From owner-freebsd-pf@FreeBSD.ORG Thu Jan 27 18:27:06 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E084B16A4CE for ; Thu, 27 Jan 2005 18:27:05 +0000 (GMT)
Received: from hotmail.com (bay24-f23.bay24.hotmail.com [64.4.18.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8727C43D1D for ; Thu, 27 Jan 2005 18:27:05 +0000 (GMT) (envelope-from segr@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 27 Jan 2005 10:26:01 -0800
Message-ID:
Received: from 198.53.131.3 by by24fd.bay24.hotmail.msn.com with HTTP; Thu, 27 Jan 2005 18:25:32 GMT
X-Originating-IP: [198.53.131.3]
X-Originating-Email: [segr@hotmail.com]
X-Sender: segr@hotmail.com
In-Reply-To: <000d01c50411$3904d3e0$3c00000a@R3B>
From: "Stephane Raimbault"
To: dionch@freemail.gr, freebsd-pf@freebsd.org
Date: Thu, 27 Jan 2005 11:25:32 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 27 Jan 2005 18:26:01.0778 (UTC) FILETIME=[A793B920:01C5049D]
Subject: Re: route-to rule.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 27 Jan 2005 18:27:06 -0000

Okay, with the syntax cleaned up this is what I have:

set state-policy if-bound

int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1=""          # gateway addresses are empty as posted
ext_if2="rl2"
ext_gw2=""
vpn_if="tun0"
vpn_gw="172.16.0.1"

# with ext_gw1/ext_gw2 empty these expand to an interface with no next-hop address
isp1 = "(" $ext_if1 $ext_gw1 ")"
isp2 = "(" $ext_if2 $ext_gw2 ")"
vpn = "(" $vpn_if $vpn_gw ")"

server1_int="10.1.0.20"
server1_out="63.252.160.219"
server2_int="10.1.0.21"
server2_out="63.252.160.222"
server3_int="10.1.0.22"
server3_out="63.252.160.221"
server4_int="10.1.0.23"
server4_out="63.252.160.220"

nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
binat on $ext_if1 from $server1_int to any -> $server1_out
binat on $ext_if1 from $server2_int to any -> $server2_out
binat on $ext_if1 from $server3_int to any -> $server3_out
binat on $ext_if1 from $server4_int to any -> $server4_out

pass in quick on $int_if inet from $int_net to $int_net keep state
pass out quick on $int_if inet from $int_net to $int_net keep state

# route-to with only an interface and no next-hop address: pf sends the packet
# out that interface and uses the packet's own destination as the next hop, so
# it ARPs for the remote address on the local link
pass in on $ext_if1 tag $ext_if1 keep state
pass out on $ext_if1 route-to $ext_if1 keep state
pass out quick on $int_if reply-to $ext_if1 tagged $ext_if1 keep state

pass in on $ext_if2 tag $ext_if2 keep state
pass out on $ext_if2 route-to $ext_if2 keep state
pass out quick on $int_if reply-to $ext_if2 tagged $ext_if2 keep state

pass in on $vpn_if tag $vpn_if keep state
pass out on $vpn_if route-to $vpn_if keep state
pass out quick on $vpn_if reply-to $vpn_if tagged $vpn_if keep state

# pf expands { !10.0.0.0/26, !$int_net } into two separate rules,
# "to !10.0.0.0/26" and "to !$int_net" (see the Lists section of pf.conf(5));
# a packet to 10.0.0.0/26 matches the second of them
pass in quick on $int_if route-to $isp1 from {$server1_int,$server2_int,$server3_int,$server4_int} to {!10.0.0.0/26, !$int_net} keep state
pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep state
pass in on $int_if route-to $isp2 from $int_net to {!10.0.0.0/26, !$int_net} keep state

I tried this out and it was not a success. It seemed like nothing could get anywhere. $int_net wasn't able to access the internet nor the subnets on the other side of the VPN. The binat'd servers were inaccessible from the internet... and I got an ARP error in /var/log/messages about a bunch of ARPs not being on the local network... I got a stream of these types of messages:

Jan 27 12:12:02 router1 kernel: arplookup 69.57.244.70 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 69.57.244.70
Jan 27 12:12:02 router1 kernel: arplookup 12.24.195.78 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 12.24.195.78

So, we aren't quite there yet. Could I more simply change my default route to ISP #2, and set up some sort of route-to statements specifically for the binats instead? Then I would also need to set up a rule for the OpenVPN to go over ISP #1 instead of ISP #2.

Any suggestions... as always much appreciated.

Thanks,
Stephane.

>From: "Chris Dionissopoulos"
>Reply-To: "Chris Dionissopoulos"
>To: "Stephane Raimbault"
>Subject: Re: route-to rule.
>Date: Thu, 27 Jan 2005 03:40:43 +0200
>
>Try to negate (="!") each network in the "to" field like:
>{ !10.0.0.0/26, !$int_net}
>Also when you break a line in a rule, you must put a backslash at the end ("\").
>
>Chris.
>
>
>>Hi Chris, thanks for the quick response, however I'm still getting syntax
>>errors on 2 of the 3 lines now:
>>
>>pass in quick on $int_if route-to $isp1 from {$server1_int,$server2_int,$server3_int,$server4_int} to !{10.0.0.0/26, $int_net} keep state
>>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep state
>>pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26, $int_net} keep state
>>
>>/etc/pf.conf:47: syntax error
>>/etc/pf.conf:49: syntax error
>>
>>Where line 47 is the first one above and 49 is the last (3rd line) above.
>>
>>Any thoughts? I'm scratching my head bald.
>>
>>Thanks,
>>Stephane.
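The negated list in the rule set above is worth looking at on its own, because pf.conf(5) documents that a list such as `{ !10.0.0.0/26, !$int_net }` is expanded into one rule per element, i.e. `to !10.0.0.0/26` and `to !$int_net`, which is an OR, not "to neither". The following is an added example, not code from the thread or from pf itself: a small Python model of that expansion plus pf's last-match-wins / quick evaluation, run over the posted route-to rules and over the same rules written with a pf table (`table <local> { 10.0.0.0/26, $int_net }` and `to !<local>`), which negates the membership test as a whole. The matcher only looks at source and destination addresses; the test addresses are constructed and the public one is from TEST-NET-2.

```python
"""Model of pf list expansion with negation (added example, not from the thread).

Mirrors the posted rules:
  pass in quick on $int_if route-to $isp1 from {servers} to {!10.0.0.0/26, !$int_net}
  pass in quick on $int_if route-to $vpn  from $int_net  to 10.0.0.0/26
  pass in       on $int_if route-to $isp2 from $int_net  to {!10.0.0.0/26, !$int_net}
and the same intent with a negated table.  Simplified: only src/dst addresses,
no interface, protocol or port matching.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import product

INT_NET = ip_network("10.1.0.0/24")          # $int_net
VPN_NET = ip_network("10.0.0.0/26")          # subnet behind the VPN
SERVERS = [ip_network(a) for a in ("10.1.0.20", "10.1.0.21", "10.1.0.22", "10.1.0.23")]


@dataclass(frozen=True)
class Addr:
    """One element of a pf address list: a network, optionally negated."""
    net: IPv4Network
    neg: bool = False

    def matches(self, ip: IPv4Address) -> bool:
        return (ip in self.net) != self.neg


@dataclass(frozen=True)
class Table:
    """A pf table: matches if the address is in ANY member; '!' negates the whole test."""
    nets: tuple
    neg: bool = False

    def matches(self, ip: IPv4Address) -> bool:
        return any(ip in n for n in self.nets) != self.neg


@dataclass
class Rule:
    route: str      # where route-to sends a matching packet
    src: list       # address specs; pf expands a list into one rule per element
    dst: list
    quick: bool = False


def expand(rules):
    """pf expands `{ a, b }` into separate rules (cross product over all lists
    in the rule).  Each element keeps its own negation, so `to { !A, !B }`
    becomes `to !A` OR `to !B`, which matches almost everything."""
    return [(r.route, s, d, r.quick) for r in rules for s, d in product(r.src, r.dst)]


def route_for(rules, src: str, dst: str) -> str:
    """Evaluate like pf: the last matching rule wins unless a matching rule is quick."""
    s_ip, d_ip = ip_address(src), ip_address(dst)
    decision = "default-route"
    for route, s, d, quick in expand(rules):
        if s.matches(s_ip) and d.matches(d_ip):
            decision = route
            if quick:
                break
    return decision


def addrs(nets, neg=False):
    return [Addr(n, neg) for n in nets]


# Rule set as posted: `to { !10.0.0.0/26, !$int_net }`
POSTED = [
    Rule("isp1", addrs(SERVERS), addrs([VPN_NET, INT_NET], neg=True), quick=True),
    Rule("vpn", addrs([INT_NET]), addrs([VPN_NET]), quick=True),
    Rule("isp2", addrs([INT_NET]), addrs([VPN_NET, INT_NET], neg=True)),
]

# Same intent with `table <local> { 10.0.0.0/26, $int_net }` and `to !<local>`
LOCAL = Table((VPN_NET, INT_NET), neg=True)
FIXED = [
    Rule("isp1", addrs(SERVERS), [LOCAL], quick=True),
    Rule("vpn", addrs([INT_NET]), addrs([VPN_NET]), quick=True),
    Rule("isp2", addrs([INT_NET]), [LOCAL]),
]

if __name__ == "__main__":
    for label, rs in (("posted", POSTED), ("table", FIXED)):
        print(label, "server -> VPN subnet :", route_for(rs, "10.1.0.20", "10.0.0.5"))
        print(label, "server -> internet   :", route_for(rs, "10.1.0.20", "198.51.100.7"))
        print(label, "client -> internet   :", route_for(rs, "10.1.0.50", "198.51.100.7"))
```

With the posted form, a binat'd server talking to 10.0.0.5 matches the expanded `to !$int_net` half of the first (quick) rule and is route-to'd to ISP #1 instead of the tunnel, so traffic meant for the VPN leaves in the clear on the public interface; ordinary clients are unaffected only because the server rule does not match their source. With the table form the membership test is negated as a whole, and the same packet falls through to the `route-to $vpn` rule.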