Date: Fri, 04 Feb 2005 09:39:17 -0700
From: "Stephane Raimbault" <segr@hotmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: route-to rule.
Message-ID: <BAY24-F11B00E592881E3F1C7164BCC700@phx.gbl>
In-Reply-To: <BAY24-F23B5EDFAA04BD9C64A5FC1CC780@phx.gbl>
Any other suggestions for this problem? Or am I hitting the limitations of pf? A bug perhaps?

>From: "Stephane Raimbault" <segr@hotmail.com>
>To: dionch@freemail.gr, freebsd-pf@freebsd.org
>Subject: Re: route-to rule.
>Date: Thu, 27 Jan 2005 11:25:32 -0700
>
>Okay, with the syntax cleaned up this is what I have:
>
>set state-policy if-bound
>
>int_if="rl0"
>int_net="10.1.0.0/24"
>ext_if1="rl1"
>ext_gw1="<ISP#1 Gateway IP>"
>ext_if2="rl2"
>ext_gw2="<ISP#2 Gateway IP>"
>vpn_if="tun0"
>vpn_gw="172.16.0.1"
>
>isp1 = "(" $ext_if1 $ext_gw1 ")"
>isp2 = "(" $ext_if2 $ext_gw2 ")"
>vpn = "(" $vpn_if $vpn_gw ")"
>
>server1_int="10.1.0.20"
>server1_out="63.252.160.219"
>server2_int="10.1.0.21"
>server2_out="63.252.160.222"
>server3_int="10.1.0.22"
>server3_out="63.252.160.221"
>server4_int="10.1.0.23"
>server4_out="63.252.160.220"
>
>nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
>nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
>binat on $ext_if1 from $server1_int to any -> $server1_out
>binat on $ext_if1 from $server2_int to any -> $server2_out
>binat on $ext_if1 from $server3_int to any -> $server3_out
>binat on $ext_if1 from $server4_int to any -> $server4_out
>
>pass in quick on $int_if inet from $int_net to $int_net keep state
>pass out quick on $int_if inet from $int_net to $int_net keep state
>
>pass in on $ext_if1 tag $ext_if1 keep state
>pass out on $ext_if1 route-to $ext_if1 keep state
>pass out quick on $int_if reply-to $ext_if1 tagged $ext_if1 keep state
>
>pass in on $ext_if2 tag $ext_if2 keep state
>pass out on $ext_if2 route-to $ext_if2 keep state
>pass out quick on $int_if reply-to $ext_if2 tagged $ext_if2 keep state
>
>pass in on $vpn_if tag $vpn_if keep state
>pass out on $vpn_if route-to $vpn_if keep state
>pass out quick on $vpn_if reply-to $vpn_if tagged $vpn_if keep state
>
>pass in quick on $int_if route-to $isp1 from
>{$server1_int,$server2_int,$server3_int,$server4_int} to {!10.0.0.0/26,
>!$int_net} keep state
>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep
>state
>pass in on $int_if route-to $isp2 from $int_net to {!10.0.0.0/26,
>!$int_net} keep state
>
>
>I tried this out and it was not a success. It seemed like nothing could
>get anywhere. $int_net wasn't able to access the internet nor the subnets
>on the other side of the vpn. The binat'd servers were inaccessible from
>the internet... and I got an arp error in /var/log/messages about a
>bunch of ARPs not being on the local network... I got a stream of these
>types of messages:
>
>Jan 27 12:12:02 router1 kernel: arplookup 69.57.244.70 failed: host is not
>on local network
>Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for
>69.57.244.70
>Jan 27 12:12:02 router1 kernel: arplookup 12.24.195.78 failed: host is not
>on local network
>Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for
>12.24.195.78
>
>
>So, we aren't quite there yet. Could I more simply change my default route
>to ISP #2, and set up some sort of route-to statements specifically for the
>binats instead? Then I would also need to set up a rule for the openvpn to
>go over ISP #1 instead of ISP #2.
>
>Any suggestions... as always much appreciated.
>
>Thanks,
>Stephane.
>
>>From: "Chris Dionissopoulos" <dionch@freemail.gr>
>>Reply-To: "Chris Dionissopoulos" <dionch@freemail.gr>
>>To: "Stephane Raimbault" <segr@hotmail.com>
>>Subject: Re: route-to rule.
>>Date: Thu, 27 Jan 2005 03:40:43 +0200
>>
>>Try to negate (="!") each network in the "to" field, like:
>>{ !10.0.0.0/26, !$int_net }
>>Also, when you break a line in a rule, you must put a backslash at the end ("\").
>>
>>Chris.
>>
>>
>>
>>>Hi Chris, thanks for the quick response; however, I'm still getting
>>>syntax errors on 2 of the 3 lines now:
>>>
>>>pass in quick on $int_if route-to $isp1 from
>>>{$server1_int,$server2_int,$server3_int,$server4_int} to !{10.0.0.0/26,
>>>$int_net} keep state
>>>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep
>>>state
>>>pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26,
>>>$int_net} keep state
>>>
>>>/etc/pf.conf:47: syntax error
>>>/etc/pf.conf:49: syntax error
>>>
>>>Where line 47 is the first one above and 49 is the last (3rd line) above.
>>>
>>>Any thoughts? I'm scratching my head bald.
>>>
>>>Thanks,
>>>Stephane.
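As an added example (not code from this thread or from the pf project), the same multi-WAN layout written so that every route-to and reply-to names its next-hop gateway and the "everything except the LAN and VPN subnets" logic is done by rule order and a table rather than a negated list. It assumes the poster's interface macros, addresses and <ISP#n Gateway IP> placeholders, and, like the original ruleset, a default-pass policy with no block rules.

```pf
# Added example, not the poster's ruleset. Interface macros, addresses and
# the <ISP#n Gateway IP> placeholders come from the thread; the placeholders
# must be replaced with the real next hops before loading.
int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1="<ISP#1 Gateway IP>"
ext_if2="rl2"
ext_gw2="<ISP#2 Gateway IP>"
vpn_if="tun0"
vpn_gw="172.16.0.1"
vpn_net="10.0.0.0/26"

# Servers that are binat'd to public addresses on ISP #1.
table <binat_srv> const { 10.1.0.20, 10.1.0.21, 10.1.0.22, 10.1.0.23 }

set state-policy if-bound

nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
binat on $ext_if1 from 10.1.0.20 to any -> 63.252.160.219
binat on $ext_if1 from 10.1.0.21 to any -> 63.252.160.222
binat on $ext_if1 from 10.1.0.22 to any -> 63.252.160.221
binat on $ext_if1 from 10.1.0.23 to any -> 63.252.160.220

# Unsolicited traffic on an ISP link is only allowed to the binat'd servers,
# and its replies leave through that link's gateway. A bare interface
# ("reply-to $ext_if1") carries no next hop, so pf would ARP for the remote
# host on the local segment: the "arplookup ... host is not on local
# network" messages quoted in the thread.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) from any to <binat_srv> keep state
pass in on $vpn_if reply-to ($vpn_if $vpn_gw) from $vpn_net to $int_net keep state

# LAN-local and VPN-bound traffic is matched first, with quick, so the ISP
# rules below can simply say "to any". A negated list such as
# "to { !10.0.0.0/26, !$int_net }" would not do this: pf expands it into one
# rule per item, and every destination matches at least one of them.
pass in quick on $int_if from $int_net to $int_net keep state
pass in quick on $int_if route-to ($vpn_if $vpn_gw) from $int_net to $vpn_net keep state

# Binat'd servers go out via ISP #1, everything else via ISP #2.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) from <binat_srv> to any keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) from $int_net to any keep state

# Outbound side of the states; route-to has already chosen the interface.
pass out on $int_if keep state
pass out on { $ext_if1, $ext_if2, $vpn_if } keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which surfaces syntax errors like the ones quoted above before the ruleset goes live.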