Date: Mon, 12 Mar 2007 19:10:48 +0000
From: Tom Judge <tom@tomjudge.com>
To: Alexandre Biancalana <ale@seudns.net>
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F5A5B8.3010307@tomjudge.com>
In-Reply-To: <45F5A395.9010309@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com> <45F58B94.9000308@seudns.net> <45F58D1D.8080304@tomjudge.com> <45F59254.2050907@seudns.net> <45F5A395.9010309@tomjudge.com>
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Hi List,
>>>>>>>>
>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>>>>>> links, but I can't get the route-to rule to work the way I need.
>>>>>>>>
>>>>>>>> (default gw)          ______
>>>>>>>> Link A <-----------> |int A |
>>>>>>>>                      |      |
>>>>>>>> Link B <-----------> |int B |
>>>>>>>>                      |______|
>>>>>>>>                      FreeBSD FW
>>>>>>>>
>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>> connect to tcp ports on some external ips through each link.
>>>>>>>> Using nc and hping I tried to do this, generating connections/packets
>>>>>>>> from each network interface connected to each link, but the packets
>>>>>>>> always go out by the interface indicated by the machine's default route.
>>>>>>>>
>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>> right interface based on their source address, but this does not
>>>>>>>> work, and the packets generated with the ip of int B are going out
>>>>>>>> by int A.
>>>>>>>>
>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>
>>>
>>> My mistake, I only looked at the header of the ping man page.
>>>
>>> These are the rules that I would use in that situation:
>>>
>>> if_a=em0
>>> ip_a=192.168.0.2
>>> gw_a=192.168.0.1
>>> net_a=192.168.0.0/24
>>> if_b=em1
>>> ip_b=192.168.1.2
>>> gw_b=192.168.1.1
>>> net_b=192.168.1.0/24
>>>
>>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_b to ! $net_b
>>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_a to ! $net_a
>>
>> The difference is that my rules are for internet traffic, I don't have
>> fixed destinations....
>>
>
> Ok so substitute the private IP addresses and networks in the rules
> (and the interfaces) and you should be sorted. We use exactly the same
> configuration but with both public IP Addresses on one interface. Then
> if you connect from $ip_b to a public IP address not in $net_b you
> should see it routed via if_b to $gw_b. The only time I have seen these
> rules fail is when the IPSec code in the kernel transmits ESP packets,
> which seem to pass through pf with some weird interfaces set or don't
> pass through pf at all. All other traffic generated on ip_a or ip_b
> will always pass to the correct ISP's router.
>
> The fact that the example rules I posted used private IP addresses is
> neither here nor there; if you make the appropriate changes to:
>
> ip_[ab]
> gw_[ab]
> net_[ab]
> if_[ab]
>
> Then the example rules should do what you want.
>

I just had an idea of one way to possibly test this: add a static
destination route to an external host, e.g. www.google.com, via gw_b,
then ping said host with the source address of ip_a. This should cause
the packet from ip_a to pass out if_b. The rules I posted above will
catch the packet and then change the route to gw_a and transmit the
packet via if_a.

This is totally untested and may not work, but it should do.

Tom
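As an added illustration (not part of the thread, and not Tom's or Alexandre's configuration): a complete pf.conf fragment for the two-link firewall discussed above, using Tom's macro names and the direction he describes in prose (a locally generated packet sourced from ISP B's address that the kernel would send out int A via the default route is handed back to gw_b on int B, and vice versa). The interface names, the RFC 1918 addresses standing in for the two ISP links, and the probe target are assumptions.

```pf
# Added example, not from the mailing-list thread.
# em0/em1 and the 192.168.x.x ranges are placeholders for the two ISP links.
if_a  = "em0"
ip_a  = "192.168.0.2"
gw_a  = "192.168.0.1"
net_a = "192.168.0.0/24"

if_b  = "em1"
ip_b  = "192.168.1.2"
gw_b  = "192.168.1.1"
net_b = "192.168.1.0/24"

# Plain outbound traffic that is already on its own link needs no help:
# a packet from ip_a leaving if_a, or from ip_b leaving if_b, is correct.
pass out quick log on $if_a from $ip_a to any
pass out quick log on $if_b from $ip_b to any

# Packets pf sees leaving the *wrong* link because the kernel picked the
# default route. route-to overrides the kernel's next hop; matching on the
# source address keeps each ISP's traffic on that ISP's link. Destinations
# inside the link's own subnet are excluded so they are delivered directly.
pass out quick log on $if_a route-to ($if_b $gw_b) from $ip_b to ! $net_b
pass out quick log on $if_b route-to ($if_a $gw_a) from $ip_a to ! $net_a
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; the parser rejects a reference to an undefined macro, which catches the kind of copy-paste slip where `ip_b`, `gw_b` and `net_b` are never defined because the `_a` lines were duplicated. To exercise the rules from the firewall itself, send a probe with the secondary link's source address (`ping -S 192.168.1.2 <probe host>`) while watching `tcpdump -ni em1` and `tcpdump -ni pflog0`: the packet should appear on em1 with the `log` entry showing the route-to rule, not on em0. Tom's suggested reverse test (a static host route via gw_b plus `ping -S 192.168.0.2`) checks the other rule the same way.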