Date: Mon, 12 Mar 2007 17:25:49 +0000
From: Tom Judge <tom@tomjudge.com>
To: Alexandre Biancalana <ale@seudns.net>
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F58D1D.8080304@tomjudge.com>
In-Reply-To: <45F58B94.9000308@seudns.net>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net>
Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Tom Judge wrote:
>>>> Alexandre Biancalana wrote:
>>>>> Hi List,
>>>>>
>>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>>> links but I can't get the route-to rule to function as I need.
>>>>>
>>>>>           (default gw)     ______
>>>>> Link A <-----------> |int A |
>>>>>                      |      |
>>>>> Link B <-----------> |int B |
>>>>>                      |______|
>>>>>                      FreeBSD FW
>>>>>
>>>>> A simple thing that I need to do is test the two Internet links to
>>>>> know if they are up or not. To do this I could ping or connect to tcp
>>>>> ports on some external IPs through each link. Using nc and hping I
>>>>> tried to do this, generating connections/packets from each network
>>>>> interface connected to each link, but the packets always go out by
>>>>> the interface indicated by the machine's default route.
>>>>>
>>>>> I tried to add these rules in pf to force packets out by the right
>>>>> interface based on their source address, but this does not work, and
>>>>> the packets generated with the IP of int B are going out by int A.
>>>>>
>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>
>>>>> <SNIP/>
>
> # ping -S <ip B addr> -I <if A>
> ping: invalid multicast interface: `<if A>'
>
> but it should be ping -S <ip B addr> -I <if B>, for the traffic to go out
> by int B with int B source address, right? I tried that too and the same
> error happens.
>
> From ping man page:
>
> [...]
>  -I iface
>       Source multicast packets with the given interface address. This
>       flag only applies if the ping destination is a multicast address.
> [...]

My mistake, I only looked at the header of the ping man page.
These are the rules that I would use in that situation:

# link A: interface, its own address, its gateway and its attached network
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24

# link B: same set of variables (the B-side names were mistyped as *_a above;
# the rules below reference $ip_b, $gw_b and $net_b, so they must be defined)
if_b=em1
ip_b=192.168.1.2
gw_b=192.168.1.1
net_b=192.168.1.0/24

# a packet sourced from link B's address that the default route would send
# out $if_a is pushed out $if_b to B's gateway instead, unless it is for
# B's own local network; the second rule is the mirror image for link A
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_b to ! $net_b
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_a to ! $net_a

Tom
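A link-check script for the two-uplink setup discussed in this thread, added here as an example (it is not from either poster). It assumes the route-to rules above are loaded, so a ping sourced from a link's address (-S) leaves through that link; the addresses come from Tom's example and the probe target is a placeholder.

```shell
#!/bin/sh
# Added example: probe each uplink by pinging from that link's own address.
# With the route-to rules loaded, pf steers each probe out the matching
# interface, which is what plain "ping -I" cannot do on FreeBSD.
IP_A=192.168.0.2                  # address on int A (Tom's example values)
IP_B=192.168.1.2                  # address on int B
TARGET=${TARGET:-198.51.100.1}    # assumed external probe target (placeholder)
COUNT=3                           # probes per link
TIMEOUT=5                         # seconds before ping gives up (FreeBSD -t)

# Extract the loss percentage from a ping summary line, e.g.
# "3 packets transmitted, 3 packets received, 0.0% packet loss" -> "0.0".
# Prints nothing if no summary line is present (ping failed outright).
ping_loss_pct() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p'
}

# Return 0 (link up) if at least one reply came back, 1 (link down) otherwise.
link_status_from_output() {
    loss=$(ping_loss_pct "$1")
    [ -n "$loss" ] || return 1            # no summary: treat as down
    [ "${loss%%.*}" -lt 100 ]             # integer part of the loss percentage
}

# Probe one link with its own address as the packet source.
check_link() {
    name=$1; src=$2
    out=$(ping -S "$src" -c "$COUNT" -t "$TIMEOUT" "$TARGET" 2>&1)
    if link_status_from_output "$out"; then
        echo "link $name ($src): UP"
    else
        echo "link $name ($src): DOWN"
    fi
}

main() {
    check_link A "$IP_A"
    check_link B "$IP_B"
}

# Probe only when asked explicitly: sh linkcheck.sh check
[ "${1:-}" = "check" ] && main
```

Run it from cron and alert on a DOWN line; the loss threshold in link_status_from_output is where you would tighten "up" to mean more than a single reply.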