From: Alexandre Biancalana <ale@seudns.net>
Date: Mon, 12 Mar 2007 14:48:04 -0300
To: Tom Judge
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F59254.2050907@seudns.net>
In-Reply-To: <45F58D1D.8080304@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Hi List,
>>>>>>
>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two Internet
>>>>>> links, but I can't get the route-to rule to function as I need.
>>>>>>
>>>>>> (default gw)          ______
>>>>>> Link A <-----------> |int A |
>>>>>>                      |      |
>>>>>> Link B <-----------> |int B |
>>>>>>                      |______|
>>>>>>                      FreeBSD FW
>>>>>>
>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>> to know if they are up or not. To do this I could ping or connect
>>>>>> to TCP ports on some external IPs through each link. Using nc and
>>>>>> hping I tried to generate connections/packets from each
>>>>>> network interface connected to each link, but the packets always
>>>>>> go out by the interface indicated by the machine's default route.
>>>>>>
>>>>>> I tried to add these rules in pf to force packets out by the right
>>>>>> interface based on their source address, but this does not work,
>>>>>> and the packets generated with the IP of int B are going out by int A.
>>>>>>
>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>
>
> My mistake, I only looked at the header of the ping man page.
>
> These are the rules that I would use in that situation:
>
> if_a=em0
> ip_a=192.168.0.2
> gw_a=192.168.0.1
> net_a=192.168.0.0/24
> if_b=em1
> ip_b=192.168.1.2
> gw_b=192.168.1.1
> net_b=192.168.1.0/24
>
> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a

The difference is that my rules are for Internet traffic; I don't have fixed destinations....
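As an added example, not code from this thread or from either poster, the script below does the link test Alexandre describes: it probes an external host with pings sourced from each link's interface address and relies on pf route-to rules keyed on that source address to push the probe out the matching link. The interface addresses, the probe target, and the pf.conf fragment quoted in its comments are all assumptions made for the example; it assumes FreeBSD ping(8), whose -S flag picks the source address.

```shell
#!/bin/sh
# Added example, not code from the thread. Probe each Internet link by
# sending pings whose source address is the address of that link's
# interface. With pf route-to rules keyed on the source address, the probe
# leaves through the matching interface even though the routing table
# would otherwise send everything out the default route (link A).
#
# Assumed pf.conf fragment (hypothetical addresses), one rule per link:
#   pass out on $if_a route-to ($if_b $gw_b) from $ip_b to !$net_b
#   pass out on $if_b route-to ($if_a $gw_a) from $ip_a to !$net_a
# The rule for link B is placed on $if_a because that is where the kernel
# first routes a locally generated packet sourced from $ip_b (default
# gateway on link A); route-to then moves it to $if_b.

ip_a=192.168.0.2            # assumed address of the link A interface
ip_b=192.168.1.2            # assumed address of the link B interface
probe_host=198.51.100.1     # assumed external target (TEST-NET-2); replace it

# Read ping(8) output on stdin and succeed (exit 0) only if at least one
# reply was received. Works on the BSD summary line
#   "3 packets transmitted, 3 packets received, 0.0% packet loss"
# where the received count is the fourth field. No summary line at all
# (ping could not even send) counts as a failure.
ping_succeeded() {
    awk '/packets transmitted/ { recv = $4 }
         END { if (recv + 0 > 0) exit 0; exit 1 }'
}

# check_link SRC TARGET: ping TARGET three times from source address SRC.
# -S selects the source address and -t bounds the total run time in
# seconds; both are FreeBSD ping(8) options.
check_link() {
    ping -c 3 -t 5 -S "$1" "$2" 2>/dev/null | ping_succeeded
}

# link_state NAME SRC TARGET: print "NAME: up" or "NAME: down".
link_state() {
    if check_link "$2" "$3"; then
        echo "$1: up"
    else
        echo "$1: down"
    fi
}

# Only probe the network when explicitly asked, so the script can be
# sourced to reuse its functions without sending any traffic.
if [ "${LINKCHECK_LIVE:-}" = "1" ]; then
    link_state "link A ($ip_a)" "$ip_a" "$probe_host"
    link_state "link B ($ip_b)" "$ip_b" "$probe_host"
fi
```

Run it with `LINKCHECK_LIVE=1` and, in a second terminal, `tcpdump -ni em1 icmp` to confirm that the probe sourced from `$ip_b` really leaves on the second interface; `pfctl -vsr` shows whether the route-to rule is counting matches. The `to !$net_b` exclusion in the assumed rule keeps packets for the link's own subnet from being handed to the gateway.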