Probably you ran into this situation:

client (10.0.5.233) -> firewall (10.0.5.200) -> rdr -> server (10.0.5.81)

Now the server sees that the packet came in from the same subnet and replies
directly to the client, which does not expect a reply from 10.0.5.81; it
expects a reply from 10.0.5.200.

You may want to read this:

http://www.openbsd.org/faq/pf/rdr.html#reflect

On 10/16/07, Vladimir <[EMAIL PROTECTED]> wrote:
>
> I have an existing firewall that already load balances our web server
> traffic from an external IP across two web servers that are on the
> internal network. I would like to set up "internal load balancing" since
> I have webservices internally I would like to provide to the rest of the
> cluster. These services should not be exposed to the external world. So
> for such a purpose I added an alias to an existing carp interface for
> 10.0.5.200
>
> carp50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:96
>         carp: MASTER carpdev vlan50 vhid 150 advbase 1 advskew 100
>         groups: carp
>         inet6 fe80::200:5eff:fe00:196%carp50 prefixlen 64 scopeid 0x10
>         inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
>         inet 10.0.5.200 netmask 0xffffff00 broadcast 10.0.5.255
>
> I would like to "load balance" that traffic across two other web servers
> that are on e.g. 10.0.5.81 and 10.0.5.82. For the time being I added the
> following RDR rule
>
> rdr pass on $if_local proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81
>
> Unfortunately I can't connect to 10.0.5.200. For example if from another
> server on the network I do
>
> $ telnet 10.0.5.81 80
> Trying 10.0.5.81...
> Connected to web1.local (10.0.5.81).
> Escape character is '^]'.
>
> However if I do
>
> $ telnet 10.0.5.200 80
> Trying 10.0.5.200...
> telnet: connect to address 10.0.5.200: Connection refused
> telnet: Unable to connect to remote host: Connection refused
>
> Sniffing on carp50 shows no activity. I suppose there may be some
> "routing confusion" however I even tried setting up another totally
> different physical interface, created carp10 and IP 10.0.1.200
> redirecting to 10.0.5.81 with the same effect.
>
> Any help would be appreciated.
>
> Thanks,
>
> Vladimir
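The rdr + nat workaround from the reflection section of the pf FAQ linked above, written out for the addresses in this thread. This is an added example, not a rule set from the original post; the interface name and the macro values are assumptions, and the pf.conf syntax is the pre-4.7 rdr/nat form in use at the time of the thread.

```pf
# Assumed macros (names taken from the original rule; values constructed).
if_local  = "vlan50"                  # hypothetical: the physical interface under carp50
net_local = "10.0.5.0/24"
vip_web   = "10.0.5.200"              # the carp50 alias clients connect to
srv_web   = "{ 10.0.5.81, 10.0.5.82 }"
ports_web = "{ 80, 443 }"

# 1. Redirect internal clients that hit the VIP to the real servers.
#    On its own this rule produces the broken picture from the reply:
#    the server answers the client directly and the client resets it.
rdr pass on $if_local proto tcp from $net_local to $vip_web \
    port $ports_web -> $srv_web round-robin sticky-address

# 2. Leave the firewall's own connections to the subnet untouched.
no nat on $if_local proto tcp from $if_local to $net_local

# 3. Rewrite the source of the redirected connections to the firewall's own
#    address. The server now replies to the firewall, which untranslates both
#    directions, so the client sees the reply come from 10.0.5.200 as expected.
#    rdr is applied first, so the destination here is already the real server.
nat on $if_local proto tcp from $net_local to $srv_web port $ports_web -> $if_local
```

The trade-off is that the web servers now log the firewall's address instead of the real client, so check that the application does not rely on the client IP before deploying this.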
