From: "skridsko grafstrom" <skridsko@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 13 Sep 2007 09:32:28 +0800
Message-ID: <319abcb30709121832i7d0100e6ibe2b98294030c63e@mail.gmail.com>
Subject: Problem with pf route-to in jail
List-Id: "Technical discussion and general questions about packet filter (pf)"

Encountered a weird problem with pf, but before going into that, a description of my network.

Network interfaces:

1) lnc0 - ethernet interface, inet 192.168.1.2 netmask 255.255.255.0
2) ng0 - netgraph pptp interface, 10.0.0.2 -> 10.0.0.1 point-to-point
3) vlan0 - virtual interface, inet 172.16.1.1 netmask 255.255.255.255

Default gateway - 192.168.1.1

I have a jail running on the vlan0 IP, i.e. 172.16.1.1, and I want to route all traffic from the jail through ng0, i.e. all jail traffic goes through pptp. Since I'm unable to change the default route for the jail, I resorted to using pf. Below are my rules:

    nat on ng0 from vlan0 to any -> ng0
    rdr on ng0 from any to ng0 -> vlan0
    pass out route-to ng0 from vlan0 to !vlan0

This works, but only partially, with the following observations:

1) Ping works, but only for the first packet; subsequent packets are lost.

    ping -c4 google.com
    PING google.com (64.233.187.99): 56 data bytes
    64 bytes from 64.233.187.99: icmp_seq=0 ttl=244 time=278.728 ms

    --- google.com ping statistics ---
    4 packets transmitted, 1 packets received, 75% packet loss
    round-trip min/avg/max/stddev = 278.728/278.728/278.728/0.000 ms

2) DNS resolution works fine, as do traceroutes (a sign of UDP working?).

3) Using nc to connect to a remote listening port shows a successful connection, but no data can be sent subsequently in the same nc session.

Can anyone help with what's going on here? Or provide a better solution on how to achieve the setup I want?

Thanks!
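The poster's three rules written out as a complete pf.conf, added here as an illustration and not taken from the original post or from the FreeBSD project. It keeps the poster's translation and filter logic unchanged, but uses macros for the interface names and addresses given in the message, spells out the PPTP peer 10.0.0.1 as the route-to next hop (assumed from the "10.0.0.2 -> 10.0.0.1 point-to-point" description), and adds explicit `keep state` and `log` so that the state table and pflog can be inspected while chasing symptoms like the single ping reply or the stalled nc session. It is a debugging-oriented restatement, not a claimed fix.

```pf
# Added example pf.conf mirroring the setup described in the post.
# Interface names and addresses come from the message; the PPTP peer
# address used as the route-to next hop is an assumption.
ext_if  = "ng0"          # netgraph pptp interface, 10.0.0.2 -> 10.0.0.1
jail_if = "vlan0"        # interface holding the jail IP
jail_ip = "172.16.1.1"   # jail address
pptp_gw = "10.0.0.1"     # assumed: far end of the point-to-point link

# Translation rules are evaluated before filter rules.
# Outbound jail traffic leaving via the tunnel gets the tunnel address.
nat on $ext_if from $jail_ip to any -> ($ext_if)
# Inbound traffic arriving on the tunnel address is handed to the jail.
rdr on $ext_if from any to ($ext_if) -> $jail_ip

# Filter rules. The route-to rule has no "on" clause on purpose: the
# packet first tries to leave via the default-route interface (lnc0),
# matches here, and is forced out through the tunnel instead.
# "log" sends matches to pflog0; "keep state" makes the resulting state
# entries visible in the state table for inspection.
pass out log route-to ($ext_if $pptp_gw) from $jail_ip to ! $jail_ip keep state
```

To check the file before loading it, run `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to load. While reproducing the one-reply ping, `pfctl -ss` shows whether a state entry for 172.16.1.1 was created and on which interface it is bound, `tcpdump -ni pflog0` shows which packets the logged rule actually matched, and `tcpdump -ni ng0 icmp` confirms whether the second and later echo requests ever reach the tunnel at all. Comparing those three views is the quickest way to tell a routing problem from a state-matching problem.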