From: Tom Judge <tom@tomjudge.com>
Date: Mon, 12 Mar 2007 17:06:36 +0000
To: Alexandre Biancalana
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F5889C.3010806@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net>
In-Reply-To: <45F58758.6090103@seudns.net>

Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Hi List,
>>>
>>> I'm doing a firewall setup using 6-STABLE + PF with two Internet
>>> links, but I can't get the route-to rule to function as I need.
>>>
>>>                (default gw)        ______
>>>   Link A <----------->            |int A |
>>>                                   |      |
>>>   Link B <----------->            |int B |
>>>                                   |______|
>>>                                  FreeBSD FW
>>>
>>> A simple thing that I need to do is test the two Internet links to
>>> know if they are up or not. To do this I could ping or connect to TCP
>>> ports on some external IPs through each link. Using nc and hping I
>>> tried to generate connections/packets from each network interface
>>> connected to each link, but the packets always go out by the
>>> interface indicated by the machine's default route.
>>>
>>> I tried to add these rules in pf to force packets out by the right
>>> interface based on their source address, but this does not work, and
>>> the packets generated with the IP of int B are going out by int A.
>>>
>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>
>>> Am I forgetting something? Any comments?
>>>
>> Have you tried setting the source IP address to int B when using ping
>> or your TCP sessions? This should force PF to do your source routing for
>> you.
>>
>> Hope this helps
>>
>> Tom
>
> Yes, I tried the following commands:
>
> ping -S
> nc -s
> hping -I
>
> All the commands generate the traffic with the source address of int B, but
> the traffic always goes out by int A... this is the problem, even with the
> rules:
>
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>
> that should "correct" the interface used to send this traffic out... right?!
>
> I can provide more details if needed, but I think that is a simple
> setup... I can't see why this does not work.... any other ideas??

Did you try:

ping -S -I

Tom