From: Albert Shih <Albert.Shih@obspm.fr>
To: geoffroy desvernay
Cc: freebsd-pf@freebsd.org
Date: Fri, 12 Feb 2010 17:44:54 +0100
Subject: Re: How make the route-to working ?
Message-ID: <20100212164454.GA23456@obspm.fr>
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
References: <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote:
> Albert Shih wrote:
> > Hi all,
> >
> > I have a problem with route-to.
> >
> > I have a server with 2 interfaces, and I'm running jails on this server. Each
> > interface has its own public IP address.
> >
> > eth0 -- IP0
> > eth1 -- IP1
> >
> > and I have a default route (for example in the IP0 subnet).
> >
> > So if the jail is in the IP0 subnet, no problem, everything works.
> >
> > Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> > jail, the answer goes out through eth0 because of the default route (suppose
> > the client is not on my subnet).
> >
> > I don't want that. I want the answer to go out through eth1.
> >
> > I'm trying to use pf to do that and put in my pf.conf something like
> >
> > pass in all
> > pass out all
> > pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
> > pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
> >
> > but it's not working; if I run a tcpdump on the host I can see the
> > incoming packet come in on eth1 and the outgoing one go out on eth0.
> >
> > And if I try to remove the default route, the outgoing packet doesn't go out at all....
> >
> > Any help?
> >
> > Regards.
> >

Lots of thanks for your answer.

>
> You just have to catch packets on the interface they would go through normally:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>
> The other rule is not needed in this case.
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.

OK, now it's working. But I have some big trouble with the bandwidth.
Now when I try to do something like an scp, or ftp or wget from inside a jail to the outside, everything works fine. The traffic goes out the right interface, and so does the answer. But when I try to make a network connection (ssh, scp etc.) from outside to a jail, the bandwidth is catastrophic (~40kB/s on 1Gbit/s). And for you?

>
> A third and cleaner solution would be to use multiple routing tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I already tried this; I don't know how to make it work. I'm going to try again.

Regards.

Thanks again.

--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26 / 06 86 69 95 71
Local time: Fri 12 Feb 2010 17:41:22 CET
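Editor's note, not part of the thread: the two approaches discussed above (route-to on the interface the reply would otherwise leave on, and reply-to on the inbound rule) are written out below as a complete pf.conf fragment. It is an added example, not configuration posted by anyone in the thread. The interface names keep the thread's eth0/eth1 placeholders (FreeBSD interfaces are normally named after the driver, e.g. em0), and the addresses are constructed from documentation ranges; substitute your own.

```pf
# Added example: multi-homed host with a jail on the second interface's subnet.
# Assumed (hypothetical) topology:
#   eth0 -- 192.0.2.10/24,     default gateway 192.0.2.1
#   eth1 -- 198.51.100.10/24,  gateway 198.51.100.1
#   jail1 bound to 198.51.100.20 (alias on eth1)
ext0     = "eth0"
ext1     = "eth1"
gw0      = "192.0.2.1"
gw1      = "198.51.100.1"
net1     = "198.51.100.0/24"
jail1    = "198.51.100.20"

# Jail-to-host traffic over loopback needs no policy routing.
set skip on lo0

# Permissive base policy, as in the thread. pf uses last-match-wins, so the
# more specific route-to/reply-to rules below override these for the
# packets they match.
pass in all
pass out all

# Approach 1 (what geoffroy proposed): the kernel's default route sends the
# jail's replies out $ext0, so the packet must be caught there, on $ext0, and
# redirected to $ext1's gateway. A "pass out on $ext1 route-to" rule never
# sees these packets, because they never reach $ext1 on their own.
# Replies destined for $net1 itself stay on the local segment, hence the negation.
pass out on $ext0 route-to ($ext1 $gw1) from $jail1 to ! $net1

# Approach 2 (David DeSimone's suggestion): create the state on the inbound
# side. reply-to records the return path in the state entry, so the reply to
# each connection entering on $ext1 is sent back through $ext1's gateway
# regardless of the routing table. Only connections initiated from outside
# are covered; traffic the jail initiates itself still follows the default route.
pass in on $ext1 reply-to ($ext1 $gw1) from any to $jail1 keep state
```

Load with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr` that the route-to/reply-to rules appear after the catch-all passes. A `tcpdump -ni eth1` on the host while connecting to the jail from outside should then show both directions on eth1. Using only one of the two approaches at a time makes it easier to tell which rule is actually handling a given flow; `pfctl -ss` shows the state entries and `pfctl -si` the counters (including state-mismatch drops) that are worth watching when throughput looks wrong, as reported above.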