Date:      Thu, 11 Feb 2010 23:38:56 +0100
From:      geoffroy desvernay <dgeo@centrale-marseille.fr>
To:        Albert Shih <Albert.Shih@obspm.fr>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: How make the route-to working ?
Message-ID:  <4B748700.70409@centrale-marseille.fr>
In-Reply-To: <20100205123254.GN11310@obspm.fr>
References:  <20100205123254.GN11310@obspm.fr>

Albert Shih wrote:
> Hi all,
>
> I've a problem with route-to.
>
> I've a server with 2 interfaces, and I'm running jails on this server. Each
> interface has its own public IP address.
>
> 	eth0 -- IP0             eth1 -- IP1
>
> and I've a default route (for example in the IP0 subnet).
>
> So if the jail is in the IP0 subnet, no problem, everything works.
>
> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> jail, the answer comes out through eth0 because of the default route (suppose
> the client is not on my subnet).
>
> I don't want that. I want the answer to come out through eth1.
>
> I'm trying to use pf to do that and put in my pf.conf something like
>
> pass in all
> pass out all
> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
>
> but it's not working; if I run a tcpdump on the host I can see the
> incoming packet come in from eth1 and the outgoing come out on eth0.
>
> And if I try to remove the default route the outgoing packets don't come out....
>
> Any help?
>
> Regards.
>
>
Hi,

I'm using this for the same case:

You just have to catch the packets on the interface they would normally go out of:

pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network

The other rule is not needed in this case.

You may also try instead a 'reply-to' rule on eth1's inbound, as David
DeSimone suggested.

A third and cleaner solution would be to use multiple routing tables -
see setfib(1) and the kernel's 'options ROUTETABLES'...

HTH
-- 
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
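The following pf.conf is an added, complete example written for this thread; it is not the configuration posted by either participant. It puts the reply's "catch it on eth0" route-to rule next to the reply-to alternative mentioned in the thread, with macros in place of the placeholders. The interface names are taken from the thread; the gateway and jail addresses (TEST-NET-3 range) are assumptions. It also adds `set state-policy if-bound`, which this example needs: with pf's default floating states, the state created by the inbound `pass in all` on eth1 already matches the reply when it appears on eth0's outbound path, so the `pass out` rule with route-to is never evaluated. Binding states to their interface forces the outbound rule to be consulted.

```pf
# Added example for the route-to / reply-to discussion above. Not the
# original poster's or the reply author's configuration.
# Assumed values: replace the addresses with your own.
ext0_if  = "eth0"            # interface that holds the default route (IP0 side)
ext1_if  = "eth1"            # interface the second jail is bound to (IP1 side)
ext1_gw  = "203.0.113.1"     # assumed next hop on eth1's subnet
jail1_ip = "203.0.113.10"    # assumed address of the jail on eth1's subnet

set skip on lo0

# Required for solution 1 below: bind each state to the interface it was
# created on, so a reply leaving via eth0 is not silently matched by the
# state that the inbound rule created on eth1 (default is "floating").
set state-policy if-bound

# Solution 1 (the reply's approach): the kernel selects eth0 because of the
# default route, so the jail's answer shows up on eth0's outbound path.
# Match it there and hand it to eth1's gateway instead. Destinations on
# eth1's own subnet are excluded; they are delivered directly.
# "quick" is needed because "pass out all" below would otherwise win as the
# last matching rule.
pass out quick on $ext0_if route-to ($ext1_if $ext1_gw) \
    from $jail1_ip to ! $ext1_if:network

# Solution 2 (the reply-to alternative named in the thread): attach the
# return path to the state when the connection arrives on eth1, so every
# reply for that connection leaves through eth1 towards its gateway no
# matter what the routing table says. Use solution 1 or solution 2 for a
# given jail, not both at once.
# pass in quick on $ext1_if reply-to ($ext1_if $ext1_gw) \
#     to $jail1_ip keep state

pass in all
pass out all
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows per-rule counters so you can see whether the route-to rule is actually being hit, `pfctl -ss` shows the states and which interface each is bound to, and `tcpdump -ni eth1` on the host confirms the replies now leave on eth1. The third option from the reply, separate routing tables, needs no pf rule at all: build the kernel with `options ROUTETABLES=2`, add a default route in the second table with `setfib 1 route add default 203.0.113.1` (assumed gateway again), and start the IP1 jail under `setfib 1`.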


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B748700.70409>