From owner-freebsd-net@FreeBSD.ORG Thu Mar 20 14:22:55 2008
Date: Thu, 20 Mar 2008 16:22:51 +0200
From: "Vlad GALU"
To: "Stefan Lambrev"
Cc: freebsd-net@freebsd.org
Subject: Re: route-to not working
In-Reply-To: <47E26A10.4040305@moneybookers.com>
References: <47E25F45.8010805@moneybookers.com> <47E26A10.4040305@moneybookers.com>
List-Id: Networking and TCP/IP with FreeBSD

On 3/20/08, Stefan Lambrev wrote:
>
> Vlad GALU wrote:
> > On 3/20/08, Stefan Lambrev wrote:
> >
> >> Greetings,
> >>
> >> Wesley wrote:
> >> > Dear people,
> >> >
> >> > I have 2 links on a box, and I don't want to load balance them, but only
> >> > to reply to requests on the same interface they come in on.
> >> >
> >> > I tried to use route-to, but it does not seem to work.
> >> >
> >> > Could you please give me some help?
> >> >
> >>
> >> I do not see where you use "reply-to" in your configuration.
> >>
> >> But here is a working example which you can improve, of course.
> >>
> >> #dual home
> >> pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
> >> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
> >> pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
> >> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
> >>
> >> #dual home ssh only
> >> pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
> >> pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
> >> pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
> >> pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
> >>
> >
> > Don't mind me asking, but isn't your example working due to your
> > route-to rules? I, as well as Wesley, assumed that reply-to should've
> > been enough to reach the goal.
>
> It's working because of the reply-to rules - incoming packets do not match
> "pass out route-to" rules.
> The "pass out" rules are needed if the packet(s) are generated locally
> and do not match the "pass in" rules.
>
> You forget that the first rule to match wins and keep state (which is on
> by default in 7.0) will make replies match the state, not the pass out rules.

Yes, you're right, I'm sorry :) ENOTENOUGHCOFFEE :) However, I do recall
having seen the symptom once myself.

> >> > It's my configuration:
> >> >
> >> > set skip on lo0
> >> > scrub on xl0 reassemble tcp no-df random-id
> >> > scrub on xl1 reassemble tcp no-df random-id
> >> > scrub on dc0 reassemble tcp no-df random-id
> >> > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> >> > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> >> > antispoof quick for {xl0,dc0,xl1}
> >> > block proto tcp from 172.16.0.0/24 to any port 3128
> >> > # Internal Traffic
> >> > pass in quick on dc0 from any to any
> >> > pass out quick on dc0 from any to any
> >> > # Outgoing
> >> > pass out on xl0 proto tcp all flags S/SA modulate state
> >> > pass out on xl0 proto { udp, icmp } all keep state
> >> > pass out on xl1 proto tcp all flags S/SA modulate state
> >> > pass out on xl1 proto { udp, icmp } all keep state
> >> > # Pass basic services
> >> > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> >> > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> >> > pass in on xl0 proto udp from any to any port 53
> >> > pass in on xl1 proto udp from any to any port 53
> >> > # Pass VPN
> >> > pass in quick on xl1 proto udp from any to port 1194 keep state
> >> > pass quick on tun0
> >> > # Source nat route
> >> > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> >> > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> >> > # Close
> >> > block return-rst in log quick on xl0 inet proto tcp from any to any
> >> > block return-rst in log quick on xl1 inet proto tcp from any to any
> >> > block return-icmp in log quick on xl0 proto udp from any to any
> >> > block return-icmp in log quick on xl1 proto udp from any to any
> >> > block in quick on xl0 all
> >> > block in quick on xl1 all
> >> >
> >> > Best Regards,
> >> >
> >> > Wesley Gentine
> >> > _______________________________________________
> >> > freebsd-net@freebsd.org mailing list
> >> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >> >
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >>

--
~/.signature: no such file or directory
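As an added example (not part of the thread, and not Wesley's or Stefan's configuration): the inbound service rules from Wesley's ruleset with reply-to added, in the shape of Stefan's dual-home example. The gateway addresses are the ones named in the route-to rules he posted; that they are the correct next hop for each link is an assumption.

```pf
# Interfaces and next hops. The gateway addresses come from Wesley's own
# route-to rules; that they are the right next hop for each link is an
# assumption of this example.
ext_if1 = "xl0"
ext_if2 = "xl1"
gw1 = "201.83.16.1"     # next hop reached through xl0
gw2 = "200.232.164.1"   # next hop reached through xl1

# Before: the inbound rule as posted. A state is created, but the state
# records nothing about where replies must go, so replies follow the
# routing table and a connection that arrived on xl1 can be answered
# out xl0, where the far side will not accept it.
pass in quick on $ext_if1 proto tcp from any to any port { 22, 21, 1194 } keep state

# After: the same rule with reply-to. The state now records the interface
# and gateway, and reply packets matching the state are sent back that
# way before any "pass out" rule is consulted. One rule per link.
pass in quick on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to ($ext_if1) port { 22, 21, 1194 } keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to ($ext_if2) port { 22, 21, 1194 } keep state

# The same applies to every other "pass in" rule on the two external
# interfaces (DNS, OpenVPN). "keep state" is required: reply-to only has
# meaning for a rule that creates state.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto udp from any to ($ext_if1) port 53 keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto udp from any to ($ext_if2) port 53 keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $gw2) proto udp from any to ($ext_if2) port 1194 keep state

# The "pass out ... route-to" rules stay. They are for traffic the box
# itself originates from the address of one link while the routing table
# would send it out the other; replies to inbound connections never
# reach them because the state matches first.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any
```

With this in place, `pfctl -ss` shows the states created on each interface, and a connection accepted on xl1 should be answered out xl1 regardless of the default route.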