Date: Thu, 20 Mar 2008 12:46:40 -0700 (PDT) From: Tommy Pham <tommyhp2@yahoo.com> To: freebsd-pf@freebsd.org Subject: Re: route-to not working Message-ID: <241289.54152.qm@web38204.mail.mud.yahoo.com> In-Reply-To: <a49a70ea0803190611u317b289fkb3c7c3c82bdd7c2f@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--- Wesley <wcglist@gmail.com> wrote: > Dear people, > > I have 2 links on a box, and I don't want to load balance it but, > only to > reply requests in the same interface that it comes. > > I tried to use the route-to, but it not seems to work. > > Could you please, give-me a help? > Looking at your config, most of your traffic is blocked since pf (if i remember correctly) works on last rule matching except for "quick". You might want to read the FAQs again at http://www.openbsd.org/faq/pf/index.html It has some good examples with the detailed explanations of each part of pf configuration. As for reply to external interface, you can use something like this: pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \ proto tcp from any to any port { 22, 21, 1194 } keep state However, I remember reading somewhere that reply-to is broken on FreeBSD and that I couldn't get reply-to to work properly on my box. Someone please correct me on this if I'm wrong. BTW, route-to is not only used for outbound load balancing. You can use it to route certain destinations via certain interfaces without having to mess around with routing table ;) Regards, Tommy > It's my configuration: > > set skip on lo0 > scrub on xl0 reassemble tcp no-df random-id > scrub on xl1 reassemble tcp no-df random-id > scrub on dc0 reassemble tcp no-df random-id > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 > round-robin > sticky-address > antispoof quick for {xl0,dc0,xl1} > block proto tcp from 172.16.0.0/24 to any port 3128 > # Internal Traffic > pass in quick on dc0 from any to any > pass out quick on dc0 from any to any > # Outgoing > pass out on xl0 proto tcp all flags S/SA modulate state > pass out on xl0 proto { udp, icmp } all keep state > pass out on xl1 proto tcp all flags S/SA modulate state > pass out on xl1 proto { udp, icmp } all keep state > # Pass basic services > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } > keep > state > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } > keep > state > pass in on xl0 proto udp from any to any port 53 > pass in on xl1 proto udp from any to any port 53 > # Pass VPN > pass in quick on xl1 proto udp from any to port 1194 keep state > pass quick on tun0 > # Source nat route > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any > # Close > block return-rst in log quick on xl0 inet proto tcp from any to any > block return-rst in log quick on xl1 inet proto tcp from any to any > block return-icmp in log quick on xl0 proto udp from any to any > block return-icmp in log quick on xl1 proto udp from any to any > block in quick on xl0 all > block in quick on xl1 all > > Best Regards, > > Wesley Gentine > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?241289.54152.qm>