Date:      Mon, 12 Mar 2007 19:01:41 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Alexandre Biancalana <ale@seudns.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: PF route-to behavior
Message-ID:  <45F5A395.9010309@tomjudge.com>
In-Reply-To: <45F59254.2050907@seudns.net>
References:  <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net>

Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Tom Judge wrote:
>>>> Alexandre Biancalana wrote:
>>>>> Tom Judge wrote:
>>>>>> Alexandre Biancalana wrote:
>>>>>>> Hi List,
>>>>>>>
>>>>>>>
>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet 
>>>>>>> links but I can't make the route-to rule function as I need.
>>>>>>>
>>>>>>>
>>>>>>>          (default gw)    _______
>>>>>>>  Link A <-----------> |int A  |
>>>>>>>                       |       |
>>>>>>>  Link B <-----------> |int B  |
>>>>>>>                       |_______|
>>>>>>>                       FreeBSD FW
>>>>>>>
>>>>>>> A simple thing that I need to do is test the two Internet links 
>>>>>>> to know if they are up or not. To do this I could ping or connect 
>>>>>>> to tcp ports on some external ips through each link. Using nc and 
>>>>>>> hping I tried to do this, generating connections/packets from each 
>>>>>>> network interface connected to each link, but the packets always 
>>>>>>> go out by the interface indicated by the machine's default route.
>>>>>>>
>>>>>>> I tried to add these rules in pf to force packets out by the right 
>>>>>>> interface based on their source address, but this does not work, 
>>>>>>> and the packets generated with the ip of int B are going out by int A.
>>>>>>>
>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b 
>>>>>>> to any
>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a 
>>>>>>> to any
>>>>>>>
>>
>>
>>
>> My mistake,  I only looked at the header of the ping man page.
>>
>> These are the rules that I would use in that situation:
>>
>> if_a=em0
>> ip_a=192.168.0.2
>> gw_a=192.168.0.1
>> net_a=192.168.0.0/24
>> if_b=em1
>> ip_b=192.168.1.2
>> gw_b=192.168.1.1
>> net_b=192.168.1.0/24
>>
>>
>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
> 
> 
> The difference is that my rules are for internet traffic, I don't have 
> fixed destinations....
> 
> 

Ok so substitute the private IP addresses and networks in the rules ( 
and the interfaces) and you should be sorted.  We use exactly the same 
configuration but with both public IP Addresses on one interface.  Then 
if you connect from $ip_b to a public IP address not in $net_b you 
should see it routed via if_b to $gw_b.  The only time I have seen these 
rules fail is when the IPSec code in the kernel transmits ESP packets 
which seem to pass through pf with some weird interfaces set or don't 
pass through pf at all.  All other traffic generated on ip_a or ip_b 
will always pass to the correct ISP's router.

The fact that the example rules I posted used private IP addresses is 
neither here nor there; if you make the appropriate changes to:

ip_[ab]
gw_[ab]
net_[ab]
if_[ab]

Then the example rules should do what you want.

Tom
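The link test Alexandre describes (probing each ISP through its own interface) can be driven from the firewall by sourcing the probe from that link's address, so the route-to rules above pick the egress interface. This is an added example, not code from the thread; it assumes FreeBSD ping(8) with -S (source address) and -t (timeout in seconds), reuses the ip_a/ip_b values from Tom's macros, and uses a placeholder probe target.

```shell
#!/bin/sh
# Added example: probe each ISP link from the firewall by sourcing ICMP echo
# from that link's own address, so pf's "pass out ... route-to ... from $ip_x"
# rule chooses the egress interface instead of the default route.
# Assumes FreeBSD ping(8) (-S src_addr, -t timeout). PROBE_TARGET is a placeholder.

ip_a=192.168.0.2          # address on int A (values from the thread's example)
ip_b=192.168.1.2          # address on int B
PROBE_TARGET=${PROBE_TARGET:-203.0.113.1}   # PLACEHOLDER: external host answering echo

# loss_percent SUMMARY_LINE -> prints the integer packet-loss percentage parsed
# from a ping summary line, e.g.
#   "3 packets transmitted, 2 packets received, 33.3% packet loss" -> 33
loss_percent() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p'
}

# link_state SUMMARY_LINE -> "up" if at least one reply came back, "down" on
# total loss or when no summary line exists (e.g. ping could not bind the source)
link_state() {
    loss=$(loss_percent "$1")
    if [ -z "$loss" ] || [ "$loss" -ge 100 ]; then
        echo down
    else
        echo up
    fi
}

# probe_link NAME SRC_IP -> runs 3 probes from SRC_IP and prints "NAME up|down"
probe_link() {
    summary=$(ping -S "$2" -c 3 -t 5 "$PROBE_TARGET" 2>/dev/null | grep 'packet loss')
    echo "$1 $(link_state "$summary")"
}

# check_links -> one status line per ISP link
check_links() {
    probe_link "link A ($ip_a)" "$ip_a"
    probe_link "link B ($ip_b)" "$ip_b"
}

# Run the probes only when invoked as: sh linkcheck.sh check
if [ "${1:-}" = check ]; then
    check_links
fi
```

Run it with `pfctl -ss` or the `log` keyword on the rules active to confirm each probe leaves via the expected interface and gateway.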
