From owner-freebsd-net@FreeBSD.ORG Mon Mar 12 17:30:11 2007
Message-ID: <45F58D1D.8080304@tomjudge.com>
Date: Mon, 12 Mar 2007 17:25:49 +0000
From: Tom Judge
To: Alexandre Biancalana
Cc: freebsd-net@freebsd.org
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net>
In-Reply-To: <45F58B94.9000308@seudns.net>
Subject: Re: PF route-to behavior
List-Id: Networking and TCP/IP with FreeBSD

Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Tom Judge wrote:
>>>> Alexandre Biancalana wrote:
>>>>> Hi List,
>>>>>
>>>>> I'm doing a firewall setup using 6-STABLE + PF with two Internet
>>>>> links, but I can't get the route-to rule to function as I need.
>>>>>
>>>>>               (default gw)    ______
>>>>> Link A <----------->         |int A |
>>>>>                              |      |
>>>>> Link B <----------->         |int B |
>>>>>                              |______|
>>>>>                              FreeBSD FW
>>>>>
>>>>> A simple thing that I need to do is test the two Internet links to
>>>>> know whether they are up or not. To do this I could ping or connect to
>>>>> TCP ports on some external IPs through each link. Using nc and hping I
>>>>> tried to generate connections/packets from each network interface
>>>>> connected to each link, but the packets always go out by the
>>>>> interface indicated by the machine's default route.
>>>>>
>>>>> I tried to add these rules in pf to force packets out by the right
>>>>> interface based on their source address, but this does not work, and
>>>>> the packets generated with the IP of int B are going out by int A.
>>>>>
>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>
> # ping -S -I
> ping: invalid multicast interface: `'
>
> but it should be ping -S -I , for the traffic to go out
> by int B with int B's source address, right? I tried that too and the same
> error happens.
>
> From the ping man page:
>
> [...]
>      -I iface
>              Source multicast packets with the given interface address.
>              This flag only applies if the ping destination is a multicast
>              address.
> [...]

My mistake, I only looked at the header of the ping man page.

These are the rules that I would use in that situation:

# link A carries the system default route
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24

# link B is only reached through the route-to rule below
if_b=em1
ip_b=192.168.1.2
gw_b=192.168.1.1
net_b=192.168.1.0/24

# packets sourced from link B's address follow the default route and show up
# on $if_a; catch them there and push them out $if_b via $gw_b, except for
# traffic to the directly connected $net_b, which the routing table handles
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_b to ! $net_b
# mirror image, for the case where the default route is on link B
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_a to ! $net_a

Tom
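A fuller pf.conf for the two-uplink setup discussed in this thread, added here as an illustration and not taken from Tom's or Alexandre's configuration. The interface names em0/em1, the RFC 1918 addresses and the choice of SSH as the inbound service are assumptions for the example. It pairs the route-to rules for locally generated traffic with reply-to rules for connections that arrive over the non-default link, which is the other half of keeping each link's traffic on its own wire:

```pf
# Added example (not from the thread). Link A carries the system default
# route; link B is reached only through pf's route-to / reply-to.
if_a  = "em0"
ip_a  = "192.168.0.2"
gw_a  = "192.168.0.1"
net_a = "192.168.0.0/24"

if_b  = "em1"
ip_b  = "192.168.1.2"
gw_b  = "192.168.1.1"
net_b = "192.168.1.0/24"

set skip on lo0

# Locally generated packets sourced from link B's address are handed to the
# default route first, so they appear on $if_a. Catch them there and send
# them out $if_b via $gw_b. Traffic for $net_b itself is directly connected
# and must not be pushed through the gateway, hence the "! $net_b".
pass out quick log on $if_a route-to ($if_b $gw_b) \
    from $ip_b to ! $net_b keep state

# Mirror image, in case the default route is ever moved to link B.
pass out quick log on $if_b route-to ($if_a $gw_a) \
    from $ip_a to ! $net_a keep state

# Connections that arrive over link B must be answered over link B, not over
# the default route. reply-to records the return path in the state entry.
pass in quick on $if_b reply-to ($if_b $gw_b) \
    proto tcp from any to $ip_b port 22 keep state
pass in quick on $if_b reply-to ($if_b $gw_b) \
    inet proto icmp from any to $ip_b icmp-type echoreq keep state

# Everything else the host originates follows the routing table.
pass out keep state
```

To verify a link, bind the probe to that link's address rather than to an interface: `ping -S 192.168.1.2 <external host>` or `nc -s 192.168.1.2 <host> <port>`, and watch `tcpdump -n -i em1` (or pflog, since the rules above carry `log`) to confirm the packets leave on em1. Two caveats worth remembering: route-to changes only the outbound interface and next hop, never the source address, so a probe sourced from the wrong address still tells you nothing about the other link; and the rules must be in place before the state is created, because pf applies route-to and reply-to from the state entry, not per packet.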