Date: Thu, 20 Mar 2008 16:22:51 +0200 From: "Vlad GALU" <dudu@dudu.ro> To: "Stefan Lambrev" <stefan.lambrev@moneybookers.com> Cc: freebsd-net@freebsd.org Subject: Re: route-to not working Message-ID: <ad79ad6b0803200722y51697e6eid0ea30f3f18d36c1@mail.gmail.com> In-Reply-To: <47E26A10.4040305@moneybookers.com> References: <a49a70ea0803190611u317b289fkb3c7c3c82bdd7c2f@mail.gmail.com> <a49a70ea0803200524h594d5cb3pcfc903145fc244a7@mail.gmail.com> <47E25F45.8010805@moneybookers.com> <ad79ad6b0803200606n1fc2bffhb56e836412b61791@mail.gmail.com> <47E26A10.4040305@moneybookers.com>
On 3/20/08, Stefan Lambrev <stefan.lambrev@moneybookers.com> wrote:
>
>
> Vlad GALU wrote:
> > On 3/20/08, Stefan Lambrev <stefan.lambrev@moneybookers.com> wrote:
> >
> >> Greetings,
> >>
> >>
> >>
> >> Wesley wrote:
> >> > Dear people,
> >> >
> >> > I have 2 links on a box, and I don't want to load balance them, but only to
> >> > reply to requests on the same interface they come in on.
> >> >
> >> > I tried to use route-to, but it does not seem to work.
> >> >
> >> > Could you please give me some help?
> >> >
> >>
> >> I do not see where you use "reply-to" in your configuration.
> >>
> >> But here is a working example which you can improve, of course.
> >>
> >> #dual home
> >> pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
> >> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
> >> pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
> >> pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
> >>
> >> #dual home ssh only
> >> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
> >> pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
> >> pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
> >> pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
> >>
> >
> >
> > Don't mind me asking, but isn't your example working due to your
> > route-to rules? I, as well as Wesley, assumed that reply-to should've
> > been enough to reach the goal.
> >
>
> It's working because of the reply-to rules - incoming packets do not match
> the "pass out route-to" rules.
> The "pass out" rules are needed if the packet(s) are generated locally
> and do not match the "pass in" rules.
>
> You forget that the first rule to match wins, and keep state (which is on
> by default in 7.0)
> will make replies match the state, not the pass out rules.
Yes, you're right, I'm sorry :) ENOTENOUGHCOFFEE :) However, I do
recall having seen the symptom once myself.
>
> >
> >> > It's my configuration:
> >> >
> >> > set skip on lo0
> >> > scrub on xl0 reassemble tcp no-df random-id
> >> > scrub on xl1 reassemble tcp no-df random-id
> >> > scrub on dc0 reassemble tcp no-df random-id
> >> > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> >> > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> >> > antispoof quick for {xl0,dc0,xl1}
> >> > block proto tcp from 172.16.0.0/24 to any port 3128
> >> > # Internal Traffic
> >> > pass in quick on dc0 from any to any
> >> > pass out quick on dc0 from any to any
> >> > # Outgoing
> >> > pass out on xl0 proto tcp all flags S/SA modulate state
> >> > pass out on xl0 proto { udp, icmp } all keep state
> >> > pass out on xl1 proto tcp all flags S/SA modulate state
> >> > pass out on xl1 proto { udp, icmp } all keep state
> >> > # Pass basic services
> >> > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> >> > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> >> > pass in on xl0 proto udp from any to any port 53
> >> > pass in on xl1 proto udp from any to any port 53
> >> > # Pass VPN
> >> > pass in quick on xl1 proto udp from any to port 1194 keep state
> >> > pass quick on tun0
> >> > # Source nat route
> >> > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> >> > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> >> > # Close
> >> > block return-rst in log quick on xl0 inet proto tcp from any to any
> >> > block return-rst in log quick on xl1 inet proto tcp from any to any
> >> > block return-icmp in log quick on xl0 proto udp from any to any
> >> > block return-icmp in log quick on xl1 proto udp from any to any
> >> > block in quick on xl0 all
> >> > block in quick on xl1 all
> >> >
> >> > Best Regards,
> >> >
> >> > Wesley Gentine
> >> > _______________________________________________
> >> > freebsd-net@freebsd.org mailing list
> >> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >> >
> >>
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >>
> >>
> >>
> >>
> >
> >
> >
>
>
>
--
~/.signature: no such file or directory
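Added example (not part of the thread, and not Stefan's or Wesley's ruleset): a minimal dual-homed pf.conf built the way Stefan describes, so that replies to inbound connections leave on the interface they arrived on. Interface names and gateway addresses are taken from the route-to rules in Wesley's posted config; the `($ext_if1)`/`($ext_if2)` address macros and the ssh-only service are assumptions for illustration. Applied to Wesley's ruleset, the point is the `reply-to (...)` clause that his `pass in quick on xl0`/`xl1` rules lack.

```pf
# Added example, not from the thread. Interfaces and gateways come from
# Wesley's config; host addresses are taken dynamically from the interfaces.
ext_if1 = "xl0"
ext_if2 = "xl1"
gw1 = "201.83.16.1"      # next hop reachable via xl0
gw2 = "200.232.164.1"    # next hop reachable via xl1

set skip on lo0

# pf applies the last matching rule unless "quick" is used, so the default
# deny is listed first and the pass rules below override it.
block in log on { $ext_if1, $ext_if2 } all

# Inbound connections: "reply-to" records the arriving interface and its
# gateway in the state entry, so reply packets are sent back out that
# interface regardless of the default route. Without "keep state" there is
# no state entry and reply-to has nothing to act on.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to ($ext_if1) port 22 keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to ($ext_if2) port 22 keep state

# Locally generated traffic. Replies to the connections above never reach
# these rules: they already match the state created by the "pass in" rules.
# The route-to rules only catch packets the routing table would push out
# the wrong link, i.e. sourced from one interface's address but routed via
# the other.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any keep state
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then connect to port 22 on the non-default link's address and watch with `tcpdump -ni xl0` and `tcpdump -ni xl1`: the SYN/ACK should appear on the interface the SYN arrived on. `pfctl -ss` shows the state entries the inbound rules created; if a connection's replies still leave via the default route, the inbound rule that matched it either lacks `reply-to` or did not create state.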
