Date: Mon, 12 Mar 2007 19:07:34 -0300
From: Alexandre Biancalana <ale@seudns.net>
To: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F5CF26.6070100@seudns.net>
In-Reply-To: <45F5A395.9010309@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net> <45F5A395.9010309@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Hi List,
>>>>>>>>
>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>> internet links but I can't make the route-to rule function as I
>>>>>>>> need.
>>>>>>>>
>>>>>>>> (default gw)         ______
>>>>>>>> Link A <-----------> |int A |
>>>>>>>>                      |      |
>>>>>>>> Link B <-----------> |int B |
>>>>>>>>                      |______|
>>>>>>>>                      FreeBSD FW
>>>>>>>>
>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>> connect to tcp ports on some external ips through each link. Using
>>>>>>>> nc and hping I tried to generate connections/packets from
>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>> always go out by the interface indicated by the machine's default
>>>>>>>> route.
>>>>>>>>
>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>> right interface based on their source address, but this does not
>>>>>>>> work, and the packets generated with the ip of int B are going out
>>>>>>>> by int A.
>>>>>>>>
>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>
>>>
>>> My mistake, I only looked at the header of the ping man page.
>>>
>>> These are the rules that I would use in that situation:
>>>
>>> if_a=em0
>>> ip_a=192.168.0.2
>>> gw_a=192.168.0.1
>>> net_a=192.168.0.0/24
>>> if_b=em1
>>> ip_b=192.168.1.2
>>> gw_b=192.168.1.1
>>> net_b=192.168.1.0/24
>>>
>>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
>>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
>>
>> The difference is that my rules are for internet traffic, I don't
>> have fixed destinations....
>>
>
> Ok so substitute the private IP addresses and networks in the rules (
> and the interfaces) and you should be sorted. We use exactly the same
> configuration but with both public IP Addresses on one interface.
> Then if you connect from $ip_b to a public IP address not in $net_b
> you should see it routed via if_b to $gw_b. The only time I have seen
> these rules fail is when the IPSec code in the kernel transmits ESP
> packets which seem to pass through pf with some weird interfaces set or
> don't pass through pf at all. All other traffic generated on ip_a or
> ip_b will always pass to the correct ISP's router.
>
> The fact that the example rules I posted used private IP addresses is
> neither here nor there, if you make the appropriate changes to:
>
> ip_[ab]
> gw_[ab]
> net_[ab]
> if_[ab]
>
> Then the example rules should do what you want.
>

I understand that, I just don't see much difference between your rules and my rules example... both examples should work... but here none of them work.....

Adding a static destination route to an external host via gw_b and pinging with the int_a address, the packet exits by int_b with the int_a source address... the same behavior...

I tried your way:

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network

# pfctl -vv -sr
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]

Any more hints?!

Alexandre
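The `pfctl -vv -sr` output quoted in this message is the most useful diagnostic in the thread: both route-to rules show `Evaluations` well above zero but `Packets: 0`, so pf is reaching the rules but their match criteria (the `on` interface, source or destination) never hit the test traffic, which is a different problem from the route-to target being wrong. The script below is an added example, not code from the thread or from FreeBSD/pf: it parses that output format and flags route-to rules that were evaluated but never matched. The regexes are modelled on the two lines quoted above; the sample input reuses those two lines and adds a constructed third rule (@30) as a control that does match packets.

```python
"""Parse `pfctl -vv -sr` output and flag route-to rules that pf evaluated
but that never matched a packet (Evaluations > 0, Packets: 0).

Added example for the thread above, not pf's own code.  The line formats
assumed here are modelled on the pfctl output quoted in the message."""
import re
import sys
from typing import Dict, List, Optional

# Rule line, e.g. "@28 pass out log on int_a route-to (int_b int_b_gw) inet from ... to ..."
RULE_RE = re.compile(r'^@(?P<num>\d+)\s+(?P<rest>(?:pass|block|match)\b.*)$')
# "route-to (iface gateway)" inside a rule line
ROUTE_TO_RE = re.compile(r'route-to\s*\(\s*(?P<iface>[^\s)]+)\s+(?P<gw>[^\s)]+)\s*\)')
# "on <iface>" inside a rule line
ON_RE = re.compile(r'\bon\s+(?P<iface>\S+)')
# Counter line following each rule: "[ Evaluations: 88  Packets: 0  Bytes: 0  States: 0 ]"
STATS_RE = re.compile(
    r'^\[\s*Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)'
    r'\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]$')

# Constructed sample: @28 and @29 are the lines quoted in the message above,
# @30 is a made-up control rule that does match traffic.
SAMPLE_PFCTL_OUTPUT = """\
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
@30 pass out on int_a inet from int_a to any flags S/SA keep state
  [ Evaluations: 80        Packets: 412       Bytes: 58120       States: 3     ]
"""


def parse_pfctl_rules(text: str) -> List[Dict]:
    """Return one dict per rule: number, rule text, 'on' interface, route-to
    target (interface, gateway) and the counters from the following line."""
    rules: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rest = m.group('rest')
            rt = ROUTE_TO_RE.search(rest)
            on = ON_RE.search(rest)
            current = {
                'num': int(m.group('num')),
                'rule': rest,
                'on': on.group('iface') if on else None,
                'route_to_iface': rt.group('iface') if rt else None,
                'route_to_gw': rt.group('gw') if rt else None,
                'evaluations': None, 'packets': None, 'bytes': None, 'states': None,
            }
            rules.append(current)
            continue
        s = STATS_RE.match(line)
        if s and current is not None:
            current['evaluations'] = int(s.group('evals'))
            current['packets'] = int(s.group('pkts'))
            current['bytes'] = int(s.group('bytes'))
            current['states'] = int(s.group('states'))
        # Any other line (e.g. "[ Inserted: ... ]" on newer pf) is ignored.
    return rules


def unmatched_route_to_rules(rules: List[Dict]) -> List[Dict]:
    """route-to rules that pf looked at but never applied to any packet."""
    return [r for r in rules
            if r['route_to_iface'] is not None
            and (r['evaluations'] or 0) > 0
            and r['packets'] == 0]


def report(rules: List[Dict]) -> List[str]:
    """One human-readable line per suspicious route-to rule."""
    out = []
    for r in unmatched_route_to_rules(rules):
        out.append(f"@{r['num']}: evaluated {r['evaluations']}x, matched 0 packets "
                   f"(on {r['on']} -> route-to {r['route_to_iface']} via {r['route_to_gw']}); "
                   "the interface/source/destination criteria never hit the test traffic")
    return out


if __name__ == '__main__':
    # Usage: pfctl -vv -sr | python3 this_script.py   (falls back to the sample on a tty)
    text = SAMPLE_PFCTL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for line in report(parse_pfctl_rules(text)):
        print(line)
```

On the sample, @28 and @29 are reported and @30 is not, which is the state described in the message: re-running the check after each rule change, together with `pfctl -s state` and the `log` keyword already on the rules, tells you whether a change moved the counters at all before you reason about where the packets went.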