Date: Tue, 12 May 2015 23:51:04 -0400
From: Ricky G <ricky1252@hotmail.com>
To: Dave Hayes <dave@jetcafe.org>
Cc: "freebsd-pf@FreeBSD.org" <freebsd-pf@freebsd.org>
Subject: RE: Pf, rtable, and rdr...bug?
Message-ID: <SNT146-W260DB7982C88CCC0FD671CA1D90@phx.gbl>
In-Reply-To: <5552B614.4080502@jetcafe.org>
References: <5552B614.4080502@jetcafe.org>
The reason is because you are forcing all your traffic to flow out of fast net. If you want an incoming response to go back out the same interface you will have to do a reply-to rule. It's not a bug, just a rule you have in place =]

> Date: Tue, 12 May 2015 19:25:24 -0700
> From: dave@jetcafe.org
> To: freebsd-pf@FreeBSD.org
> Subject: Pf, rtable, and rdr...bug?
>
> [ Resending this to the PF list in hopes of some insight. Thanks. ]
>
> Hello everyone. I'm having a problem with using rdr in an existing pf that uses rtable. I'm running 10.1-STABLE #0 r282154 and I believe this is a bug, but it could also be something I haven't spotted.
>
> I have a firewall with three interfaces. The IP addresses have been changed to protect the innocent. :)
>
> - a slow net (1.2.3.0/24) interface: em0 @ 1.2.3.10
> - a fast net (4.5.6.0/24) interface: em1 @ 4.5.6.10
> - an internal net (192.168.4.0/24) interface: em2 @ 192.168.4.10
>
> I route the internal net traffic over the fast cable net, and allow the internet net to access machines on the slower work net. Both default routes for the slow and fast net are .1 addresses (e.g. 1.2.3.1 and 4.5.6.1). I use an alias on both the slow and fast net (.42) to route the traffic from so I can see what's going on. I have net.fibs="2" in loader.conf and two different default routes set up for each fib. The default "default route" (fib 0) is 1.2.3.1.
>
> Here's my pf ruleset that works, paraphrased.
>
> slow_net = "1.2.3.0/24"
> slow_if = "em0"
> slow_nat_ip = "1.2.3.42"
>
> fast_net = "4.5.6.0/24"
> fast_if = "em1"
> fast_nat_ip = "4.5.6.42"
> int_net = "192.168.4.0/24"
> int_if = "em2"
> int_ip = "192.168.4.10" # I don't alias this side
>
> table <private> const { 10/8, 172.16/12, 192.168/16 }
>
> nat log on $fast_if inet from $int_if:network to ! $slow_net -> $fast_nat_ip
> nat log on $slow_if inet from $int_if:network to $slow_net -> $slow_nat_ip
> block in log all
> antispoof log quick for { $slow_if $fast_if $int_if }
> pass in log quick on $int_if inet from $int_net to !$slow_if:network modulate state rtable 1
> pass in log quick on $int_if inet from $int_net to $slow_if:network modulate state rtable 0
> pass log on $slow_if inet from ! <private> to any modulate state
> pass out log inet from any to any modulate state
>
> So I tried to use rdr to forward some ports from the to a machine on the internal net:
>
> webserver = "192.168.4.22"
> ....
> rdr on $fast_if inet proto tcp from any to port 80 -> $webserver
>
> This doesn't work. When I turn on tcpdump on all three interfaces, I see the packets coming in from the fast net to the internal net. The responses are appearing on the slow net, with the IP addresses of the fast net. So if I see this from em1:
>
> 14:34:11.887357 IP 10.11.12.13:18600 > 4.5.6.42:80 ...
>
> I then see the response...but on em0:
>
> 14:34:12.087283 IP 4.5.6.42:80 > 10.11.12.13:18600 ...
>
> Why doesn't this response packet go out the proper interface?
>
> Thanks in advance for any insight. If I don't hear from anyone, I'm going to assume this is a bug and file a bug report.
> --
> Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
> >>>> *The opinions expressed above are entirely my own* <<<<
>
> A path and a gateway have no meaning or use once the
> objective is in sight.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
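An added example (not from either poster) of the reply-to rule the reply suggests, written against the macros and addresses in Dave's mail; it assumes 4.5.6.1 is the fast net's default gateway and that the rdr'd traffic arrives on the 4.5.6.42 alias:

```pf
# Added example, not part of the thread. Assumed: 4.5.6.1 is the fast net's
# gateway; 4.5.6.42 is the alias the web traffic arrives on.
fast_if     = "em1"
fast_gw     = "4.5.6.1"
fast_nat_ip = "4.5.6.42"
webserver   = "192.168.4.22"

# rdr runs before filtering, so the pass rule below must match the
# translated destination ($webserver), not the public 4.5.6.42.
rdr on $fast_if inet proto tcp from any to $fast_nat_ip port 80 -> $webserver

# Without reply-to, the web server's answers come back in on em2 and are
# routed by fib 0, whose default route is 1.2.3.1 on em0, so they leave the
# slow interface carrying 4.5.6.42 as source (what tcpdump showed on em0).
# reply-to records the return path in the state: packets matching the state
# in the reverse direction are sent out $fast_if via $fast_gw instead.
pass in log quick on $fast_if reply-to ($fast_if $fast_gw) inet proto tcp \
    from any to $webserver port 80 flags S/SA modulate state
```

The existing "pass out log inet from any to any modulate state" still covers the forwarded packet leaving em2; only the inbound rule on the fast interface needs the route option.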