On 2008-09-16, Insan Praja SW <[EMAIL PROTECTED]> wrote:
> I got 2 upstreams, when I start prepending my AS number to one of my
> upstreams, I can magically access www.bsdly.net :D, even without
> prepending, in/out to your net is only using 1 upstream. So, it must be
> something on the other side. All my routers are openbsd 4.4-current, armed
> with BGPd and PF enabled. This may have got something to do with the
> stateful nature of PF, which I'm trying to manage :D
Very likely. I'm just using very simple PF rules on my border routers, just a few block rules to keep some junk off the network and for anti-spoofing, then stateless pass rules for the rest. I don't think of this as firewalling, I have separate machines to do that, and I make sure the routing to those is symmetric (using ospfd to announce the networks on carp interfaces).

I tried to make some ascii art to demonstrate this, but I knew things were going wrong when I started trying to draw a cloud...

If you turn off your prepends and run tcpdump on your routers, you'll probably see that traffic for bsdly.net goes out of one router, and the return traffic comes via another. That ties in with traceroute working and TCP not working.
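The border-router ruleset described in the reply, written out as an added example (not taken from either poster); interface names, the inside prefix and the default-deny block are hypothetical, and the stateful "pass" that breaks asymmetric TCP is shown commented out beside the stateless form that works:

```pf
# Added example, not from the thread.  Interface names and the inside
# prefix are placeholders.
ext_if = "em0"          # upstream-facing interface
int_if = "em1"          # interface toward the inside network
inside = "192.0.2.0/24" # prefix announced to the upstreams (placeholder)

set skip on lo

# Default deny, so anything the rules below do not pass is dropped.
block all

# Anti-spoofing: drop packets arriving on an interface whose source
# address belongs to a network reached through another interface.
antispoof quick for { $ext_if $int_if }

# Keep obvious junk off the network: nothing claiming to come from the
# inside prefix may arrive from the upstream side.
block in quick on $ext_if from $inside

# WRONG on a router that sees only one direction of a flow: since
# OpenBSD 4.1 a plain "pass" keeps state with "flags S/SA".  A session
# whose SYN left through the other border router has no state entry
# here, the returning SYN/ACK does not match the rule, and "block all"
# drops it: TCP fails while traceroute probes still get through.
# pass on $ext_if

# Correct for this role: stateless forwarding.  Real firewalling happens
# on separate machines whose routing is kept symmetric (see the reply).
pass quick no state
```

The other way out is to keep state and share it between the two routers with pfsync(4), but that only holds up if every state change reaches the other router before the return traffic does.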