Date:      Fri, 14 Jul 2006 10:47:57 +0200
From:      Nejc Skoberne <nejc@skoberne.net>
To:        freebsd-pf@freebsd.org
Subject:   Multihoming with route-to
Message-ID:  <44B75A3D.5060108@skoberne.net>

Hello,

I have a FreeBSD 5.3 server with 2 Internet connections:

- ADSL, ($UntrustInterface): A.B.C.D, $NextHop1: a.b.c.d
- VDSL, ($UntrustInterface2): E.F.G.H, $NextHop2: e.f.g.h

I would like to be able to access the server's services via both connections independently.
The ADSL connection is more like a "primary" connection, so its $NextHop1 (a.b.c.d) is also
set as the default route. Obviously, when I try to ping E.F.G.H from the Internet, the
answer gets routed via a.b.c.d, which is not what I want. So I need pf's route-to.

I have this in my pf.conf:

pass out on $UntrustInterface proto tcp all flags S/SA modulate state
pass out on $UntrustInterface proto { udp, icmp } all keep state
pass out on $UntrustInterface2 proto tcp all flags S/SA modulate state
pass out on $UntrustInterface2 proto { udp, icmp } all

pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) \
  from $UntrustInterface2 to any keep state
pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) \
  from $UntrustInterface to any keep state

I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the
Internet), the packet comes in through $UntrustInterface2, the kernel crafts the ping-reply
packet and sends it out via the default route through $UntrustInterface - but since there is
a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2
instead. Is this reasoning correct?

However, this does not work for me. If I ping E.F.G.H and watch the traffic on
both interfaces with tcpdump, the packet is sent to $NextHop1 via $UntrustInterface,
so it looks like the route-to rule is simply ignored.

How could I debug this situation properly?

You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf

Thanks for your help.

Best regards,
Nejc Skoberne
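
Added example (editor's note, not part of the original message and not the poster's
pf.conf): a pf.conf fragment for the two-uplink setup described above. The mechanism
that usually defeats the posted route-to rules is pf's state table. When the echo
request (or a TCP SYN to a service) is accepted by a "pass in ... keep state" rule, the
reply packet matches that state in the reverse direction and the outbound ruleset is
never evaluated for it, so a route-to on a "pass out" rule is never reached. reply-to
on the inbound rule records the exit interface and next hop in the state when it is
created, which is what steers replies for E.F.G.H back through $NextHop2. route-to on
"pass out" is still the right tool for connections the host originates itself from
the secondary address. Interface names (tun0, vlan0) and the use of a single macro
per uplink are assumptions; the addresses and gateways follow the post.

```pf
# Added example: multihomed FreeBSD host answering on both uplinks.
# Interface names are assumptions; addresses/gateways are the post's placeholders.
ext_if1 = "tun0"        # ADSL, address A.B.C.D (interface name assumed)
gw1     = "a.b.c.d"     # $NextHop1, also the system default route
ext_if2 = "vlan0"       # VDSL, address E.F.G.H (interface name assumed)
gw2     = "e.f.g.h"     # $NextHop2

pass quick on lo0 all
scrub in all

# Inbound connections to the host's services.
# The state created here is what the replies match, so the "pass out" rules
# below are never consulted for them. reply-to stores the exit path in the
# state, which sends replies for E.F.G.H via gw2 instead of the default route.
pass in on $ext_if1 proto { tcp, udp, icmp } from any to $ext_if1 keep state
pass in log on $ext_if2 reply-to ($ext_if2 $gw2) \
    proto { tcp, udp, icmp } from any to $ext_if2 keep state

# Connections the host originates itself.
# Packets sourced from E.F.G.H follow the default route and show up on
# $ext_if1; route-to matches them there and re-routes them out $ext_if2.
# Last matching rule wins, so the route-to rules sit after the plain ones.
pass out on $ext_if1 proto tcp from $ext_if1 to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from $ext_if1 to any keep state
pass out on $ext_if1 route-to ($ext_if2 $gw2) from $ext_if2 to any keep state

pass out on $ext_if2 proto tcp from $ext_if2 to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from $ext_if2 to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from $ext_if1 to any keep state
```

To check the behaviour rather than guess at it: pfctl -nf /etc/pf.conf parses the file
without loading it; after loading, pfctl -vvsr prints per-rule packet and byte counters,
so a route-to rule whose counters never move was not the last match; pfctl -ss shows
whether a state already exists for the ping, which is the condition under which the
outbound rules are skipped entirely; and the "log" keyword on the reply-to rule above
lets tcpdump -n -e -ttt -i pflog0 show which rule actually created the state.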

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44B75A3D.5060108>