Date:      Sat, 13 Feb 2010 09:11:24 +0100
From:      geoffroy desvernay <dgeo@centrale-marseille.fr>
To:        Albert Shih <Albert.Shih@obspm.fr>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: How make the route-to working ?
Message-ID:  <4B765EAC.9020201@centrale-marseille.fr>
In-Reply-To: <20100212164454.GA23456@obspm.fr>
References:  <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr> <20100212164454.GA23456@obspm.fr>


Albert Shih wrote:
>  On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote:
>> Albert Shih wrote:
>>> Hi all,
>>>
>>> I've a problem with route-to.
>>>
>>> I've a server with 2 interfaces, and I'm running jails on this server. Each
>>> interface has its own public IP address.
>>>
>>> 	eth0 -- IP0             eth1 -- IP1
>>>
>>> and I've a default route (for example in IP0 subnet).
>>>
>>> So if the jail is in the IP0 subnet no problem everything work.
>>>
>>> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
>>> jail, the answer comes out through eth0 because of the default route (suppose
>>> the client is not on my subnet).
>>>
>>> I don't want that. I want the answer to come out through eth1.
>>>
>>> I'm trying to use pf to do that and put in my pf.conf something like
>>>
>>> pass in all
>>> pass out all
>>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
>>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
>>>
>>> but it's not working; if I run a tcpdump on the host I can see the
>>> incoming packets come in from eth1 and the outgoing ones come out on eth0.
>>>
>>> And if I try to remove the default route the outgoing packets don't come out....
>>>
>>> Any help?
>>>
>>> Regards.
>>>
> Lots of thanks for your answer.
>
>> You just have to catch packets on the interface they would go normally:
>>
>> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
>>
>> The other rule is not needed in this case
>>
>> You may also try instead a 'reply-to' rule on eth1's inbound, as David
>> DeSimone suggested.
>
> OK, now it's working. But I have some big trouble with the bandwidth.
>
> Now when I try to do something like an scp, ftp or wget from inside a
> jail to outside, everything works fine. The traffic goes to the right interface,
> the answer too.
>
> But when I try to do some network connection (ssh, scp etc..) from outside
> to a jail the bandwidth is catastrophic (~40kB/s on 1Gbit/s).
>
> And for you?
>
I've been using this kind of setup for at least two years for ~500 real users
without complaints... (three different 'ssh jails' on the same machine
with many vlans and three "default" gateways)


>> A third and cleaner solution would be to use multiple routing tables -
>> see setfib(1) and 'options ROUTETABLES' of the kernel...
>
> I already tried this, I don't know how to make it work. I'm going to try
> again.
>
I'm also planning to test this... since more than a year :-|


--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
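The setup the thread converges on, written out as an added example (not a configuration from the thread or its participants): a pf.conf fragment for a jail host with two uplinks, showing the route-to rule placed on the interface the default route would pick, the reply-to variant, and the setfib alternative as a comment. The interface names em0/em1, the gateway addresses and the jail addresses are placeholders I assumed.

```pf
# Added example: policy routing for a two-uplink jail host (not from the thread).
# Placeholders (assumptions): em0/em1, and the gateway and jail addresses below.
ext_if0 = "em0"            # uplink carrying the system default route
ext_if1 = "em1"            # second uplink; its subnet has no default route
gw1     = "198.51.100.1"   # gateway on em1's subnet (placeholder)
table <jails_if1> { 198.51.100.10, 198.51.100.11 }   # jails bound to em1 addresses

set skip on lo0
pass in all
pass out all

# Option A (what made the original setup work): a reply from an em1 jail is about
# to leave on em0 because of the default route, so catch it on em0 and hand it to
# em1's gateway. Without this the flow is asymmetric (in on em1, out on em0),
# which upstream anti-spoofing (uRPF) filters typically drop.
pass out quick on $ext_if0 route-to ($ext_if1 $gw1) \
    from <jails_if1> to ! $ext_if1:network

# Option B (the reply-to alternative named in the thread): on em1's inbound,
# remember the gateway the request arrived through; replies matching that state
# go back through it regardless of the routing table.
# pass in quick on $ext_if1 reply-to ($ext_if1 $gw1) to <jails_if1> keep state

# Option C (setfib, also named in the thread) needs no pf rule: build the kernel
# with 'options ROUTETABLES=2', add a default route to the second table with
# 'setfib 1 route add default 198.51.100.1', and start the em1 jails' processes
# under 'setfib 1' so they use that table.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm with `tcpdump -ni em1` that both directions of a connection to an em1 jail appear on em1.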

