Date: Mon, 15 Aug 2005 18:27:33 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Sergey Lapin <slapinid@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: Fwd: Dual-feed: PF setup troubles
Message-ID: <20050815162733.GC32151@insomnia.benzedrine.cx>
In-Reply-To: <48239d3905081509062c585a17@mail.gmail.com>
References: <D5972F49810A69449A9EA72A4B360DC238712A@e1.universe.dart.spb> <48239d390508150840481420ec@mail.gmail.com> <20050815154334.GB32151@insomnia.benzedrine.cx> <48239d3905081509062c585a17@mail.gmail.com>
On Mon, Aug 15, 2005 at 08:06:03PM +0400, Sergey Lapin wrote:

> And as for other bugs - return to wrong place and NAT from wrong interface?
> #2 is serious
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html

Repeat it on 6.0RC and provide the smallest ruleset that reproduces it
completely. The order of how translation rules are evaluated with routing
rules has changed several times, 6.0RC contains the newest code.

Note that translation rules (like NAT) are executed before route-to is,
i.e. if you let outgoing packets first go out the default interface, any
NAT rule on that interface is performed, _before_ the packet is then
re-routed to the non-default interface.

Using route-to on the internal interface makes this a non-issue, but you
met the bug when trying that. Assuming that bug is fixed, it will probably
be the simplest approach, and work.

If you do want to use route-to on the outgoing default interface, however,
you can try restricting the nat rules to appropriately tagged packets, like

  nat on ... from ... to ... tagged TAG -> ...

so they only apply for packets that are not (later) re-routed.

Daniel
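As an added illustration (not part of Daniel's mail or any ruleset posted in this thread), the following pf.conf fragment puts the tagging approach he describes into a complete dual-feed ruleset; all interface names, gateway addresses, networks and the hosts in the table are assumptions.

```pf
# Added example, not from the mailing-list thread. Names and addresses are assumed.
ext_if  = "em0"            # default ISP, interface of the default route
ext2_if = "em1"            # second ISP
int_if  = "fxp0"           # LAN
isp2_gw = "198.51.100.1"   # next hop on the second ISP (assumed)
lan_net = "192.168.1.0/24"
# LAN hosts whose traffic should leave through the second ISP (assumed)
table <via_isp2> { 192.168.1.50, 192.168.1.51 }

# Translation runs before route-to. An unrestricted "nat on $ext_if" would
# rewrite a packet to $ext_if's address before a route-to on $ext_if hands it
# to $ext2_if. Restricting each nat rule with "tagged" keeps the default
# interface's NAT away from packets that will be re-routed.
nat on $ext_if  from $lan_net to any tagged DEFAULT -> ($ext_if)
nat on $ext2_if from $lan_net to any tagged ISP2    -> ($ext2_if)

# Tag every connection once as it enters on the LAN interface. The tag is
# kept with the state, so the nat and filter rules on the outbound side can
# match on it. "quick" stops the catch-all DEFAULT rule from replacing the
# ISP2 tag, since a later matching rule would otherwise overwrite it.
pass in quick on $int_if from <via_isp2> to any tag ISP2    keep state
pass in       on $int_if from $lan_net   to any tag DEFAULT keep state

# Approach 2 from the mail: route-to on the outgoing default interface.
# Only ISP2-tagged packets are re-routed; DEFAULT packets leave normally.
pass out on $ext_if route-to ($ext2_if $isp2_gw) tagged ISP2    keep state
pass out on $ext_if                              tagged DEFAULT keep state
pass out on $ext2_if keep state

# Approach 1 from the mail (the simpler one once the bug he mentions is
# fixed): route-to on the internal interface instead, for example
#   pass in on $int_if route-to ($ext2_if $isp2_gw) from <via_isp2> to any keep state
# The packet is then sent out $ext2_if directly, only "nat on $ext2_if"
# applies to it, and no tags are needed.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f`; `pfctl -s state` shows which tag and interface each connection ended up with.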
