Sunday, February 28, 2021

Re: What determines source IP of traffic from OpenBSD box ?

On Sun, Feb 28, 2021 at 01:17:01PM +0100, Rachel Roch wrote:
>
> 28 Feb 2021, 11:28 by stu@spacehopper.org:
>
> > On 2021/02/28 11:46, Rachel Roch wrote:
> >
> >> Thank you all for the suggestions, I am currently testing a few of them.
> >>
> >> In case it makes any difference, the underlying problem I have is I have two firewalls with BGP upstreams, one acting as primary, one as standby. So the problem I am seeing is the age-old problem of asymmetric traffic to the secondary firewall meaning pkg_add on the secondary doesn't work.
> >>
> >
> > You can't just get two sessions from your upstreams so they can both be
> > active rather than one in standby?
> >
>
> Maybe my wording is a little off.
>
> I do have independent sessions from FW1 and FW2 to upstream routers.
>
> The problem, I suspect, is more to do with overlapping of IP ranges being advertised to upstreams, and hence traffic never making it back to FW2 because FW1 picks it up, hence the desire to have an effective way to tell OpenBSD "send all localhost originating traffic from lo2 because the IPs on lo2 are exclusive to that host".

I have a situation like that at work which I solved using the following
rules:

# let us talk to things
match out on vlan363 to !vlan363:network !received-on any nat-to lo1
match out on vlan364 to !vlan364:network !received-on any nat-to lo1
pass out !received-on any

vlan363 and vlan364 are the links I use to talk to the rest of the
world.

There may be a less worse way to do that with the routing table now
though.
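A fuller version of that setup, as an added example constructed here rather than taken from the post: it keeps vlan363 and vlan364 as the uplinks and lo1 as the exclusive address, and assumes 192.0.2.1/32 (a documentation address) stands in for the /32 that only this firewall advertises to its BGP upstreams.

```conf
# /etc/hostname.lo1 (constructed example)
# The /32 that only this firewall announces, so return traffic for it
# cannot be picked up by the other firewall.
inet 192.0.2.1 255.255.255.255

# /etc/pf.conf fragment (constructed example)
# Packets this host originates itself are never "received on" an
# interface, so `!received-on any` selects exactly local traffic and
# leaves forwarded traffic to the ordinary firewall rules.
# Traffic to the uplink's own subnet (`!vlan363:network`) is excluded so
# on-link neighbours such as the BGP peer and next-hop gateway still see
# the interface address rather than the lo1 one.
match out on vlan363 to !vlan363:network !received-on any nat-to lo1
match out on vlan364 to !vlan364:network !received-on any nat-to lo1

# `match ... nat-to` only sets the translation; a later stateful pass
# rule has to let the packet out for the translation to take effect.
pass out !received-on any
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then run something like pkg_add and confirm with `pfctl -s state` that the outbound entry shows the source rewritten to 192.0.2.1 (the state line shows the interface address in parentheses with the translated address in front of it). If the state table shows no translation, the usual cause is that the local traffic matched an earlier `pass out quick` rule without passing through the `match` rules, or that lo1 is not advertised by this host alone. As the reply notes, a routing-table approach can replace the nat-to trick; OpenBSD's route(8) has a `sourceaddr` command that sets the preferred source address for a routing table, which avoids translation entirely.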
