Date: Tue, 2 Feb 2010 21:59:34 -0500
From: jhell <jhell@DataIX.net>
To: Stefan <stefanferreira@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to on lo0 not working?
Message-ID: <alpine.BSF.2.00.1002022152130.33395@qvfongpu.qngnvk.ybpny>
In-Reply-To: <4B6866D5.4060405@gmail.com>
References: <4B6866D5.4060405@gmail.com>
On Tue, 2 Feb 2010 12:54, stefanferreira@ wrote:

> Hi
>
> In my quest to route traffic originating on the FreeBSD machine, I've managed
> to loop back outbound traffic via lo0 so that I can try and route it inbound
> on lo0 (pf can't apply route-to logic to outbound traffic; by then it's too
> late to try and route it over a different interface).
>
> The loopback works when I switch off skip on lo0, and pass all lo0 traffic,
> so that traffic is definitely processed by pf. I also know the looping works,
> because when I try to ping an outside IP, I get a response that the TTL has
> been exceeded, and traceroute shows repeating entries of 127.0.0.1 (in other
> words, the packets just loop back through the pf box repeatedly till their
> TTL is exceeded).
>
> The problem is the moment I change my rule to try and route the inbound
> traffic on lo0, the packets just seem to go nowhere. They are not routed
> correctly and I can't tell what happens to them. In the ruleset below,
> enabling the second rule results in the packets looping back to the pf box
> repeatedly, and the first rule results in the packets "disappearing". The
> only difference is the route-to statement, which works for all traffic
> originating elsewhere on the LAN.
>
> #pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
> #pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
> pass out quick all $KEEPSTATE tagged zSA_Local
> pass quick on lo0
>
> Please help! I really need to route traffic originating on the pf box via pf,
> and not via rtables!

Have you tried implementing "binat" and possibly making use of rdr while using some tables to hold your addresses and subnets?

# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
binat on $ext_if from 10.1.2.150 to any -> $ext_ifA

you could change that to:

binat on $ext_if from <binathosts> to any -> $ext_ifA

Looping traffic that is originating internally back around to a loopback interface is not going to solve this, and it will cause you a lot more frustration.

Best of luck.

-- 
jhell
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1002022152130.33395>