From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 15:54:00 2007
Message-ID: <45CB47B3.6060402@tomjudge.com>
Date: Thu, 08 Feb 2007 15:54:27 +0000
From: Tom Judge <tom@tomjudge.com>
To: Tom Judge
Cc: freebsd-pf@freebsd.org
References: <45BF6DFE.9060307@tomjudge.com>
In-Reply-To: <45BF6DFE.9060307@tomjudge.com>
Subject: Re: PF Policy routing failing to route ESP packets correctly
List-Id: "Technical discussion and general questions about packet filter (pf)"

Tom Judge wrote:
> Hi,
>
> I am having some problems getting policy routing of outbound ESP packets
> to work correctly. It seems the routing works fine for everything but
> esp packets. Is this a known bug?
>
> Tom
>
> Relevant PF rules:
>
> table { 100.198.71.78 , 100.198.71.66 }
>
> pass out quick route-to ( fxp0 100.198.71.65 ) inet from to ! 100.198.71.64/28 keep state label "RULE 21 -- "
>

Just a bump on this thread to see if anyone has any ideas about this problem.

Here is a slightly better description of the problem.

The network layout is available at: http://www.tomjudge.com/tmp/tunnels.png

From the diagram, Host A and Host B both have their default gateway set as ISP A's router, and have a PF rule that should route traffic from ISP B's addresses to ISP B's router. This seems to work for all traffic except the IPsec ESP packets, which always get transmitted to the default gateway that is set on the host. It seems that they do not pass through the firewall or for some reason do not match the route-to rule.

Can anyone suggest a solution to this problem?

PF rule Host A: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 112.0.0.1 ) inet from 112.0.0.2 to ! 112.0.0.0/27 keep state

PF rule Host B: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 114.0.0.1 ) inet from 114.0.0.2 to ! 114.0.0.0/27 keep state

Thanks
Tom
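Added diagnostic configuration for Host A, not part of Tom's post: the route-to rule from the message with `log` added, preceded by an explicit `proto esp` copy of it, plus the pfctl/tcpdump checks that show whether pf evaluates the ESP packets at all. The interface and addresses (bge1, 112.0.0.1, 112.0.0.2, 112.0.0.0/27) are the values from the post; the macro names, the extra rule and the check commands are assumptions made for this example.

```conf
# /etc/pf.conf fragment for Host A (added example, not the original rule set).
# bge1 and the 112.0.0.x values come from the post; the rest is assumed.

ext_if   = "bge1"
ispb_gw  = "112.0.0.1"
ispb_ip  = "112.0.0.2"
ispb_net = "112.0.0.0/27"

# Explicit ESP rule placed first while testing. 'log' copies every matching
# packet to pflog0 together with the rule number that matched it.
pass out log quick on $ext_if route-to ( $ext_if $ispb_gw ) inet proto esp \
    from $ispb_ip to ! $ispb_net keep state

# The original rule from the post, unchanged except for 'log', so all other
# traffic from ISP B's address keeps being policy-routed as before.
pass out log quick on $ext_if route-to ( $ext_if $ispb_gw ) inet \
    from $ispb_ip to ! $ispb_net keep state

# Checks (as root, with a tunnel active so ESP is actually being sent):
#   pfctl -f /etc/pf.conf                     # load the rule set
#   pfctl -vvsr                               # per-rule Evaluations/Packets counters
#   pfctl -ss | grep esp                      # state entries created for ESP
#   tcpdump -n -e -ttt -i pflog0 proto esp    # logged ESP packets + matching rule number
#   tcpdump -n -e -i bge1 proto esp           # what leaves the wire, with next-hop MAC
```

Reading the results: if the Packets counter of the first rule never moves and nothing for ESP appears on pflog0, pf on bge1 is not evaluating those packets, which is the first of the two explanations offered in the message above. If the counter increases and pflog0 shows the ESP packets hitting rule 0, but the destination MAC in the bge1 capture is still ISP A's router, the rule matches and the packets are nevertheless sent to the default gateway; that distinguishes a matching problem from a forwarding problem before asking the list for anything more specific.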