From: Ben Cottrell
Date: Sat, 1 Sep 2012 14:42:34 -0700
To: freebsd-questions@freebsd.org
Subject: Different take on old FAQ: multihoming and source-based routing
Message-Id: <2060AF10-560C-40E5-B402-412E51130A46@wolfhut.org>

Hi everyone,

I've been doing a lot of Google searching recently for variants of "freebsd source-based routing" to look for how to get a dual-homed FreeBSD machine to send to the correct default gateway based on the source address of the packets it's expecting that gateway to pass along. You can't send a packet with a Comcast source address to the AT&T default gateway and expect it to actually make it out onto the public internet, etc.

Universally, the posts I've been finding that discuss this always recommend creating multiple routing tables with "options ROUTETABLES=...", which I wasn't willing to do, because my wild youthful kernel-recompiling days are over -- these days I like the advantages that come with using a pure GENERIC kernel. :-)

So, today I tried the following /etc/pf.conf:

> if = "bge0"
> v4_addr_1 = "173.228.91.225"
> v4_net_1 = "173.228.91.0/24"
> v4_gw_1 = "173.228.91.1"
> v4_addr_2 = "50.193.24.82"
> v4_net_2 = "50.193.24.80/28"
> v4_gw_2 = "50.193.24.94"
>
> pass out quick on $if route-to ($if $v4_gw_1) inet from $v4_addr_1 to !$v4_net_1 no state
> pass out quick on $if route-to ($if $v4_gw_2) inet from $v4_addr_2 to !$v4_net_2 no state
> #pass out quick on $if route-to ($if $v6_gw_1) inet6 from $v6_addr_1 to !$v6_net_1 no state
>
> pass all no state

I guess my setup is a bit simpler than the norm because I only have one physical interface, that both networks are on. But... by Jove, it seems to be working!

Is there something I'm missing? Is this going to break in some subtle edge case that I'm just not seeing? If it really is this simple, why does everyone keep recommending the "options ROUTETABLES" approach?

Thanks,
~Ben
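Added example, not part of Ben's mail: a small model of how pf evaluates the route-to rules in the pf.conf above (first match wins because of `quick`, the final `pass all` hands anything else to the kernel routing table), so the next hop chosen for a given (source, destination) pair can be inspected without a FreeBSD box. The addresses are the ones in the post; the rule-list encoding and the `next_hop` helper are mine, and the off-net sample destinations are constructed.

```python
from ipaddress import ip_address, ip_network

IFACE = "bge0"
# One tuple per "pass out quick on $if route-to ($if gw) inet from addr to !net"
# rule, in the order they appear in the post's pf.conf.
ROUTE_TO_RULES = [
    (ip_address("173.228.91.225"), ip_network("173.228.91.0/24"), "173.228.91.1"),
    (ip_address("50.193.24.82"), ip_network("50.193.24.80/28"), "50.193.24.94"),
]


def next_hop(src: str, dst: str) -> str:
    """Report what the rules above do with one outbound packet on bge0.

    "route-to <gw>": pf forces the packet to that gateway on the interface.
    "routing-table": no route-to rule matched, so the trailing 'pass all'
    leaves the choice to the kernel's normal route lookup.
    """
    s, d = ip_address(src), ip_address(dst)
    # Only the inet (IPv4) rules are active; the inet6 one is commented out.
    if s.version != 4 or d.version != 4:
        return "routing-table"
    for rule_src, excluded_net, gw in ROUTE_TO_RULES:
        # 'from $addr to !$net': source must be this uplink's address and the
        # destination must lie outside that uplink's own subnet.
        if s == rule_src and d not in excluded_net:
            return f"route-to {gw}"
    return "routing-table"


if __name__ == "__main__":
    # Constructed sample pairs, including the case where the destination is
    # on the *other* on-link subnet: the rule still fires, because the
    # exclusion only covers the source's own subnet.
    for pair in [
        ("173.228.91.225", "198.51.100.7"),
        ("50.193.24.82", "198.51.100.7"),
        ("173.228.91.225", "173.228.91.10"),
        ("173.228.91.225", "50.193.24.83"),
    ]:
        print(pair, "->", next_hop(*pair))
```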