Date: Mon, 12 Mar 2007 14:19:16 -0300
From: Alexandre Biancalana <ale@seudns.net>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F58B94.9000308@seudns.net>
In-Reply-To: <45F5889C.3010806@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Hi List,
>>>>
>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>> links but I can't get the route-to rule to function as I need.
>>>>
>>>>           (default gw)  ______
>>>> Link A <-----------> |int A |
>>>>                      |      |
>>>> Link B <-----------> |int B |
>>>>                      |______|
>>>>                      FreeBSD FW
>>>>
>>>> A simple thing that I need to do is test the two Internet links to
>>>> know if they are up or not. To do this I could ping or connect to tcp
>>>> ports on some external ips through each link. Using nc and hping I
>>>> tried to generate connections/packets from each network interface
>>>> connected to each link, but the packets always go out by the
>>>> interface indicated by the machine's default route.
>>>>
>>>> I tried to add these rules in pf to force packets out by the right
>>>> interface based on their source address, but this does not work, and
>>>> the packets generated with the ip of int B are going out by int A.
>>>>
>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>
>>>> Am I forgetting something? Any comments?
>>>>
>>>
>>> Have you tried setting the source IP address to int B when using
>>> ping or your tcp sessions? This should force PF to do your source
>>> routing for you.
>>>
>>> Hope this helps
>>>
>>> Tom
>>
>> Yes, I tried the following commands:
>>
>> ping -S <int B address>
>> nc -s <int B address>
>> hping -I <int B>
>>
>> All the commands generate the traffic with the source address of int B,
>> but the traffic always goes out by int A... this is the problem, even
>> with the rules:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>> that should "correct" the interface used to send this traffic out...
>> right ?!
>>
>> I can provide more details if needed, but I think that is a simple
>> setup... I can't see why this does not work.... any other ideas ??
>>
>
>
> Did you try:
>
> ping -S <ip B addr> -I <if A>

# ping -S <ip B addr> -I <if A>
ping: invalid multicast interface: `<if A>'

but it should be ping -S <ip B addr> -I <if B>, for the traffic to go out
by int B with int B source address, right? I tried that too and the same
error happens. From the ping man page:

[...]
     -I iface
             Source multicast packets with the given interface address.
             This flag only applies if the ping destination is a
             multicast address.
[...]
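The two-link source-routing pattern the thread is discussing, written out as an added pf.conf example; it is not from the thread and not a confirmed fix for the poster's setup, and the interface names and gateway addresses are placeholders. It marks the route-to rules `quick` because PF applies the last matching rule, so a later generic `pass out` rule would otherwise take precedence and the packet would follow the default route.

```pf
# Placeholder interfaces and next-hop gateways; substitute the real ones.
int_a    = "em0"
int_b    = "em1"
int_a_gw = "192.0.2.1"
int_b_gw = "198.51.100.1"

# Locally generated or forwarded packets carrying the address of one link
# are pushed out through that link regardless of the default route.
# "quick" stops evaluation here; without it a later matching "pass out"
# rule (with no route-to) would win and the packet would leave via
# the default-route interface. FreeBSD 6 pf needs an explicit
# "keep state" so the reply direction is handled by the state entry.
pass out log quick on $int_a route-to ( $int_b $int_b_gw ) \
    from $int_b to any keep state
pass out log quick on $int_b route-to ( $int_a $int_a_gw ) \
    from $int_a to any keep state

# Connections that arrive on the non-default link must be answered
# through the same link, otherwise the replies take the default route.
pass in log quick on $int_b reply-to ( $int_b $int_b_gw ) \
    proto tcp from any to $int_b port ssh keep state

# Generic egress policy goes after the quick rules above.
pass out on { $int_a, $int_b } from { $int_a, $int_b } to any keep state

# Checks (run as root, outside this file):
#   pfctl -nf /etc/pf.conf          syntax check without loading
#   pfctl -vsr                      per-rule match counters
#   tcpdump -n -e -ttt -i pflog0    rule number matched by each logged packet
```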
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45F58B94.9000308>