Date: Mon, 12 Mar 2007 14:48:04 -0300 From: Alexandre Biancalana <ale@seudns.net> To: Tom Judge <tom@tomjudge.com> Cc: freebsd-net@freebsd.org Subject: Re: PF route-to behavior Message-ID: <45F59254.2050907@seudns.net> In-Reply-To: <45F58D1D.8080304@tomjudge.com> References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Hi List,
>>>>>>
>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>>>> links but I can't do the route-to rule function as I need.
>>>>>>
>>>>>>   (default gw)         ______
>>>>>>   Link A <-----------> |int A |
>>>>>>                        |      |
>>>>>>   Link B <-----------> |int B |
>>>>>>                        |______|
>>>>>>                        FreeBSD FW
>>>>>>
>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>> to know if they are up or not. To do this I could ping or connect
>>>>>> to tcp ports on some external IPs through each link. Using nc and
>>>>>> hping I tried to do this, generating connections/packets from each
>>>>>> network interface connected to each link, but the packets always
>>>>>> go out by the interface indicated by the machine's default route.
>>>>>>
>>>>>> I tried to add these rules in pf to force packets out by the right
>>>>>> interface based on their source address, but this does not work,
>>>>>> and the packets generated with the IP of int B are going out by int A.
>>>>>>
>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>
>
> My mistake, I only looked at the header of the ping man page.
>
> These are the rules that I would use in that situation:
>
> if_a=em0
> ip_a=192.168.0.2
> gw_a=192.168.0.1
> net_a=192.168.0.0/24
> if_b=em1
> ip_b=192.168.1.2
> gw_b=192.168.1.1
> net_b=192.168.1.0/24
>
> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a

The difference is that my rules are for internet traffic, I don't have fixed destinations....
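As an added illustration (not code from this thread), a small Python model of the behaviour being discussed: the kernel chooses the egress interface from the destination alone, so a probe sourced from int B's address leaves via the default-route interface unless a route-to rule on that interface, matching on source address, steers it back. Interface names, addresses and the external probe address are constructed following Tom's example, and the single-pass, last-match-wins evaluation is a simplification of pf.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology following the thread's example: two uplinks, default route via em0.
ROUTES = [("192.168.0.0/24", "em0"), ("192.168.1.0/24", "em1"), ("0.0.0.0/0", "em0")]
GW = {"em0": "192.168.0.1", "em1": "192.168.1.1"}


@dataclass
class RouteTo:
    """pass out on <on_iface> route-to (<via_iface> <gateway>) from <src> [to ! <not_dst>]"""
    on_iface: str
    via_iface: str
    gateway: str
    src: str
    not_dst: str = ""  # optional "to ! <net>" exclusion, as in Tom's rules


def kernel_egress(routes, dst):
    """Longest-prefix match: the kernel picks the interface from the destination only."""
    best = None
    for net, iface in routes:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1]


def pf_egress(routes, rules, src, dst):
    """Simplified pf: rules are checked once against the kernel's choice, last match
    wins, and a matching route-to replaces the egress interface and next hop."""
    iface = kernel_egress(routes, dst)
    egress = (iface, None)
    for r in rules:
        if r.on_iface != iface or r.src != src:
            continue
        if r.not_dst and ip_address(dst) in ip_network(r.not_dst):
            continue
        egress = (r.via_iface, r.gateway)
    return egress


# The rules as Alexandre wrote them, with the example addresses filled in: a packet
# sourced from int B's address that the kernel would send out em0 is steered to em1.
RULES = [
    RouteTo("em0", "em1", GW["em1"], "192.168.1.2"),
    RouteTo("em1", "em0", GW["em0"], "192.168.0.2"),
]

if __name__ == "__main__":
    probe = "203.0.113.10"  # constructed external address used as the link-test target
    print("no rules :", pf_egress(ROUTES, [], "192.168.1.2", probe))     # ('em0', None)
    print("route-to :", pf_egress(ROUTES, RULES, "192.168.1.2", probe))  # ('em1', '192.168.1.1')
```

Traffic from int A's own address and traffic to a directly connected network are left alone by the model, matching what the rules above request.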