From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 08:12:27 2010
From: geoffroy desvernay <dgeo@centrale-marseille.fr>
Date: Sat, 13 Feb 2010 09:11:24 +0100
To: Albert Shih
Cc: freebsd-pf@freebsd.org
Subject: Re: How make the route-to working ?
Message-ID: <4B765EAC.9020201@centrale-marseille.fr>
In-Reply-To: <20100212164454.GA23456@obspm.fr>
References: <20100205123254.GN11310@obspm.fr> <4B748700.70409@centrale-marseille.fr> <20100212164454.GA23456@obspm.fr>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Albert Shih wrote:
> On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote:
>> Albert Shih wrote:
>>> Hi all,
>>>
>>> I have a problem with route-to.
>>>
>>> I have a server with 2 interfaces, and I'm running jails on this server. Each
>>> interface has its own public IP address.
>>>
>>> eth0 -- IP0
>>> eth1 -- IP1
>>>
>>> and I have a default route (for example in the IP0 subnet).
>>>
>>> So if the jail is in the IP0 subnet, no problem, everything works.
>>>
>>> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
>>> jail, the answer comes out through eth0 because of the default route (suppose
>>> the client is not on my subnet).
>>>
>>> I don't want that. I want the answer to come out through eth1.
>>>
>>> I'm trying to use pf to do that and put in my pf.conf something like
>>>
>>> pass in all
>>> pass out all
>>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
>>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>>>
>>> but it's not working: if I run a tcpdump on the host I can see the
>>> incoming packets come in on eth1 and the outgoing ones come out on eth0.
>>>
>>> And if I try to remove the default route, the outgoing packets don't come out....
>>>
>>> Any help?
>>>
>>> Regards.
>>>
> Lots of thanks for your answer.
>
>> You just have to catch packets on the interface they would go normally:
>>
>> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>>
>> The other rule is not needed in this case.
>>
>> You may also try instead a 'reply-to' rule on eth1's inbound, as David
>> DeSimone suggested.
>
> OK, now it's working. But I have some big trouble with the bandwidth.
>
> Now when I try to do something like an scp, or ftp or wget from inside a
> jail to outside, everything works fine. The traffic goes to the right interface,
> the answer too.
>
> But when I try to make some network connection (ssh, scp etc..) from outside
> to a jail, the bandwidth is catastrophic (~40kB/s on 1Gbit/s).
>
> And for you?
>
Using this kind of setup since at least two years for ~500 real users
without complaints... (three different 'ssh jails' on the same machine with
many vlans and three "default" gateways)

>> A third and cleaner solution would be to use multiple routing tables -
>> see setfib(1) and 'options ROUTETABLES' of the kernel...
>
> I already tried this, I don't know how to make it work. I'm going to try
> again.
>
I'm also planning to test this...
since more than a year :-|

--
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
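To make the difference between the two rulesets concrete, here is a worked pf.conf for the two-interface jail host described in the thread. It is an added illustration, not configuration posted by anyone in the thread; the interface names come from the thread, while the gateway and jail addresses are constructed placeholders (TEST-NET-1) standing in for IP1_Gateway and the jail's IP1-subnet address.

```pf
# Added illustration for the setup discussed in this thread (not a poster's
# config). Addresses below are constructed placeholders, not real hosts.
ext0  = "eth0"           # interface carrying the host's default route (IP0 subnet)
ext1  = "eth1"           # second interface (IP1 subnet), IP1_Gateway lives here
gw1   = "192.0.2.1"      # placeholder for IP1_Gateway
jail1 = "192.0.2.10"     # placeholder for the jail address in the IP1 subnet

pass in all
pass out all

# What the original ruleset tried: a route-to rule on eth1. It never
# matches, because the kernel's route lookup has already chosen eth0 (the
# default route) for replies from the jail, so pf evaluates those packets
# on eth0, not on eth1. Left here commented out for comparison.
# pass out on $ext1 route-to ($ext1 $gw1) from $jail1 to ! $ext1:network

# The working rule: match on the interface the packet WOULD leave on (eth0)
# and hand it to eth1's gateway instead. Destinations inside eth1's own
# network are excluded so they are still delivered directly, not via $gw1.
pass out on $ext0 route-to ($ext1 $gw1) from $jail1 to ! $ext1:network

# Alternative for connections initiated from outside: a stateful reply-to
# rule on eth1's inbound. The state entry remembers that the connection
# arrived via eth1, and return traffic is sent back out through $gw1
# without ever consulting the default route. This can be used on its own
# for inbound sessions, or together with the route-to rule above, which
# still covers connections the jail itself initiates.
pass in on $ext1 reply-to ($ext1 $gw1) to $jail1 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the behaviour the same way the thread does, with `tcpdump -ni eth1` while a client outside both subnets connects to the jail: both directions of the session should now appear on eth1. The multiple-routing-table approach mentioned in the thread is a different mechanism altogether: a second FIB whose default route points at IP1_Gateway, with the jail started under setfib(1) so the kernel itself picks eth1, and no route-to rule is needed.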