From: Dima Dorfman <dd@freebsd.org>
To: Brian Hawk
Cc: freebsd-net@freebsd.org
Date: Fri, 16 Nov 2007 00:14:29 +0000
Subject: Re: Interface address sourced packets go thru default gateway on another interface
Message-ID: <20071116001429.GE1499@beaver.trit.net>
In-Reply-To: <473C5593.4080407@tnetus.com>
References: <473C5593.4080407@tnetus.com>
X-PGP-Key: 69FAE582 (https://www.trit.org/~dima/dima.asc)
X-PGP-Fingerprint: B340 8338 7DA3 4D61 7632 098E 0730 055B 69FA E582
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: mutt-ng/devel-r804 (FreeBSD)

Brian Hawk wrote:
> since it shouldn't really happen and it used not to happen.
> Everything was working fine until I don't know when and why, now I
> cannot send any packets out thru my xl1 interface by binding its
> source address to the packets.

I don't think it ever worked the way you described. The source IP
address doesn't usually affect how replies will be routed on the way
out.

You can fix this with policy routing rules. Here's an example with PF:

    pass out quick route-to ($other_if $other_gw) from ($other_if)

$other_if is the name of the interface and $other_gw is the name of the
gateway through that interface. You need to do this for every interface
other than the one used by the default gateway. The rule says: If the
packet is coming from an IP address assigned to $other_if, then send it
through $other_gw.

If you use stateful inspection, you need corresponding reply-to rules
in the other direction:

    pass in quick reply-to ($other_if $other_gw) inet proto tcp to ($other_if) port ssh keep state

This idiom is useful on systems with multiple independent Internet
connections. With these rules, failure of the primary connection will
not prevent full connectivity through the secondary.

-- 
Dima
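A fuller pf.conf fragment built around the two rules in the reply above, added here as an illustration; it is not code from Dima's post or from any FreeBSD source. The interface names xl0/xl1, the gateway address 192.0.2.1 (from the documentation range) and the port list are assumed placeholders for a host with one default route on xl0 and a second uplink on xl1:

```pf
# Added example, not from the original post. Interface names, the gateway
# address and the ports are assumed placeholders for a dual-uplink host.
ext_if   = "xl0"          # primary uplink; the kernel default route points out here
other_if = "xl1"          # secondary uplink, no default route of its own
other_gw = "192.0.2.1"    # next hop on other_if's subnet (documentation address)

set skip on lo0
block in log all

# Outbound: any packet sourced from other_if's own address is handed to
# other_gw instead of following the default route on ext_if. This is the
# rule that makes replies and locally bound sockets leave via xl1.
pass out quick route-to ($other_if $other_gw) from ($other_if)

# Inbound to other_if's address, stateful: reply-to records other_gw in the
# state entry so the return traffic of the connection is routed back out
# through xl1 rather than through the default gateway.
pass in quick reply-to ($other_if $other_gw) inet proto tcp \
    to ($other_if) port { ssh, https } keep state

# Ordinary inbound service on the primary uplink; replies follow the
# routing table, which already sends them out ext_if.
pass in on $ext_if inet proto tcp to ($ext_if) port { ssh, https } keep state

# Everything else is routed by the kernel (default route via ext_if).
pass out keep state
```

Before loading, parse the file without applying it with `pfctl -vnf /etc/pf.conf`; `pfctl -sr` then shows the rules with the macros expanded, and `pfctl -ss` lets you confirm that states created by the reply-to rule carry the expected route. One rule pair like this is needed for each uplink other than the one holding the default route.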