From: Nejc Skoberne <nejc@skoberne.net>
To: freebsd-pf@freebsd.org
Date: Fri, 14 Jul 2006 10:47:57 +0200
Subject: Multihoming with route-to
Message-ID: <44B75A3D.5060108@skoberne.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hello,

I have a FreeBSD 5.3 server with 2 Internet connections:

 - ADSL ($UntrustInterface): A.B.C.D, $NextHop1: a.b.c.d
 - VDSL ($UntrustInterface2): E.F.G.H, $NextHop2: e.f.g.h

I would like to be able to access the server's services via both connections independently. The ADSL connection is more of a "primary" connection, so its $NextHop1 (a.b.c.d) is also set as the default route. Obviously, when I try to ping E.F.G.H from the Internet, the answer gets routed via a.b.c.d, which is not what I want. So I need pf's route-to. I have this in my pf.conf:

    # stateful outbound rules on both uplinks
    pass out on $UntrustInterface  proto tcp all flags S/SA modulate state
    pass out on $UntrustInterface  proto { udp, icmp } all keep state
    pass out on $UntrustInterface2 proto tcp all flags S/SA modulate state
    pass out on $UntrustInterface2 proto { udp, icmp } all    # note: no keep state here, unlike the $UntrustInterface rule above

    # traffic sourced from one uplink's address leaving via the other uplink:
    # send it out the interface that owns the source address instead
    pass out on $UntrustInterface  route-to ($UntrustInterface2 $NextHop2) from $UntrustInterface2 to any keep state
    pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1)  from $UntrustInterface  to any keep state

I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply packet and sends it out via the default route, i.e. $UntrustInterface, but since there is a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2 instead. Is this reasoning correct?

However, this does not work for me. If I ping E.F.G.H and watch the traffic on both interfaces with tcpdump, the packet is sent to $NextHop1 via $UntrustInterface, so it looks like the route-to rule is just ignored.

How could I debug this situation properly?

You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf

Thanks for your help.

Best regards,
Nejc Skoberne
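Editor's note, with an added pf.conf fragment that is not part of the original post or its linked pf.conf: pf attaches route-to and reply-to to a state when the state is created, and a packet that matches an existing state is not run through the rule set again. For an inbound ping that is passed by a stateful `pass in` rule, the state is created by that inbound rule, so the echo reply matches the same state on its way out and the `pass out ... route-to` rules in the post are never evaluated for it. The mechanism pf provides for this case is `reply-to` on the inbound rule; `route-to` on `pass out` remains the right tool for connections the server itself initiates from the secondary address. The interface names in the macros are assumptions (the post shows only the macro names); the addresses are the post's placeholders.

```pf
# Added example for the multihoming case in the post (not the poster's config).
# Macro values are assumptions: the post names the macros but not the interfaces.
UntrustInterface  = "tun0"      # ADSL uplink, A.B.C.D  (assumed interface name)
UntrustInterface2 = "vlan0"     # VDSL uplink, E.F.G.H  (assumed interface name)
NextHop1 = "a.b.c.d"
NextHop2 = "e.f.g.h"

# Inbound connections on the VDSL link: reply-to records the return path in the
# state, so replies leave via the VDSL interface regardless of the default route.
pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) \
    proto tcp from any to ($UntrustInterface2) flags S/SA keep state
pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) \
    proto { udp, icmp } from any to ($UntrustInterface2) keep state

# Same for the ADSL link, so the result does not depend on which hop is default.
pass in on $UntrustInterface reply-to ($UntrustInterface $NextHop1) \
    proto tcp from any to ($UntrustInterface) flags S/SA keep state
pass in on $UntrustInterface reply-to ($UntrustInterface $NextHop1) \
    proto { udp, icmp } from any to ($UntrustInterface) keep state

# Connections the server initiates from one uplink's address: the kernel hands
# them to the default-route interface, and route-to on pass out redirects them
# to the interface that owns the source address (the case the post's rules cover).
pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) \
    from ($UntrustInterface2) to any keep state
pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) \
    from ($UntrustInterface) to any keep state
```

To see which rule actually created a state, load the rules with `pfctl -f /etc/pf.conf`, then compare `pfctl -vvsr` (rule numbers with evaluation and packet counters) against `pfctl -vvss` (states, with the number of the rule that created each one). If the counters on the `pass out ... route-to` rules stay at zero while a ping is answered, the reply is being handled by an existing inbound state, which is exactly the situation `reply-to` is for. Adding `log` to the rules and watching `tcpdump -n -e -ttt -i pflog0` shows the rule number for each logged packet.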