From: Tommy Pham <tommyhp2@yahoo.com>
To: freebsd-pf@freebsd.org
Date: Thu, 20 Mar 2008 12:46:40 -0700 (PDT)
Subject: Re: route-to not working
Message-ID: <241289.54152.qm@web38204.mail.mud.yahoo.com>

--- Wesley wrote:

> Dear people,
>
> I have 2 links on a box, and I don't want to load balance it, but
> only to reply to requests on the same interface they come in on.
>
> I tried to use route-to, but it does not seem to work.
>
> Could you please give me some help?

Looking at your config, most of your traffic is blocked since pf (if I remember correctly) works on last rule matching except for "quick". You might want to read the FAQs again at http://www.openbsd.org/faq/pf/index.html - it has some good examples with detailed explanations of each part of a pf configuration.

As for replying out the external interface, you can use something like this:

    pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
        proto tcp from any to any port { 22, 21, 1194 } keep state

However, I remember reading somewhere that reply-to is broken on FreeBSD, and I couldn't get reply-to to work properly on my box. Someone please correct me on this if I'm wrong.

BTW, route-to is not only used for outbound load balancing. You can use it to route certain destinations via certain interfaces without having to mess around with the routing table ;)

Regards,
Tommy

> It's my configuration:
>
> set skip on lo0
> scrub on xl0 reassemble tcp no-df random-id
> scrub on xl1 reassemble tcp no-df random-id
> scrub on dc0 reassemble tcp no-df random-id
> nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> antispoof quick for {xl0,dc0,xl1}
> block proto tcp from 172.16.0.0/24 to any port 3128
> # Internal Traffic
> pass in quick on dc0 from any to any
> pass out quick on dc0 from any to any
> # Outgoing
> pass out on xl0 proto tcp all flags S/SA modulate state
> pass out on xl0 proto { udp, icmp } all keep state
> pass out on xl1 proto tcp all flags S/SA modulate state
> pass out on xl1 proto { udp, icmp } all keep state
> # Pass basic services
> pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in on xl0 proto udp from any to any port 53
> pass in on xl1 proto udp from any to any port 53
> # Pass VPN
> pass in quick on xl1 proto udp from any to port 1194 keep state
> pass quick on tun0
> # Source nat route
> pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> # Close
> block return-rst in log quick on xl0 inet proto tcp from any to any
> block return-rst in log quick on xl1 inet proto tcp from any to any
> block return-icmp in log quick on xl0 proto udp from any to any
> block return-icmp in log quick on xl1 proto udp from any to any
> block in quick on xl0 all
> block in quick on xl1 all
>
> Best Regards,
>
> Wesley Gentine
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
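To make the "last matching rule wins, except for quick" point concrete, here is an added example (not part of the thread, and not pf itself) that models pf's evaluation order over a subset of the inbound rules quoted above. It is a simplified model: no state table, no scrub, no route-to/reply-to, and only direction, interface, protocol and destination port are matched.

```python
# Added example: a minimal model of pf's rule evaluation order, applied to a
# subset of the "pass in"/"block in" rules from the quoted pf.conf.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: str                  # "xl0", "xl1", ...
    quick: bool = False
    proto: str = ""             # "" matches any protocol
    ports: frozenset = frozenset()  # empty set matches any destination port

    def matches(self, pkt):
        return (self.direction == pkt["dir"] and self.iface == pkt["iface"]
                and (not self.proto or self.proto == pkt["proto"])
                and (not self.ports or pkt["dport"] in self.ports))

def evaluate(rules, pkt, default="pass"):
    """pf semantics: walk every rule in order; the last matching rule wins,
    unless a matching rule carries 'quick', which ends evaluation immediately."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else default

# Inbound rules taken from the quoted config, in their original order.
RULES = [
    Rule("pass", "in", "xl1", quick=True, proto="tcp", ports=frozenset({22, 21, 1194})),
    Rule("pass", "in", "xl0", quick=True, proto="tcp", ports=frozenset({22, 21, 1194})),
    Rule("pass", "in", "xl0", proto="udp", ports=frozenset({53})),  # NOT quick
    Rule("pass", "in", "xl1", proto="udp", ports=frozenset({53})),  # NOT quick
    Rule("pass", "in", "xl1", quick=True, proto="udp", ports=frozenset({1194})),
    Rule("block", "in", "xl0", quick=True, proto="tcp"),
    Rule("block", "in", "xl1", quick=True, proto="tcp"),
    Rule("block", "in", "xl0", quick=True, proto="udp"),
    Rule("block", "in", "xl1", quick=True, proto="udp"),
    Rule("block", "in", "xl0", quick=True),
    Rule("block", "in", "xl1", quick=True),
]

def verdict(iface, proto, dport):
    """Verdict for an inbound packet on iface with the given proto/dest port."""
    return evaluate(RULES, {"dir": "in", "iface": iface, "proto": proto, "dport": dport})

if __name__ == "__main__":
    print("ssh in on xl0:", verdict("xl0", "tcp", 22))  # pass: quick rule ends evaluation
    print("dns in on xl0:", verdict("xl0", "udp", 53))  # block: later quick block overrides
```

The DNS case shows the problem Tommy describes: the non-quick "pass in ... port 53" rule is overridden by the later "block return-icmp in log quick ... proto udp" rule, so adding "quick" to the pass rules (or moving the block rules first) is what makes the intended traffic survive.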