Date: Mon, 12 Mar 2007 14:01:12 -0300 From: Alexandre Biancalana <ale@seudns.net> To: Tom Judge <tom@tomjudge.com> Cc: freebsd-net@freebsd.org Subject: Re: PF route-to behavior Message-ID: <45F58758.6090103@seudns.net> In-Reply-To: <45F58321.5050309@tomjudge.com> References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Hi List,
>>
>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>> links but I can't make the route-to rule function as I need.
>>
>>        (default gw)     ______
>> Link A <-----------> |int A |
>>                      |      |
>> Link B <-----------> |int B |
>>                      |______|
>>                      FreeBSD FW
>>
>> A simple thing that I need to do is test the two Internet links to
>> know if they are up or not. To do this I could ping or connect to tcp
>> ports on some external IPs through each link. Using nc and hping I
>> tried to generate connections/packets from each network interface
>> connected to each link, but the packets always go out by the
>> interface indicated by the machine's default route.
>>
>> I tried to add these rules in pf to force packets out by the right
>> interface based on their source address, but this does not work, and
>> the packets generated with the IP of int B are going out by int A.
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>> Am I forgetting something? Any comments?
>>
>
> Have you tried setting the source IP address to int B when using ping
> or your tcp sessions? This should force PF to do your source routing for
> you.
>
> Hope this helps
>
> Tom

Yes, I tried the following commands:

ping -S <int B address>
nc -s <int B address>
hping -I <int B>

All the commands generate the traffic with the source address of int B, but the traffic always goes out by int A... this is the problem, even with the rules:

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

that should "correct" the interface used to send this traffic out... right?!

I can provide more details if needed, but I think that is a simple setup... I can't see why this does not work.... any other ideas??

Regards,
Alexandre
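As an added example, not part of this thread or of any poster's configuration: the usual shape of a dual-uplink pf.conf that policy-routes the firewall's own traffic by source address, with the point that usually bites. pf evaluates the ruleset last-match-wins unless a rule carries "quick", so a generic "pass out" rule placed after the route-to rules silently wins and the packet leaves by the routing table's default gateway on int A. Interface names, addresses, gateways and the ssh port used for the reply-to rule are assumptions made for the example; on FreeBSD 6 "keep state" is not implied, so it is spelled out, and the state created by the route-to rule carries the route for the rest of the connection.

```pf
# Added example (not from the thread). Interface names, addresses and
# gateways are assumed values for illustration only.
int_a    = "em0"
int_b    = "em1"
int_a_ip = "192.0.2.10"
int_b_ip = "198.51.100.10"
int_a_gw = "192.0.2.1"        # default gateway in the routing table
int_b_gw = "198.51.100.1"

set skip on lo0

# Only the firewall host's own traffic is covered here.
block log all

# Locally generated packets sourced from int B's address are handed to
# the default route, i.e. they arrive at this filter going out on int A.
# Catch them there and send them to int B's gateway instead (and the
# symmetric case). "quick" stops evaluation so no later, more general
# "pass out" rule can override the route-to; "log" lets pflog0 show
# which rule actually matched.
pass out log quick on $int_a route-to ($int_b $int_b_gw) from $int_b_ip to any keep state
pass out log quick on $int_b route-to ($int_a $int_a_gw) from $int_a_ip to any keep state

# Connections that arrive on the non-default link must answer through
# the same link, otherwise the replies leave via int A's gateway.
# (ssh is an assumed example service.)
pass in log quick on $int_b reply-to ($int_b $int_b_gw) proto tcp from any to $int_b_ip port 22 keep state
pass in log quick on $int_a proto tcp from any to $int_a_ip port 22 keep state

# Ordinary outbound traffic on each uplink, placed AFTER the route-to
# rules so it cannot take precedence over them.
pass out quick on $int_a from $int_a_ip to any keep state
pass out quick on $int_b from $int_b_ip to any keep state
```

To see what pf actually did with a test packet such as "ping -S <int B address> <external IP>", check the rule counters with "pfctl -vsr" (the route-to rule's Packets counter should increase) and watch the logged rule and interface with "tcpdump -n -e -ttt -i pflog0"; "pfctl -ss" lists the resulting state entries. "pfctl -nf /etc/pf.conf" syntax-checks the file without loading it.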
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45F58758.6090103>