From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Subject: Re: wan1 as default, wan2 dedicated to a service
Date: Fri, 5 Aug 2016 08:42:46 +0300
Message-ID: <3b256072-c7a5-8be7-dca0-0faf853e5432@als.nnov.ru>
In-Reply-To: <20160805030555.53101@relay.ibs.dn.ua>

Hello, Zeus.

Probably you should use

pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to 

or

pass out log on $if_wan1 route-to ($if_wan2 $gw_wan2) from ($if_wan2)

or both rules. Please check your state table and routing table.

05.08.2016 3:05, Zeus Panchenko wrote:
> hi,
> I need a trivial thing but am wondering where I am wrong ... :(
> help please
>
> I have two WAN interfaces: wan1 and wan2
> wan1 is the default route interface, wan2 is dedicated for DVR (video)
>
> I'm trying to direct all output from DVR to wan2 (here I do not care
> where a request to DVR came from, I want all replies to go out through wan2)
>
> so, I hoped to do that with this pf.conf
>
> ---[ start ]------------------------------------------------------------
> if_wan1 = "em0"
> if_wan2 = "igb0" # ip address A.B.C.D
> gw_wan2 = "E.F.G.H"
> if_dvr="vlan123"
> table const { 10.0.0.0/24 }
> # redirect all requests on wan2 to DVR host1
> rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
> nat log on $if_wan2 from to any -> ($if_wan2)
> ...
> pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from to any keep state
> ---[ stop ]------------------------------------------------------------
>
> as results,
> I see requests from the world on $if_wan2
> I see redirects of the requests, out packets on $if_dvr
> I see replies to the requests, in packets on $if_dvr
> but I see ($if_wan2) sourced replies, and I see them on *$if_wan1*
>
> so, as I understand ... route-to works, otherwise replies wouldn't be
> from ($if_wan2)
>
> but NATed replies appear on $if_wan1 which is the default route ... so
> ... how can I have replies go out through $if_wan2? is it a question of
> the second routing table?
>
> please, advise
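The following pf.conf fragment is an added example illustrating the thread above; it is not Max's or Zeus's configuration. It keeps the macros from Zeus's post and uses the pre-4.7 rdr/nat syntax FreeBSD pf had in 2016. The table name <dvr> is an assumption: the original post lost the name inside the angle brackets. It shows the posted rules, why the DVR's replies follow the default route, and a corrected form that pins those replies to wan2 with reply-to on the rule that actually creates the state.

```pf
# Assumed macros and table (table name <dvr> is a placeholder, see lead-in).
if_wan1 = "em0"                 # default route interface
if_wan2 = "igb0"                # dedicated DVR interface, address A.B.C.D
gw_wan2 = "E.F.G.H"             # next hop on wan2
if_dvr  = "vlan123"
table <dvr> const { 10.0.0.0/24 }

# --- As posted: replies leave via the default route (em0) -----------------
# "rdr pass" creates the state on $if_wan2 when the request arrives.
# The DVR's reply arriving on $if_dvr matches that existing state, so the
# "pass in on $if_dvr route-to" rule is never evaluated for it. The state
# carries no reply-to target, so after reversing the rdr translation pf
# hands the reply to the kernel routing table, which sends it out $if_wan1.
#
# rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
# nat log on $if_wan2 from <dvr> to any -> ($if_wan2)
# pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from <dvr> to any keep state

# --- Corrected: put reply-to on the rule that creates the inbound state -----
# Translation section (nat/rdr rules must precede filter rules in this syntax).
# rdr without "pass": translate only, let the filter rule below create state.
rdr on $if_wan2 proto { tcp, udp } from any to ($if_wan2) port 1234 -> 10.0.0.1 port 5678

# Source-NAT for connections the DVR opens itself, unchanged from the post.
nat log on $if_wan2 from <dvr> to any -> ($if_wan2)

# Filter section. Inbound filter rules see the packet after rdr, so the
# destination to match is the translated one. reply-to records
# ($if_wan2 $gw_wan2) in the state; every reply packet of that connection
# is then sent to $gw_wan2 on $if_wan2 regardless of the routing table.
pass in log on $if_wan2 reply-to ($if_wan2 $gw_wan2) proto { tcp, udp } \
    from any to 10.0.0.1 port 5678 keep state

# Connections originated by the DVR: force them out wan2 instead of the
# default route; the nat rule above rewrites their source to wan2's address.
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from <dvr> to any keep state
```

The point of the split is that route-to/reply-to only take effect on the rule that creates a state, and an inbound redirected connection's state is created on $if_wan2, not on $if_dvr. After `pfctl -f /etc/pf.conf`, `pfctl -sn` should list the rdr and nat rules, `pfctl -sr` the two pass rules, and `pfctl -ss` a single state per redirected connection; the replies should now appear on igb0 with ($if_wan2) as source while `netstat -rn` still shows the default route on em0.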