From: Ultima
Date: Tue, 9 Mar 2021 21:01:09 -0800
Subject: Re: PF - reply-to
To: Ludovit Koren
Cc: FreeBSD Mailing List

Hello Ludovit,

I'm going to need to see pf.conf and the routing table to help further. Feel
free to obfuscate if required. It may also help if you ask the freebsd-net
and freebsd-pf mailing lists as well.

Best regards,
Richard Gallamore

On Mon, Mar 8, 2021 at 3:36 AM Ludovit Koren wrote:

> >>>>> Ultima writes:
>
> > Hey Ludovit,
> > More details would be helpful. There can be a few reasons why it is
> > not working that I can see.
> >
> > 1. Do you have an rdr rule to redirect to $web_addr for the pass rule?
>
> Yes, I have an rdr rule, but there are rules without rdr and it seems
> they are not working either.
>
> > 2. Rules out of order
>
> I do not understand. I have definitions, nat, rdr, and rules.
>
> > 3. Conflicting rules.
>
> I did not find any.
>
> > The best way to debug this would be logging the rules and watching
> > where the traffic is going via tcpdump.
>
> I did exactly what you suggest. The block rule logged a reset packet from
> the source of the web traffic. As soon as I changed the default router,
> everything has started to work with the same unchanged pf.conf.
>
> Regards,
>
> lk
>
> > Best regards,
> > Richard Gallamore
> >
> > On Sun, Mar 7, 2021 at 10:58 AM Ludovit Koren <ludovit.koren@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > we have 2 Internet connections coming on the same interface. One is
> > > primarily used for incoming connections and services that we provide to
> > > Internet (web, mail). The other connection is primarily used for
> > > browsing (cache/proxy) and DNS. There are 2 different routers.
> > >
> > > I am using FreeBSD 12.2-STABLE r369178 and PF. The question is which
> > > router should I set as default router. I suppose I can use reply-to
> > > and/or route-to, respectively. If I use (default router $router2):
> > >
> > > pass in on $ext_if reply-to (bge0 $router1) inet proto tcp from any to $web_addr port 443 keep state
> > >
> > > it is not working. The following setup is working (default router $router1):
> > >
> > > pass out on $ext_if route-to (bge0 $router2) inet proto tcp from any to any keep state
> > >
> > > Is it a bug or do I not understand the manual page correctly?
> > >
> > > Thank you very much.
> > >
> > > Regards,
> > >
> > > lk
>
> --
> A: Because it fouls the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing on usenet and in e-mail?
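
A logging setup for the debugging approach suggested in the thread (log the rules, then watch the traffic with tcpdump), given here as an added example that is not part of the original messages and is not the poster's pf.conf. All addresses are constructed and the macro values are assumptions; only `bge0`, port 443 and the macro names come from the thread.

```conf
# Constructed pf.conf fragment for diagnosis only; addresses are assumptions.
ext_if   = "bge0"
router1  = "198.51.100.1"   # upstream for inbound services (assumed address)
router2  = "198.51.100.2"   # upstream set as the system default route (assumed)
web_addr = "198.51.100.10"  # address the web service listens on (assumed)

# Translation rules (nat, rdr) would go here, before the filter rules.
# pf applies translation before filtering, so when an rdr rule rewrites the
# destination, the filter rule below must match the translated address.

# Log everything that falls through to the default block, so that pflog0
# reports the number of the rule that dropped the packet.
block log all

# Inbound HTTPS. "log" on a stateful pass rule records only the packet that
# creates the state. reply-to sends the replies for that state back through
# $router1 instead of following the default route via $router2.
pass in log on $ext_if reply-to ($ext_if $router1) inet proto tcp \
    from any to $web_addr port 443 keep state

# Traffic originated by this host follows the routing table.
pass out log on $ext_if inet proto tcp from any to any keep state

# Checks to run after loading (pflog must be enabled, e.g. pflog_enable="YES"
# in /etc/rc.conf):
#   pfctl -nf /etc/pf.conf         parse the ruleset without loading it
#   pfctl -vvsr                    list rules with their numbers and counters
#   pfctl -vvss                    list states and the rule that created each
#   tcpdump -n -e -ttt -i pflog0   logged packets with matching rule number
#   tcpdump -n -e -i bge0 tcp port 443
#                                  -e prints link-level headers, so the
#                                  destination MAC shows which router the
#                                  replies are actually handed to
```

Comparing the rule number in the pflog0 output with `pfctl -vvsr` identifies which rule logged a given packet, and the destination MAC on the wire shows whether replies leave via `$router1` or `$router2`.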