Date: Fri, 12 Feb 2010 17:44:54 +0100
From: Albert Shih <Albert.Shih@obspm.fr>
To: geoffroy desvernay <dgeo@centrale-marseille.fr>
Cc: freebsd-pf@freebsd.org
Subject: Re: How make the route-to working ?
Message-ID: <20100212164454.GA23456@obspm.fr>
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
References: <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr>
On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote:
> Albert Shih wrote:
> > Hi all,
> >
> > I have a problem with route-to.
> >
> > I have a server with 2 interfaces, and I'm running jails on this server. Each
> > interface has its own public IP address.
> >
> > eth0 -- IP0
> > eth1 -- IP1
> >
> > and I have a default route (for example in the IP0 subnet).
> >
> > So if the jail is in the IP0 subnet, no problem, everything works.
> >
> > Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> > jail, the answer comes out through eth0 because of the default route (suppose
> > the client is not on my subnet).
> >
> > I don't want that. I want the answer to come out through eth1.
> >
> > I'm trying to use pf to do that and put in my pf.conf something like
> >
> > pass in all
> > pass out all
> > pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
> > pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
> >
> > but it's not working; if I run a tcpdump on the host I can see the
> > incoming packet come in from eth1 and the outgoing one come out on eth0.
> >
> > And if I try to remove the default route, the outgoing packets don't come out....
> >
> > Any help?
> >
> > Regards.
>
Lots of thanks for your answer.
>
> You just have to catch packets on the interface they would go normally:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
>
> The other rule is not needed in this case
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.

OK, now it's working. But I have some big trouble with the bandwidth.

Now when I try to do something like an scp, ftp or wget from inside a jail to
outside, everything works fine. The traffic goes to the right interface, and the
answer too.

But when I try some network connection (ssh, scp, etc.) from outside to a jail,
the bandwidth is catastrophic (~40kB/s on 1Gbit/s).

And for you?

>
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I already tried this, but I don't know how to make it work. I'm going to try again.

Regards.

Thanks again.

-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone : 01 45 07 76 26/06 86 69 95 71
Local time: Fri 12 Feb 2010 17:41:22 CET
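As an added illustration, not part of the thread: a small Python checker for the mistake discussed above, a route-to rule attached to the interface the packet never leaves on. The pf.conf fragments are constructed from the rules quoted in the thread, and the checker assumes the default route sits on eth0.

```python
import re

# Constructed pf.conf fragments modelled on the thread (not copied from a real host).
ORIGINAL_RULES = """\
pass in all
pass out all
pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
"""

FIXED_RULES = """\
pass in all
pass out all
pass out on eth0 route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
"""

# Matches "pass out on IF route-to {(VIA GW)} from SRC ..." (braces optional).
ROUTE_TO = re.compile(
    r"^\s*pass\s+out\s+on\s+(?P<on>\S+)\s+route-to\s+\{?\s*\(\s*"
    r"(?P<via>\S+)\s+(?P<gw>[^)\s]+)\s*\)\s*\}?\s+from\s+(?P<src>\S+)"
)


def check_route_to(conf, default_if):
    """Return (line number, problem) for each route-to rule that cannot do its job.

    A 'pass out on IF' rule is only evaluated for packets the kernel has already
    routed to IF. Replies to off-subnet clients follow the default route, so a
    route-to rule for them must be 'on' the default-route interface; a rule
    'on' the other interface never sees those packets.
    """
    findings = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = ROUTE_TO.match(line)
        if not m:
            continue
        on, via, src = m["on"], m["via"], m["src"]
        if on != default_if:
            findings.append((lineno, f"rule is 'on {on}', but off-subnet packets from {src} "
                                     f"leave via the default route on {default_if}, so it never matches"))
        elif via == default_if:
            findings.append((lineno, f"route-to via {via} just repeats the default route; rule is redundant"))
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: {check_route_to(conf, 'eth0') or 'no problems found'}")
```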