From: Nils Vogels
To: freebsd-pf@freebsd.org
Date: Sun, 14 Aug 2005 15:31:14 +0200
Subject: Dual-feed: PF setup troubles
Message-ID: <42FF47A2.1090208@yuckfou.org>
Hi there!

I've got two internet connections with two different ISPs and would like to use one for my own use, while the other serves various services from various servers inside my network and directly on the firewall. Both connections end up at one firewall. The firewall has one default route to ISP1, and I would like to have PF find out if the packet needs to travel to ISP1 or ISP2, based on the IP address information of the request.

Right now, I'm trying things like this, but for some reason they don't work:

[ I have taken DNS as an example here, but there are various TCP and UDP based services that seem to have this problem. ]

ISP1 = "xl0"
ISP2 = "ed0"
LAN = "rl0"

ipv4_isp1 = "1.1.1.1/32"          # My interface IP to ISP1
ipv4_isp2 = "2.2.2.2/32"          # My interface IP to ISP2
ipv4_gw_isp2 = "2.2.2.1"          # ISP2's gateway IP
ipv4_lan_range = "172.16.0.0/16"  # My local network

# Set up NAT for my connections
nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Handle incoming traffic for my DNS server
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto udp from any port > 1023 to $ipv4_isp2 port 53 keep state

# Handle outgoing traffic, originated locally
pass out quick log on $ISP2 route-to ($ISP2 $ipv4_gw_isp2) proto udp from $ipv4_isp2 to any port 53 keep state

Looking into the logs, I see the incoming connection coming in and being accepted; however, I do not see the outgoing originating packets being logged. When I run tcpdump to troubleshoot, I see packets with source IP $ipv4_isp2 travelling over interface $ISP1, and thus I get no reply. I must be running into some anti-spoofing lists at ISP1. I have my nameserver bound to the interface IP address $ipv4_isp2.
Apart from my setup being somewhat unusual, could someone maybe point out what I am doing wrong here?

Thanks a bunch!

Nils.

--
Simple guidelines to happiness: Work like you don't need the money, love like your heart has never been broken and dance like no one can see you.
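The point Nils's tcpdump shows (packets sourced from 2.2.2.2 leaving over xl0) is where the route-to rule sits: pf evaluates an outbound packet on the interface the kernel's routing table already picked, so with a default route via ISP1 a "pass out on $ISP2" rule never sees locally originated traffic. The fragment below is an added example in the layout the pf FAQ uses for multiple outgoing routes, not Nils's own ruleset; it reuses his macros and addresses and assumes nothing else about his network.

```pf
# Added example (not from the post): macros and addresses are Nils's,
# the rule placement follows the pf FAQ's multiple-outgoing-routes pattern.
ISP1 = "xl0"
ISP2 = "ed0"
LAN  = "rl0"
ipv4_isp1      = "1.1.1.1/32"      # interface IP towards ISP1
ipv4_isp2      = "2.2.2.2/32"      # interface IP towards ISP2
ipv4_gw_isp2   = "2.2.2.1"         # ISP2's gateway
ipv4_lan_range = "172.16.0.0/16"   # local network

nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Inbound DNS on the ISP2 address: reply-to pins the state's return path to
# ISP2's gateway, so answers leave via ed0 regardless of the default route.
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) \
    proto { tcp, udp } from any to $ipv4_isp2 port 53 keep state

# Locally originated traffic sourced from the ISP2 address: the routing
# table chooses xl0 (default route), so the packet is matched against
# "pass out on $ISP1" rules. Catch it there and route-to hands it to ed0
# and ISP2's gateway, instead of letting it leave via ISP1 and get dropped
# by their anti-spoofing filters.
pass out quick log on $ISP1 route-to ($ISP2 $ipv4_gw_isp2) \
    from $ipv4_isp2 to any keep state

# Still needed for the cases where the routing table picks ed0 itself
# (e.g. destinations on ISP2's directly connected subnet).
pass out quick log on $ISP2 from $ipv4_isp2 to any keep state
```

To confirm the path, watch `tcpdump -n -i ed0 port 53` while the nameserver sends a query; `pfctl -v -s rules` prints per-rule packet counters, which shows whether the route-to rule on xl0 is the one actually matching.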