From owner-freebsd-questions@FreeBSD.ORG Fri Aug 27 20:19:29 2010
Message-ID: <4C781DCC.3020503@gmx.com>
Date: Fri, 27 Aug 2010 23:19:24 +0300
From: Nikos Vassiliadis
To: Doug Hardie
Cc: Patrick Lamaiziere, freebsd-questions@freebsd.org
Subject: Re: Routing Question
In-Reply-To: <2D2B914E-B6FA-43CF-9741-559D74D43B9E@lafn.org>
References: <96E6F9A3-49F5-4C55-8248-6D62717636DF@lafn.org> <20100827140713.41391a3e@davenulle.org> <2D2B914E-B6FA-43CF-9741-559D74D43B9E@lafn.org>

On 8/27/2010 9:09 PM, Doug Hardie wrote:
>
> On 27 August 2010, at 05:07, Patrick Lamaiziere wrote:
>
>> On Thu, 26 Aug 2010 18:17:19 -0700, Doug Hardie wrote:
>>
>>> PF's route_to will return the packets to the proper router, but I
>>> have not been able to figure out which ones those would be. The
>>> source IP address can be any on either network and it's highly
>>> likely that we will see packets from the same source network on
>>> both at the same time. The only distinction I see in the input
>>> packets between the two paths is the MAC address of the router.
>>> I don't see any way in pf or the system to use that to affect the
>>> return path though.
>>
>> The filter option "reply-to" looks to be what you need. It works
>> by keeping the state of a connection (see pf.conf(5)).
>
> That works great on the output if you can figure out which packets to
> use it on. The only way I can see to separate the traffic is using
> the router MAC address. I don't find anything in pf that will look
> at that.

Yes, pf cannot use the MAC address to classify a packet. The most
sensible solution would be installing a single router to handle both
lines, but I know it's not always feasible to do so for several
reasons.

ipfw can use MAC addresses for classification; perhaps you can hack
some rules using fwd, skipto and mac.

Nikos
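A pf.conf fragment, added here as an illustration and not part of the thread, showing the standard reply-to usage Patrick refers to; interface names, gateway and network addresses are constructed placeholders. It keys on the ingress interface and the state entry, which is exactly why it cannot separate two routers on one segment that differ only by MAC address, the case Doug describes.

```pf
# Added example: two upstream routers, each on its own interface.
# All names and addresses below are constructed placeholders.
ext_if1 = "em0"            # line 1, router at $gw1
ext_if2 = "em1"            # line 2, router at $gw2
gw1     = "198.51.100.1"
gw2     = "203.0.113.1"
int_if  = "em2"
lan     = "192.168.73.0/24"

# Inbound connections on each line create state; reply-to stores the
# interface and next hop in that state entry, so the replies matching it
# are sent back through the router they arrived from instead of following
# the default route.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto tcp \
    from any to $lan port 80 keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto tcp \
    from any to $lan port 80 keep state

# Forwarding to and from the LAN side as usual.
pass out on $int_if keep state
pass in  on $int_if keep state
```

If both routers sit on the same interface, both rules would match the same inbound packets and pf has no MAC criterion to tell them apart, which is the gap Nikos points to.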