From owner-freebsd-pf@FreeBSD.ORG Thu Feb 11 22:58:07 2010
From: geoffroy desvernay <dgeo@centrale-marseille.fr>
Date: Thu, 11 Feb 2010 23:38:56 +0100
To: Albert Shih
Cc: freebsd-pf@freebsd.org
Subject: Re: How make the route-to working ?
Message-ID: <4B748700.70409@centrale-marseille.fr>
In-Reply-To: <20100205123254.GN11310@obspm.fr>
Albert Shih wrote:
> Hi all,
>
> I have a problem with route-to.
>
> I have a server with 2 interfaces, and I'm running jails on this server. Each
> interface has its own public IP address.
>
> eth0 -- IP0
> eth1 -- IP1
>
> and I have a default route (for example in the IP0 subnet).
>
> So if the jail is in the IP0 subnet, no problem, everything works.
>
> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> jail, the answer comes out through eth0 because of the default route (suppose
> the client is not on my subnet).
>
> I don't want that. I want the answer to come out through eth1.
>
> I'm trying to use pf to do that and put in my pf.conf something like
>
> pass in all
> pass out all
> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>
> but it's not working: if I run a tcpdump on the host I can see the
> incoming packet come in on eth1 and the outgoing one come out on eth0.
>
> And if I try to remove the default route, the outgoing packets don't come out...
>
> Any help?
>
> Regards.

Hi,

I'm using this for the same case. You just have to catch the packets on the
interface they would normally go out on:

pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network

The other rule is not needed in this case.

You may also try a 'reply-to' rule on eth1's inbound instead, as David
DeSimone suggested.
A third and cleaner solution would be to use multiple routing tables - see
setfib(1) and 'options ROUTETABLES' in the kernel configuration...

HTH
--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
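As an added example (not code posted in this thread), here is a complete pf.conf for the two-interface jail host Albert describes. The interface names (em0/em1 standing in for the eth0/eth1 placeholders), the gateway and jail addresses (RFC 5737 documentation ranges) and the macro names are assumptions. It shows why the route-to rule has to sit on the default-route interface, as Geoffroy's reply says, and the reply-to alternative he mentions:

```pf
# Added example for the freebsd-pf thread above; not from the original mail.
# Interface names and addresses below are placeholders, not real values.
ext0  = "em0"            # interface that holds the default route ("eth0")
ext1  = "em1"            # second interface ("eth1")
gw1   = "203.0.113.1"    # IP1_Gateway: next hop reachable on $ext1's subnet
jail1 = "203.0.113.10"   # the jail bound to an address in the IP1 subnet

set skip on lo0

pass in all
pass out all

# Option 1 (what the reply recommends): the kernel routing table has already
# picked the default route, so pf sees the jail's traffic leaving on $ext0.
# Match it THERE and hand it to the $ext1 gateway. A rule written as
# "pass out on $ext1 route-to ..." never matches, because without this rule
# the packet never reaches $ext1 in the first place. Traffic to $ext1's own
# subnet is excluded so on-link hosts are not bounced through the gateway.
pass out on $ext0 route-to ($ext1 $gw1) from $jail1 to ! $ext1:network keep state

# Option 2 (the reply-to suggestion): record the inbound path in the state
# entry, so replies to connections that ARRIVED on $ext1 go back out through
# $gw1 no matter what the routing table says. This only covers traffic the
# jail answers; connections the jail itself opens still need Option 1.
pass in on $ext1 reply-to ($ext1 $gw1) proto tcp from any to $jail1 keep state
```

Use one of the two options rather than both for the same flows. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -ni em1` while a client outside both subnets connects to the jail: the SYN/ACK should now leave on em1, and `pfctl -ss` shows the state carrying the route-to or reply-to next hop. The setfib(1) route the reply mentions avoids policy routing in pf altogether: with a kernel built with `options ROUTETABLES=2`, give the second FIB its own default route (`setfib 1 route add default 203.0.113.1`) and start the jail under `setfib 1`, so everything the jail sends is routed via the ext1 gateway by the kernel itself.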