From: Ben Shelton
To: freebsd-pf@freebsd.org
Date: Thu, 17 Mar 2005 13:33:44 -0800
Subject: pf route-to?

Hi all,

I've got a little bit of an issue with pf and the route-to statement. We have 2 ISPs currently and I'd like to get both of the uplinks put on the freebsd box using pf to firewall/route for them. I have a couple route-to rules set up but they don't seem to do much. I'm sure I'm just missing some little detail here or misunderstanding exactly what route-to is doing but I can't find any examples.

I've got:

    ISP1    ISP2
      |      |
      firewall
         |
    internal net

So the internal net has hosts on both ISP1 and ISP2's subnets and therefore has traffic to/from both ISPs travelling on it. The firewall is the default router for both internal subnets (via aliases on the interface).
I have the pf rules:

    pass in quick on $inside_int route-to ( $ISP1_int $ISP1_router ) \
        inet proto icmp from $ISP1_inside_net to any keep state
    pass out quick on $ISP1_int route-to ( $ISP1_int $ISP1_router ) \
        inet proto icmp from $ISP1_inside_net to any keep state

It doesn't seem to work. I do a tcpdump on $ISP1_int and don't see any traffic from a host inside, though I do see the traffic on $inside_int. Something's not being routed properly. I moved these two rules up pretty far in the ruleset to make sure they're not being dropped quick by anything else, but to no avail. There are no antispoof rules here or anything, so that probably isn't a factor.

Any help is greatly appreciated. I'm down to just banging my head on the box hoping it works (and it doesn't seem to be helping).

Later,
Ben
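For reference, a complete dual-uplink pf.conf sketch built around route-to, added here as an example and not part of the original post. Interface names, gateway addresses and subnets are placeholders; it assumes, as in the setup above, that internal hosts carry addresses from both ISPs' subnets (so no NAT is needed) and that the kernel's default route points at ISP1.

```pf
# Placeholders: replace with the real interfaces, subnets and gateways.
inside_int      = "fxp0"
ISP1_int        = "fxp1"
ISP1_router     = "192.0.2.1"          # ISP1 next hop (placeholder)
ISP1_inside_net = "192.0.2.128/25"     # internal hosts addressed by ISP1
ISP2_int        = "fxp2"
ISP2_router     = "198.51.100.1"       # ISP2 next hop (placeholder)
ISP2_inside_net = "198.51.100.128/25"  # internal hosts addressed by ISP2

block in  log all
block out log all

# Traffic addressed to the firewall itself, and traffic back into the LAN.
pass in  quick on $inside_int from { $ISP1_inside_net, $ISP2_inside_net } to $inside_int
pass out quick on $inside_int to { $ISP1_inside_net, $ISP2_inside_net }

# Policy routing by source address. route-to belongs on the "pass in" rule
# of the interface the packet arrives on; it overrides the kernel routing
# table for every packet of the state that rule creates.
pass in on $inside_int route-to ($ISP1_int $ISP1_router) \
    from $ISP1_inside_net to any keep state
pass in on $inside_int route-to ($ISP2_int $ISP2_router) \
    from $ISP2_inside_net to any keep state

# A rerouted packet is still checked on its way out of the new interface,
# so keep a matching "pass out" on each uplink.
pass out on $ISP1_int from $ISP1_inside_net to any keep state
pass out on $ISP2_int from $ISP2_inside_net to any keep state

# Packets sourced from the firewall's own address on one uplink, which the
# default route would otherwise send out the other, go back where they belong.
pass out on $ISP1_int route-to ($ISP2_int $ISP2_router) from $ISP2_int to any
pass out on $ISP2_int route-to ($ISP1_int $ISP1_router) from $ISP1_int to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch each uplink with tcpdump while an internal host on each subnet sends traffic, which confirms whether the route-to state is being created on the inside interface.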