From owner-freebsd-net@FreeBSD.ORG Thu Mar 20 13:43:58 2008
From: Stefan Lambrev (stefan.lambrev@moneybookers.com)
Date: Thu, 20 Mar 2008 15:43:44 +0200
To: Vlad GALU
Cc: freebsd-net@freebsd.org
Subject: Re: route-to not working
Message-ID: <47E26A10.4040305@moneybookers.com>
References: <47E25F45.8010805@moneybookers.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Thunderbird 2.0.0.12 (X11/20080229)

Vlad GALU wrote:
> On 3/20/08, Stefan Lambrev wrote:
>
>> Greetings,
>>
>> Wesley wrote:
>> > Dear people,
>> >
>> > I have 2 links on a box, and I don't want to load balance it, but only to
>> > reply to requests on the same interface they come in on.
>> >
>> > I tried to use route-to, but it does not seem to work.
>> >
>> > Could you please give me some help?
>> >
>>
>> I do not see where you use "reply-to" in your configuration.
>>
>> But here is a working example which you can improve, of course.
>>
>> #dual home
>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
>> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>>
>> #dual home ssh only
>> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>> pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
>> pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
>>
>
> Don't mind me asking, but isn't your example working due to your
> route-to rules? I, as well as Wesley, assumed that reply-to should've
> been enough to reach the goal.
>

It's working because of the reply-to rules - incoming packets do not match the "pass out route-to" rules. The "pass out" rules are needed if the packet(s) are generated locally and do not match the "pass in" rules. You forget that the first rule to match wins, and keep state (which is on by default in 7.0) will make replies match the state, not the pass out rules.

>> > It's my configuration:
>> >
>> > set skip on lo0
>> > scrub on xl0 reassemble tcp no-df random-id
>> > scrub on xl1 reassemble tcp no-df random-id
>> > scrub on dc0 reassemble tcp no-df random-id
>> > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
>> > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
>> > antispoof quick for {xl0,dc0,xl1}
>> > block proto tcp from 172.16.0.0/24 to any port 3128
>> > # Internal Traffic
>> > pass in quick on dc0 from any to any
>> > pass out quick on dc0 from any to any
>> > # Outgoing
>> > pass out on xl0 proto tcp all flags S/SA modulate state
>> > pass out on xl0 proto { udp, icmp } all keep state
>> > pass out on xl1 proto tcp all flags S/SA modulate state
>> > pass out on xl1 proto { udp, icmp } all keep state
>> > # Pass basic services
>> > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
>> > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
>> > pass in on xl0 proto udp from any to any port 53
>> > pass in on xl1 proto udp from any to any port 53
>> > # Pass VPN
>> > pass in quick on xl1 proto udp from any to port 1194 keep state
>> > pass quick on tun0
>> > # Source nat route
>> > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
>> > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
>> > # Close
>> > block return-rst in log quick on xl0 inet proto tcp from any to any
>> > block return-rst in log quick on xl1 inet proto tcp from any to any
>> > block return-icmp in log quick on xl0 proto udp from any to any
>> > block return-icmp in log quick on xl1 proto udp from any to any
>> > block in quick on xl0 all
>> > block in quick on xl1 all
>> >
>> > Best Regards,
>> >
>> > Wesley Gentine
>> > _______________________________________________
>> > freebsd-net@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>> >
>>

--

Best Wishes,
Stefan Lambrev
ICQ# 24134177
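The fix the thread converges on, applied to Wesley's own rule set, as an added illustration that is not part of any message in this thread: the inbound service rules gain a `reply-to` so the state entry records the interface and gateway the request arrived on, while the `route-to` rules remain for locally generated traffic. The interface names and gateway addresses come from the posted configuration; the pairing of 200.232.164.1 with xl1 and 201.83.16.1 with xl0 is assumed from his route-to rules, and the macro names are invented here.

```pf
# Before (as posted): state is created on the inbound interface, but the
# reply packet is routed by the system routing table and may leave on the
# other link, so the peer sees the answer from an unexpected address.
pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state

# After: reply-to stores the inbound interface and its gateway in the state
# entry, so replies are sent back the way the request came in. Replies match
# the state before any rule is evaluated, so the "pass out" rules below never
# see them. Gateway pairing assumed from the posted route-to rules.
gw_xl0 = "201.83.16.1"
gw_xl1 = "200.232.164.1"

pass in quick on xl1 reply-to (xl1 $gw_xl1) proto tcp from any to any port { 22, 21, 1194 } keep state
pass in quick on xl0 reply-to (xl0 $gw_xl0) proto tcp from any to any port { 22, 21, 1194 } keep state
pass in quick on xl1 reply-to (xl1 $gw_xl1) proto udp from any to any port { 53, 1194 } keep state
pass in quick on xl0 reply-to (xl0 $gw_xl0) proto udp from any to any port 53 keep state

# Locally generated traffic never matches a "pass in" rule, so it still needs
# route-to to leave on the link whose address it is sourced from.
pass out on xl0 route-to (xl1 $gw_xl1) from xl1 to any
pass out on xl1 route-to (xl0 $gw_xl0) from xl0 to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm with `pfctl -s state` that connections arriving on xl1 create their state on xl1; a reply to such a connection leaving on xl0 means the inbound rule that created the state lacks `reply-to` or was shadowed by an earlier `quick` rule.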