From owner-freebsd-pf@FreeBSD.ORG Sat Feb 13 11:49:11 2010
From: "Sam Fourman Jr." <sfourman@gmail.com>
To: geoffroy desvernay
Cc: Albert Shih, freebsd-pf@freebsd.org
Date: Sat, 13 Feb 2010 05:19:20 -0600
Subject: Re: How make the route-to working ?
In-Reply-To: <4B748700.70409@centrale-marseille.fr>
Message-ID: <11167f521002130319h42e131bbic432b4122773d383@mail.gmail.com>
On Thu, Feb 11, 2010 at 4:38 PM, geoffroy desvernay wrote:
> Albert Shih wrote:
>> Hi all,
>>
>> I've a problem with route-to.
>>
>> I've a server with 2 interfaces, and I'm running jails on this server. Each
>> interface has its own public IP address.
>>
>>        eth0 -- IP0             eth1 -- IP1
>>
>> and I've a default route (for example in the IP0 subnet).
>>
>> So if the jail is in the IP0 subnet, no problem, everything works.
>>
>> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
>> jail, the answer comes out through eth0 because of the default route (suppose
>> the client is not on my subnet).
>>
>> I don't want that. I want the answer to come out through eth1.
>>
>> I'm trying to use pf to do that and put in my pf.conf something like
>>
>> pass in all
>> pass out all
>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet
>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet
>>
>> but it's not working; if I run a tcpdump on the host I can see the
>> incoming packet come in on eth1 and the outgoing one come out on eth0.
>>
>> And if I try to remove the default route the outgoing packet doesn't come out....
>>
>> Any help?
>>
>> Regards.
>>
>>
> Hi,
>
> I'm using that for the same case:
>
> You just have to catch packets on the interface they would go normally:
>
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from to !eth1:network
>
> The other rule is not needed in this case.
>
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.
>
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I have searched the net high and low and I cannot find any good examples on
how to use multiple routing tables. I agree that it would be cleaner; do you
have an example of how to do this?

If anyone has links to examples for multiple routing tables, please post them.

Sam Fourman Jr.
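Both approaches raised in the thread, written out as an added example (this is not code from any of the posters). The interface names em0/em1, the RFC 5737 addresses, the jail path and hostname, and the FreeBSD 8-era `jail(8)` invocation are all assumptions; substitute your own. Two points are easy to miss with the pf approach: a reply to a connection a client opened is matched against the state created by the `pass in` rule and is never evaluated against `pass out` rules, so `reply-to` on that inbound rule is what steers the answer back through eth1; and a connection the jail itself opens is a new outbound packet on the interface the routing table chose (eth0), so that is where `route-to` has to sit, as geoffroy says. The FIB approach instead gives the jail its own routing table with its own default route, but it only covers sockets owned by the jail's processes, so host-generated answers such as ICMP errors still follow FIB 0.

```shell
#!/bin/sh
# Added example for the freebsd-pf thread above (not the posters' code):
# steer a jail's traffic out the second interface of a two-interface host,
# either with pf route-to/reply-to or with a second FIB via setfib(1).
# All addresses, interface and jail names are constructed placeholders.
set -eu

IF0=em0;  NET0=192.0.2.0/24;     GW0=192.0.2.1      # default route lives here
IF1=em1;  NET1=198.51.100.0/24;  GW1=198.51.100.1   # the jail's subnet
JAIL_IP=198.51.100.20
JAIL_FIB=1                      # routing table the jail will run in
JAIL_PATH=/jails/www            # assumed jail root
JAIL_HOST=www.example.org       # assumed jail hostname

# Approach A: pf only.  reply-to on the inbound rule handles connections
# clients open to the jail (their replies match this state and skip the
# outbound ruleset); route-to on $IF0 handles connections the jail opens,
# which the kernel would otherwise hand to $IF0 because of the default
# route.  "quick" keeps a later generic "pass out all" from overriding them.
pf_rules() {
  cat <<EOF
# pf.conf fragment: jail at $JAIL_IP on $IF1, default route via $IF0
pass in on $IF1 quick reply-to ($IF1 $GW1) from ! $NET1 to $JAIL_IP keep state
pass out on $IF0 quick route-to ($IF1 $GW1) from $JAIL_IP to ! $NET1
EOF
}

# Approach B: a second FIB.  The kernel must provide more than one routing
# table: "options ROUTETABLES=2" in the kernel config, or net.fibs=2 in
# /boot/loader.conf (see setfib(1) and setfib(2) for your release).
# In FreeBSD 8.x connected (interface) routes are added to every FIB by
# default (net.add_addr_allfibs=1), so FIB 1 only needs its own default
# route; check that sysctl before relying on it.
fib_commands() {
  cat <<EOF
sysctl net.fibs
sysctl net.add_addr_allfibs
setfib $JAIL_FIB route add default $GW1
setfib $JAIL_FIB netstat -rn
EOF
}

# The jail inherits the FIB of the process that creates it, and sockets
# opened inside it route through that FIB, so its answers leave via $IF1
# regardless of FIB 0's default route.  jail(8) syntax as in FreeBSD 8:
# jail path hostname ip command.
jail_command() {
  echo "setfib $JAIL_FIB jail $JAIL_PATH $JAIL_HOST $JAIL_IP /bin/sh /etc/rc"
}

# Dry run by default; "apply" really executes approach B on the host.
case "${1:-}" in
  apply)
    fib_commands | sh -e
    sh -c "$(jail_command)"
    ;;
  *)
    echo "# --- approach A: pf rules ---";      pf_rules
    echo "# --- approach B: second FIB ---";    fib_commands; jail_command
    ;;
esac
```

Run it without arguments to see the pf fragment and the FIB commands it would issue; `sh script.sh apply` runs the FIB setup and starts the jail in FIB 1. Pick one approach: with the FIB in place the pf rules are unnecessary for the jail's own sockets, and with the pf rules in place the jail can stay in FIB 0.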