On 2012-01-12, Sam Vaughan <samjvaug...@gmail.com> wrote:
> I have a web server handling predominantly https traffic sitting on a DMZ
> behind a CARP'd firewall of two ALIX 2D3s.
>
> Since the firewall is NATting traffic to the web server, the source IP of
> requests arriving at the web server is always the firewall's CARP address on
> the DMZ.
Do you really have to NAT the source address? That is unusual; most people
just use rdr-to, which only touches the destination address.

> I'd like the server to see the original client IP.
>
> The only solution I can think of is to use relayd, pound etc. as a layer 7
> reverse proxy on the firewall that decrypts the SSL and inserts an
> X-Forwarded-For header.

BTW, relayd can also do transparent forwarding (i.e. maintaining the source
address in the packets), even with SSL offload.

http://www.mail-archive.com/misc@openbsd.org/msg102364.html
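The difference between the two approaches in pf.conf terms, as an added example that is not part of the thread; interface names, the CARP interface and the web server address are assumed placeholders:

```pf
# Added example, not from the original thread. Interfaces and addresses
# are assumed placeholders for a two-node CARP firewall in front of a DMZ.
ext_carp = "carp0"          # CARP address on the Internet side
dmz_carp = "carp1"          # CARP address on the DMZ side
web_srv  = "10.0.1.10"      # web server in the DMZ

# What the original poster described: destination is redirected AND the
# source is rewritten to the firewall's DMZ CARP address, so every request
# in the web server's logs appears to come from $dmz_carp.
#   match in  on $ext_carp inet proto tcp to ($ext_carp) port 443 rdr-to $web_srv
#   match out on $dmz_carp inet proto tcp to $web_srv port 443 nat-to ($dmz_carp)

# Redirect only: pf rewrites the destination and leaves the client source
# address intact, so the server sees the real client IP. No source NAT is
# needed as long as the firewall is the DMZ's default gateway, because the
# server's replies then return through the same state entry.
pass in  on $ext_carp inet proto tcp from any to ($ext_carp) port 443 \
    rdr-to $web_srv
pass out on $dmz_carp inet proto tcp from any to $web_srv port 443
```

Check with `pfctl -s rules` that no `nat-to` rule still matches traffic towards `$web_srv`, and confirm in the web server's access log that entries show public client addresses rather than the DMZ CARP address.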