From owner-freebsd-net@FreeBSD.ORG Mon Mar 12 22:07:38 2007
Message-ID: <45F5CF26.6070100@seudns.net>
Date: Mon, 12 Mar 2007 19:07:34 -0300
From: Alexandre Biancalana
To: freebsd-net@freebsd.org
In-Reply-To: <45F5A395.9010309@tomjudge.com>
Subject: Re: PF route-to behavior
List-Id: Networking and TCP/IP with FreeBSD

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Hi List,
>>>>>>>>
>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two
>>>>>>>> internet links but I can't get the route-to rule to function as I
>>>>>>>> need.
>>>>>>>>
>>>>>>>>                 (default gw)      ______
>>>>>>>> Link A <----------->             |int A |
>>>>>>>>                                  |      |
>>>>>>>> Link B <----------->             |int B |
>>>>>>>>                                  |______|
>>>>>>>>                                  FreeBSD FW
>>>>>>>>
>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>> connect to tcp ports on some external ips through each link. Using
>>>>>>>> nc and hping I tried to generate connections/packets from
>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>> always go out by the interface indicated by the machine's default
>>>>>>>> route.
>>>>>>>>
>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>> right interface based on their source address, but this does not
>>>>>>>> work, and the packets generated with the ip of int B are going out
>>>>>>>> by int A.
>>>>>>>>
>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>>>>>
>>>
>>> My mistake, I only looked at the header of the ping man page.
>>>
>>> These are the rules that I would use in that situation:
>>>
>>> # macros for link A and link B (the second set was mistyped as *_a
>>> # in the original post; $ip_b, $gw_b and $net_b must be defined for
>>> # the rules below to load)
>>> if_a=em0
>>> ip_a=192.168.0.2
>>> gw_a=192.168.0.1
>>> net_a=192.168.0.0/24
>>> if_b=em1
>>> ip_b=192.168.1.2
>>> gw_b=192.168.1.1
>>> net_b=192.168.1.0/24
>>>
>>> # traffic sourced from link B's address that the routing table sends
>>> # out if_a is redirected to if_b/gw_b, and vice versa
>>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_b to ! $net_b
>>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_a to ! $net_a
>>
>> The difference is that my rules are for internet traffic, I don't
>> have fixed destinations....
>>
>
> Ok so substitute the private IP addresses and networks in the rules (
> and the interfaces) and you should be sorted. We use exactly the same
> configuration but with both public IP Addresses on one interface.
> Then if you connect from $ip_b to a public IP address not in $net_b
> you should see it routed via if_b to $gw_b. The only time I have seen
> these rules fail is when the IPSec code in the kernel transmits ESP
> packets which seem to pass through pf with some weird interfaces set or
> don't pass through pf at all. All other traffic generated on ip_a or
> ip_b will always pass to the correct ISP's router.
>
> The fact that the example rules I posted used private IP addresses is
> neither here nor there; if you make the appropriate changes to:
>
> ip_[ab]
> gw_[ab]
> net_[ab]
> if_[ab]
>
> Then the example rules should do what you want.
>

I understand that, I just don't see much difference between your rules and
my rules example... both examples should work... but here none of them
work.....

Adding a static destination route to an external host via gw_b and pinging
with the int_a address, the packet exits by int_b with int_a source
address... the same behavior...

I tried your way:

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network

# pfctl -vv -sr
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]

Any more hints ?!

Alexandre
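The `pfctl -vv -sr` counters above are the diagnostic clue: both route-to rules are evaluated (88 and 80 times) but match zero packets, so pf never reaches the route-to action. The helper below is an added example, not code from the thread; it reads `pfctl -vv -sr` output and flags route-to rules in exactly that state. The sample output is constructed to match the format shown in the mail.

```shell
#!/bin/sh
# Find route-to rules that pf evaluates but never matches
# (Evaluations > 0, Packets == 0). Such a rule is never the reason a
# packet left on the wrong interface; its match criteria are what to
# re-check (interface, source address, address family).

# Constructed sample in the layout printed by `pfctl -vv -sr`; the rule
# numbers and counters mirror the ones quoted in the thread.
SAMPLE='@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88        Packets: 0         Bytes: 0           States: 0     ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
@30 pass out log on int_a inet from int_a to any
  [ Evaluations: 80        Packets: 12        Bytes: 1008        States: 2     ]'

# unmatched_route_to: read `pfctl -vv -sr` text on stdin and print
# "@<rule> <evaluations>" for every route-to rule with zero matched packets.
unmatched_route_to() {
    awk '
        # a rule line starts with its @number; remember it for the
        # counter line that follows
        /^@[0-9]+ / { rule = $0; next }
        # counter line: $3 = Evaluations value, $5 = Packets value
        /^ *\[ Evaluations:/ {
            if (rule ~ /route-to/ && $3 > 0 && $5 == 0) {
                split(rule, f, " ")
                print f[1], $3
            }
            rule = ""
        }'
}

# Offline run against the constructed sample; on the firewall itself use:
#   pfctl -vv -sr | unmatched_route_to
# Because the rules carry "log", the rule that actually matched a probe
# such as `ping -S <ip_b> <external host>` is visible with
#   tcpdump -n -e -ttt -i pflog0
printf '%s\n' "$SAMPLE" | unmatched_route_to
```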