From: Ricky G
To: Dave Hayes
CC: freebsd-pf@FreeBSD.org
Subject: RE: Pf, rtable, and rdr...bug?
Date: Tue, 12 May 2015 23:51:04 -0400
In-Reply-To: <5552B614.4080502@jetcafe.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The reason is that you are forcing all your traffic to flow out of the fast net. If you want an incoming response to go back out the same interface, you will have to use a reply-to rule.
It's not a bug, just a rule you have in place =]

> Date: Tue, 12 May 2015 19:25:24 -0700
> From: dave@jetcafe.org
> To: freebsd-pf@FreeBSD.org
> Subject: Pf, rtable, and rdr...bug?
>
> [ Resending this to the PF list in hopes of some insight. Thanks. ]
>
> Hello everyone. I'm having a problem with using rdr in an existing pf that uses rtable. I'm running 10.1-STABLE #0 r282154 and I believe this is a bug, but it could also be something I haven't spotted.
>
> I have a firewall with three interfaces. The IP addresses have been changed to protect the innocent. :)
>
> - a slow net (1.2.3.0/24) interface: em0 @ 1.2.3.10
> - a fast net (4.5.6.0/24) interface: em1 @ 4.5.6.10
> - an internal net (192.168.4.0/24) interface: em2 @ 192.168.4.10
>
> I route the internal net traffic over the fast cable net, and allow the internal net to access machines on the slower work net. Both default routes for the slow and fast net are .1 addresses (e.g. 1.2.3.1 and 4.5.6.1). I use an alias on both the slow and fast net (.42) to route the traffic from so I can see what's going on. I have net.fibs="2" in loader.conf and two different default routes set up for each fib. The default "default route" (fib 0) is 1.2.3.1.
>
> Here's my pf ruleset that works, paraphrased.
>
> slow_net = "1.2.3.0/24"
> slow_if = "em0"
> slow_nat_ip = "1.2.3.42"
>
> fast_net = "4.5.6.0/24"
> fast_if = "em1"
> fast_nat_ip = "4.5.6.42"
> int_net = "192.168.4.0/24"
> int_if = "em2"
> int_ip = "192.168.4.10" # I don't alias this side
>
> table const { 10/8, 172.16/12, 192.168/16 }
>
> nat log on $fast_if inet from $int_if:network to ! $slow_net -> $fast_nat_ip
> nat log on $slow_if inet from $int_if:network to $slow_net -> $slow_nat_ip
> block in log all
> antispoof log quick for { $slow_if $fast_if $int_if }
> pass in log quick on $int_if inet from $int_net to !$slow_if:network modulate state rtable 1
> pass in log quick on $int_if inet from $int_net to $slow_if:network modulate state rtable 0
> pass log on $slow_if inet from ! to any modulate state
> pass out log inet from any to any modulate state
>
> So I tried to use rdr to forward some ports from the to a machine on the internal net:
>
> webserver = "192.168.4.22"
> ....
> rdr on $fast_if inet proto tcp from any to port 80 -> $webserver
>
> This doesn't work. When I turn on tcpdump on all three interfaces, I see the packets coming in from the fast net to the internal net. The responses are appearing on the slow net, with the IP addresses of the fast net. So if I see this from em1:
>
> 14:34:11.887357 IP 10.11.12.13:18600 > 4.5.6.42:80 ...
>
> I then see the response...but on em0:
>
> 14:34:12.087283 IP 4.5.6.42:80 > 10.11.12.13:18600 ...
>
> Why doesn't this response packet go out the proper interface?
>
> Thanks in advance for any insight. If I don't hear from anyone, I'm going to assume this is a bug and file a bug report.
> --
> Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
> >>>> *The opinions expressed above are entirely my own* <<<<
>
> A path and a gateway have no meaning or use once the
> objective is in sight.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
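To make the reply-to suggestion concrete, here is an added pf.conf fragment for this thread's setup. It is not code from either poster: it reuses Dave's macro names, assumes the fast net's gateway is the 4.5.6.1 address he mentions (named fast_gw here), and assumes the public address being redirected is $fast_nat_ip, which is what the 4.5.6.42:80 tcpdump line suggests. The idea is that the reverse-direction packets of a state are routed by the rule that created the state, so the pass rule that accepts the redirected SYN on em1 carries the reply-to, and the kernel routing table (fib 0, default via em0) is never consulted for the web server's replies.

```pf
# Added example for the freebsd-pf thread above; not from the original
# poster's ruleset. Macro values follow Dave's description; fast_gw is
# an assumption (the ".1" default gateway of the fast net).
fast_if     = "em1"
fast_gw     = "4.5.6.1"
fast_nat_ip = "4.5.6.42"
int_if      = "em2"
webserver   = "192.168.4.22"

# Translation is applied before filtering, so by the time the SYN reaches
# the filter rules on $fast_if its destination is already $webserver.
# Assumed destination: the .42 alias seen in the tcpdump output.
rdr on $fast_if inet proto tcp from any to $fast_nat_ip port 80 -> $webserver

# Create the state on the interface the SYN arrived on and attach a
# reply-to. Packets that match this state in the reverse direction (the
# web server's replies, after pf un-translates them back to 4.5.6.42)
# are sent to $fast_gw via $fast_if instead of being routed through
# fib 0, whose default route points out em0.
pass in log quick on $fast_if reply-to ($fast_if $fast_gw) \
    inet proto tcp from any to $webserver port 80 \
    flags S/SA modulate state
```

The existing "pass out log inet from any to any modulate state" rule does not interfere: with FreeBSD's default floating states the redirected packet leaving on em2 and the reply coming back in on em2 both match the state created on em1, so no further rule is evaluated. Check the syntax before loading with `pfctl -nvf /etc/pf.conf`, then confirm with `pfctl -ss` that the web state shows up and with `tcpdump -ni em1 host 10.11.12.13` that the 4.5.6.42:80 replies now leave on em1 rather than em0.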