Date:      Mon, 08 Aug 2005 09:29:32 -0300
From:      "Giovanni P. Tirloni" <gpt@tirloni.org>
To:        Sergey Lapin <slapinid@gmail.com>
Cc:        pf@freebsd.org
Subject:   Re: Fwd: pf problems
Message-ID:  <42F7502C.4070003@tirloni.org>
In-Reply-To: <48239d390508080452270c8d10@mail.gmail.com>
References:  <48239d390508040958265ce62@mail.gmail.com>	<48239d3905080504297b3ebc89@mail.gmail.com>	<200508060411.05482.max@love2party.net> <48239d390508080452270c8d10@mail.gmail.com>

Sergey Lapin wrote:
> When pf blocks an incoming packet with a "block return" rule, it does not
> return the RST or ICMP packet to the interface from which the original
> packet came, but always uses the default gateway instead. This way, if we
> have the default gateway set to ISP2's 2.0.0.1 and a packet destined to
> 1.0.0.254 comes in on the ISP1 interface (ext_if1) and this packet gets
> blocked with "block return", the TCP RST packet with source address
> 1.0.0.254 will be sent through the 2.0.0.1 gateway. Obviously, ISP2 drops
> packets whose source does not belong to their network, so basically
> "block return" does not work at all.

  I have the same situation here, and we use route-to to route everything 
from ISP1's network to their gateway and vice versa.

  route-to re-routes a packet from 1.0.0.0/24 when it is trying to leave 
through the ISP2 interface, and everything then gets NAT'ed properly.

  pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from 
$isp1_net to any

-- 
Giovanni P. Tirloni / gpt@tirloni.org
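The single route-to rule from the reply above, generalized to both providers so that traffic sourced from either ISP's address range always leaves through that ISP's link. This is an added example; it is not part of the original message nor taken from pf's own documentation. The interface names, ISP1's gateway, ISP2's network and the LAN values are assumptions; the 1.0.0.0/24 network and the 2.0.0.1 gateway are the ones quoted in the thread.

```conf
# pf.conf fragment (added example). Macro values are assumptions except
# for isp1_net and ext_isp2_gw, which repeat the addresses from the thread.
ext_isp1_if = "fxp0"
ext_isp1_gw = "1.0.0.1"
isp1_net    = "1.0.0.0/24"        # from the thread
ext_isp2_if = "fxp1"
ext_isp2_gw = "2.0.0.1"           # from the thread; also the system default gateway
isp2_net    = "2.0.0.0/24"
int_if      = "fxp2"
lan_net     = "192.168.1.0/24"

# NAT LAN traffic to whichever external interface it actually leaves on.
nat on $ext_isp1_if from $lan_net to any -> ($ext_isp1_if)
nat on $ext_isp2_if from $lan_net to any -> ($ext_isp2_if)

# Default policy: reject with RST/ICMP rather than silently drop.
block return log all

# A packet sourced from ISP1's range that the kernel routed out via the
# default gateway (ISP2's link) is re-routed to ISP1's gateway, and vice
# versa, so each provider only ever sees packets from its own address space.
# "quick" stops rule evaluation here; without it, a later matching "pass out"
# would win under pf's last-match semantics and discard the route-to.
pass out quick on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) \
    from $isp1_net to any keep state
pass out quick on $ext_isp1_if route-to ($ext_isp2_if $ext_isp2_gw) \
    from $isp2_net to any keep state

# Everything else that is allowed out, plus the LAN.
pass out on { $ext_isp1_if $ext_isp2_if } keep state
pass in on $int_if from $lan_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Whether the RST or ICMP that pf itself generates for a "block return" match is run back through the rule set (and therefore through these route-to rules) depends on the pf version in use, so verify the result rather than assume it: probe a blocked port from the ISP1 side while running tcpdump on both external interfaces, and confirm the RST with source 1.0.0.254 leaves on $ext_isp1_if and not on $ext_isp2_if.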



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42F7502C.4070003>