From: Shaymardanov Rushan
To: freebsd-pf@freebsd.org
Date: Sun, 25 Nov 2012 18:20:34 +0600
Subject: Problem with route-to option

Hello.

I have a problem using pf in FreeBSD 9.0. I'm using a FreeBSD box as a gateway and I have 2 ISPs.
I'd like to route some clients via the second provider and I'm using pf's route-to function for it:

    ( ... )
    nat on ng0 inet from 172.18.100.254 to any -> xx.xx.xx.157
    (...)
    pass in route-to (ng0 10.0.0.1) inet from 172.18.100.254 to any tag SUBS
    (...)

Packets are routed correctly (via ng0), and NAT works well, but the IP checksum is bad and I don't receive any response:

    gw# tcpdump -i ng0 -s 0 -v -n icmp
    tcpdump: listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
    18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9390 (->9093)!)
        xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 171, length 40
    18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9290 (->9092)!)
        xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 172, length 40
    18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9190 (->9091)!)
        xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 173, length 40

Without route-to (if, for example, I change the routing table for a particular destination address), checksums are good and traffic passes correctly.

Rushan Shaymardanov
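The capture in the message above, checked as an added example (not part of the original message): the script parses the three tcpdump lines and tests whether each checksum on the wire is the expected value with its two bytes swapped, then shows on a constructed header that a swapped checksum fails RFC 1071 verification. The source address 192.0.2.157 and all function names are assumptions, since the real address is redacted in the post.

```python
import re
import struct

# tcpdump lines from the message above, addresses as redacted there.
CAPTURE = """\
18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9390 (->9093)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 171, length 40
18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9290 (->9092)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 172, length 40
18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9190 (->9091)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 173, length 40
"""
BAD_CKSUM = re.compile(r"\bid (\d+), offset .*bad cksum ([0-9a-f]+) \(->([0-9a-f]+)\)!")

def swap16(value):
    """Swap the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)

def classify(capture):
    """Return (ip_id, on_wire, expected, is_byte_swapped) per bad-checksum line."""
    rows = []
    for line in capture.splitlines():
        m = BAD_CKSUM.search(line)
        if m:
            ip_id, wire, want = int(m[1]), int(m[2], 16), int(m[3], 16)
            rows.append((ip_id, wire, want, wire == swap16(want)))
    return rows

def ones_complement_sum(header):
    """RFC 1071 folded 16-bit one's-complement sum over the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_header(cksum):
    # Constructed 20-byte IPv4 header: ICMP, ttl 128, id 218, length 60,
    # 192.0.2.157 -> 8.8.8.8 (source address is an assumption).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 218, 0, 128, 1, cksum,
                       bytes([192, 0, 2, 157]), bytes([8, 8, 8, 8]))

def correct_checksum():
    return ~ones_complement_sum(build_header(0)) & 0xFFFF

def header_valid(header):
    """A header verifies when the sum including the checksum is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF

if __name__ == "__main__":
    for ip_id, wire, want, swapped in classify(CAPTURE):
        print(f"id {ip_id}: wire {wire:04x} expected {want:04x} swapped={swapped}")
```

All three packets in the capture match the swapped pattern, which is consistent with a byte-order problem when the checksum is written on the route-to path, not with a NAT or routing error.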