Hi!

1. ip_strict_dst_multihoming does not solve the "multihomed Solaris problem"
Check the forwarding table:
ndd /dev/ip ipv4_ire_status

It will tell you which default route is used when communicating
with a client. So if an outer host first pings your IP1, and later
your IP2, the answer for the later ping will go out using the default
route for IP1 (not the one for IP2).
That is because of the definition of "default route".

The "not complete" solution is the "fastroute" rule, like:
pass out quick on inf1 to inf2:x.x.x.x from ipf2_ip to any

But,
a)
  don't use a keep state rule on the rule that lets your client in. So don't do

pass in quick on inf2 proto tcp from any to inf2_ip port = 22 keep state

since the answer packets will match a state table entry, and no more
checks are made. So the fastroute rule is skipped, also.

b) the fastroute rule will bypass the NAT table as well. So your
clients behind that multihomed server won't get NAT'ed if the
fastroute rule is applied. That's the point where you should drop the
"two default route" idea.

c) You will be unsuccessful with rdr rules as well. Since a NAT rule of
rdr inf2 ipf2_ip/32 port 80 -> a.b.c.d port 80 tcp

will have the effect that the answer will come back from a.b.c.d, so
your original fastroute rule won't get passed. If you write
another fastroute rule for a.b.c.d, that will skip the NAT table, so the
answer packet will leave inf2 with the source address of a.b.c.d
instead of ipf2_ip.

So use 1 default route, and fail back to the other in case you detect problems.


Regards,
A.
2007/9/4, Thomas Backman <[EMAIL PROTECTED]>:
>
> On Sep 3, 2007, at 10:22 PM, Jefferson Ogata wrote:
>
> > On 09/03/07 13:47, Thomas Backman wrote:
> >> Any hints?
> >> As you might notice, I have very little idea what I'm doing here, at
> >> least the ipfilter related parts, but I'd love if I could get this
> >> working - it'd be a waste to not use both connections, and I'd rather
> >> not switch back to Linux.
> >
> > You might try enabling the strong end system model:
> >
> > http://www.sean.de/Solaris/soltune.html#ip_strict_dst_multihoming
>
> Thanks, that seems like a sensible thing to do. Unfortunately, it didn't
> solve my problems (but it might have gotten me a bit further).
>
> When I start out experimenting, I have elxl0 NAT:ed and elxl1 down.
> I start up elxl1, and the NAT stops working every few HTTP requests -
> my guess is that Solaris routes them to the wrong NIC and the response
> (if it even gets out on the wire) is lost. However, I can't remove any of
> the (two) default routes, because they are both needed, it seems.
> I haven't been able to write an ipf rule to route the NAT:ed packets
> without a kernel route, is that even possible? If it is, I have the syntax
> wrong. :)
>
> Regards,
> Thomas
>
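As an added illustration (constructed for this page, not rules from either poster), here is an ipf.conf/ipnat.conf pair that puts points (a), (b) and (c) above side by side. Interface names follow Thomas's setup; all addresses are placeholders: elxl0 carries the single kernel default route (host 192.0.2.10, gateway 192.0.2.1), elxl1 has no kernel default route (host 198.51.100.10, gateway 198.51.100.1), and 10.0.0.0/24 is a constructed internal network.

```conf
# /etc/ipf/ipf.conf  (constructed example; placeholder addresses)
#
# elxl0: host 192.0.2.10,    gateway 192.0.2.1    <- the only kernel default route
# elxl1: host 198.51.100.10, gateway 198.51.100.1 <- no kernel default route

# Point (a): admit traffic to the elxl1 address WITHOUT keep state.
# With keep state, the reply packets would match the state entry and
# never reach the out rules, so the fastroute rule below is never consulted.
pass in quick on elxl1 proto tcp from any to 198.51.100.10 port = 22
pass in quick on elxl1 proto icmp from any to 198.51.100.10

# The "not complete" fix: replies sourced from the elxl1 address are about
# to leave via elxl0 (kernel default route); force them out elxl1 through
# its own gateway instead.
# Point (b): this rule bypasses the NAT table, so it must only ever match
# traffic that needs no NAT, i.e. the host's own elxl1 address.
pass out quick on elxl0 to elxl1:198.51.100.1 from 198.51.100.10 to any

# Everything else takes the normal path: out rules, then ipnat, then the
# single kernel default route on elxl0.
pass out quick on elxl0 proto tcp from any to any keep state
pass out quick on elxl0 proto udp from any to any keep state
pass out quick on elxl0 proto icmp from any to any keep state

# /etc/ipf/ipnat.conf  (constructed example; placeholder addresses)
#
# Internal clients are translated on elxl0; their packets follow the
# kernel default route, so this works without any fastroute rule.
map elxl0 10.0.0.0/24 -> 192.0.2.10/32

# Point (c): a rdr on elxl1 to an internal host does NOT combine with the
# fastroute rule. The server's replies come back sourced from 10.0.0.5,
# so they miss the "from 198.51.100.10" rule; a second fastroute rule for
# 10.0.0.5 would skip ipnat and leave elxl1 with source 10.0.0.5.
# Left commented out for that reason:
# rdr elxl1 198.51.100.10/32 port 80 -> 10.0.0.5 port 80 tcp
```

Whether a `to ifname:gateway` rule also skips the NAT table on a given IPFilter release is the behaviour the post describes; check the ipf.conf(5) man page of the version actually installed before relying on it.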
