Date:      Sat, 13 Feb 2010 05:19:20 -0600
From:      "Sam Fourman Jr." <sfourman@gmail.com>
To:        geoffroy desvernay <dgeo@centrale-marseille.fr>
Cc:        Albert Shih <Albert.Shih@obspm.fr>, freebsd-pf@freebsd.org
Subject:   Re: How make the route-to working ?
Message-ID:  <11167f521002130319h42e131bbic432b4122773d383@mail.gmail.com>
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
References:  <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr>

On Thu, Feb 11, 2010 at 4:38 PM, geoffroy desvernay
<dgeo@centrale-marseille.fr> wrote:
> Albert Shih wrote:
>> Hi all,
>>
>> I've a problem with route-to.
>>
>> I've a server with 2 interfaces, and I'm running jails on this server. Each
>> interface has its own public IP address.
>>
>>       eth0 -- IP0             eth1 -- IP1
>>
>> and I've a default route (for example in IP0 subnet).
>>
>> So if the jail is in the IP0 subnet there is no problem, everything works.
>>
>> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
>> jail, the answer comes out through eth0 because of the default route (suppose
>> the client is not on my subnet).
>>
>> I don't want that. I want the answer to come out through eth1.
>>
>> I'm trying to use pf to do that and put something like this in my pf.conf:
>>
>> pass in all
>> pass out all
>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
>>
>> but it's not working; if I run a tcpdump on the host I can see the
>> incoming packets come in on eth1 and the outgoing ones come out on eth0.
>>
>> And if I try to remove the default route the outgoing packets don't come out...
>>
>> Any help ?
>>
>> Regards.
>>
>>
> Hi,
>
> I'm using that for the same case:
>
> You just have to catch the packets on the interface they would normally go out on:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
>
> The other rule is not needed in this case
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.
>
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I have searched the net high and low and I can not find any good
examples on how to use multiple routing tables.
I agree that it would be cleaner; do you have an example of how to do this?
If anyone has links to examples of multiple routing tables,
please post them.

Sam Fourman Jr.
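As an added example (not part of the thread and not any poster's own configuration), here is the route-to fix geoffroy describes written out as a complete pf.conf fragment for FreeBSD's pf, with reply-to shown as the alternative he and David DeSimone mention. Interface names, the jail address and the gateway address are placeholders, and the `pass in all` / `pass out all` lines are kept from Albert's ruleset only so the example matches the thread; a real host would use its usual default-deny policy instead.

```pf
# Added example, not the thread's own configuration: the route-to fix that
# geoffroy describes, as a complete pf.conf fragment for FreeBSD's pf.
# Interface names, the jail address and the gateway are placeholders.
ext_if0 = "eth0"             # carries the host's default route
ext_if1 = "eth1"             # the jail's subnet lives here
ip1     = "192.0.2.10"       # jail address in eth1's subnet (assumed)
gw1     = "192.0.2.1"        # eth1's upstream gateway (assumed)

pass in all
pass out all

# Solution 1: route-to on the interface the packet would NORMALLY leave on.
# The kernel has already chosen eth0 for a reply sourced from IP1 (default
# route), so a rule "on $ext_if1" never sees that packet; match it on eth0
# and hand it to eth1's gateway instead. Destinations inside eth1's own
# subnet are excluded so they keep being delivered directly. The last
# matching rule wins in pf, so this must stay below "pass out all" (or
# carry "quick").
pass out on $ext_if0 route-to ($ext_if1 $gw1) from $ip1 to ! $ext_if1:network

# Solution 2 (an alternative, not in addition to the rule above): reply-to
# on eth1's inbound rule. Replies belonging to a state created by this rule
# go back out through $gw1 on eth1 regardless of the routing table. It
# needs a stateful rule; pass rules keep state by default on FreeBSD 7 and
# later.
# pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $ip1
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`, confirm the rule order with `pfctl -sr`, and then repeat Albert's test: connect to the jail from a client outside both subnets while running `tcpdump -ni eth1`; the replies sourced from IP1 should now appear there instead of on eth0.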

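Nobody in the thread answers Sam's request for a multiple-routing-table example, so here is one as an added example (my own script, not from the thread or from FreeBSD's rc.d). It gives the eth1 jail its own FIB with a default route via eth1's gateway and starts the jail under that FIB. It assumes a kernel built with `options ROUTETABLES=2` (or more), as geoffroy points out, and the classic jail(8) command-line form of that era; FIB number, gateway, jail root, hostname and address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD itself: put a jail on
# eth1/IP1 into its own routing table (FIB) so its replies leave via eth1's
# gateway instead of following the host's default route on eth0.
# Assumes a kernel built with "options ROUTETABLES=2" (or more) and the
# classic jail(8) command-line form; jail root, hostname, addresses and
# gateway below are placeholders.

# Execute a command, or just print it when DRY_RUN is set, so the sequence
# can be reviewed before any route is touched.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Succeed if the running kernel provides at least $1 FIBs (sysctl net.fibs).
have_fibs() {
    want="$1"
    have=$(sysctl -n net.fibs 2>/dev/null || echo 1)
    [ "$have" -ge "$want" ]
}

# fib_setup FIB GATEWAY: install a default route in table FIB via GATEWAY.
# The connected route for eth1's subnet is expected to be present in every
# FIB already (check with: setfib FIB netstat -rn); only the default is added.
fib_setup() {
    fib="$1"; gw="$2"
    if [ -z "${DRY_RUN:-}" ] && ! have_fibs "$((fib + 1))"; then
        echo "kernel has fewer than $((fib + 1)) FIBs; rebuild with options ROUTETABLES=$((fib + 1))" >&2
        return 1
    fi
    run setfib "$fib" route add default "$gw"
}

# jail_start_in_fib FIB JAILROOT HOSTNAME IP: start the jail under FIB, so
# every process (and therefore every socket) inside it inherits that table
# and replies sourced from IP follow the FIB's default route, not the host's.
jail_start_in_fib() {
    fib="$1"; root="$2"; host="$3"; ip="$4"
    run setfib "$fib" jail "$root" "$host" "$ip" /bin/sh /etc/rc
}

# Usage: sh fib_jail.sh FIB GATEWAY JAILROOT HOSTNAME IP
# e.g.:  DRY_RUN=1 sh fib_jail.sh 1 192.0.2.1 /jails/www www.example.org 192.0.2.10
if [ "$#" -eq 5 ]; then
    fib_setup "$1" "$2" && jail_start_in_fib "$1" "$3" "$4" "$5"
fi
```

Run it once with `DRY_RUN=1` to see the two commands it will issue, then for real as root; `setfib 1 netstat -rn` shows the new table. Verify with a TCP connection to a service in the jail from a client outside both subnets while watching `tcpdump -ni eth1`: a process started under `setfib 1` carries the FIB to its children and sockets, but kernel-generated replies not tied to a jailed socket (ICMP echo replies, for one) still use FIB 0, so ping alone is not a valid test. Releases with rc.d jail support may offer a per-jail fib setting in rc.conf(5) that does the `setfib` step for you; check the manual page for the release in use.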
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11167f521002130319h42e131bbic432b4122773d383>