Date: Sat, 13 Feb 2010 09:11:24 +0100 From: geoffroy desvernay <dgeo@centrale-marseille.fr> To: Albert Shih <Albert.Shih@obspm.fr> Cc: freebsd-pf@freebsd.org Subject: Re: How make the route-to working ? Message-ID: <4B765EAC.9020201@centrale-marseille.fr> In-Reply-To: <20100212164454.GA23456@obspm.fr> References: <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr> <20100212164454.GA23456@obspm.fr>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
Albert Shih a écrit :
> Le 11/02/2010 à 23:38:56+0100, geoffroy desvernay a écrit
>> Albert Shih a écrit :
>>> Hi all,
>>>
>>> I've a problem with route-to.
>>>
>>> I've a server with 2 interfaces, and I'm running jail on this server. Each
>>> interface have is own public IP address.
>>>
>>> eth0 -- IP0 eth1 -- IP1
>>>
>>> and I've a default route (for example in IP0 subnet).
>>>
>>> So if the jail is in the IP0 subnet no problem everything work.
>>>
>>> Now if I put a jail in IP1 subnet, and some client try to connect to this
>>> jail the answer come out through eth0 because of the default route (suppose
>>> the client is not on my subnet).
>>>
>>> I don't want that. I want the answer come out through the eth1
>>>
>>> I'm trying to use pf to do that and put in my pf.conf something like
>>>
>>> pass in all
>>> pass out all
>>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
>>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
>>>
>>> but it's not working, if I run a tcpdump on the host I can see the
>>> incoming packet come in from eth1 and the outgoing come out on eth0.
>>>
>>> And if I try do remove default route the outgoing packet don't come out....
>>>
>>> Any help ?
>>>
>>> Regards.
>>>
> Lots of thanks for your answer.
>
>> You just have to catch packets on the interface they would go normally:
>>
>> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
>>
>> The other rule is not needed in this case
>>
>> You may also try instead a 'reply-to' rule on eth1's inbound, as David
>> DeSimone suggested.
>
> OK now it's working. But I have some big trouble about the bandwith.
>
> Now when I try to do something like a scp, or ftp or wget from inside a
> jail to outside, everything work fine. The traffic go to right interface,
> the answer too.
>
> But when I try to do some network connection (ssh, scp etc..) from outside
> to a jail the bandwith is catastrophic (~40kB/s on 1Gbit/s).
>
> And for you ?
>
Using this kind of setup since at least two years for ~500 real users
without complains... (three different 'ssh jails' on the same machine
with many vlans and three "default" gateways)
>> A third and cleaner solution would be to use multiple routing-tables -
>> see setfib(1) and 'options ROUTETABLES' of the kernel...
>
> I already try this, I don't known how to make it work. I'm going to try
> again.
>
I'm also planning to test this... since more than a year :-|
--
*Geoffroy Desvernay*
C.R.I - Administration systèmes et réseaux
Ecole Centrale de Marseille
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBCAAGBQJLdl6vAAoJEC0NWrh8JT1SPqkIAKTRkc4ovBe4QUp43f7FWnpm
lcJ4sn0WbYV5/0SopT24GxVShRpf9dcsKB3BUW0UxzZJrEhq3FLSlTUfx+if3T9T
/1eYClP3UYSlloRkJBgeDZebecgk0I6qcHPlJEVMRhzY96n3Q8qhOtOdyugw84dW
I42pMr2166KQoW12vSqQNl6c73Z82yBD9cnLNxDWs5paQ9uBZdrHUoDUx8biqSUo
/5OvDTk0I7GZl/pv1Of+Q5x/ThFZzupAoq7Z+8GX8II79LMtZxsQ9PBrqXh7a9gv
86eaUa/yL5Iz4oVyiIuE1y7IZL7HWORVNfrQu8dYvxTbQ3zMkDOvu6g71Fv2JDg=
=feiM
-----END PGP SIGNATURE-----
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B765EAC.9020201>