Date:      Thu, 20 Mar 2008 23:16:17 -0000
From:      "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: route-to not working
Message-ID:  <00a101c88ae0$67c88100$37598300$@net>
In-Reply-To: <241289.54152.qm@web38204.mail.mud.yahoo.com>
References:  <a49a70ea0803190611u317b289fkb3c7c3c82bdd7c2f@mail.gmail.com> <241289.54152.qm@web38204.mail.mud.yahoo.com>

--- Wesley <wcglist@gmail.com> wrote:

> Dear people,
> 
> I have 2 links on a box, and I don't want to load balance it, only to
> reply to requests on the same interface they come in on.
> 
> I tried to use route-to, but it does not seem to work.
> 
> Could you please give me some help?
> 
Looking at your config, most of your traffic is blocked since pf (if I
remember correctly) works on last rule matching except for "quick".
You might want to read the FAQs again at
http://www.openbsd.org/faq/pf/index.html

It has some good examples with the detailed explanations of each part
of pf configuration.  As for reply to external interface, you can use
something like this:

pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
   proto tcp from any to any port { 22, 21, 1194 } keep state

However, I remember reading somewhere that reply-to is broken on
FreeBSD, and I couldn't get reply-to to work properly on my box.
Someone please correct me on this if I'm wrong.

BTW, route-to is not only used for outbound load balancing.  You can
use it to route certain destinations via certain interfaces without
having to mess around with the routing table ;)

Regards,
Tommy

> It's my configuration:
> 
> set skip on lo0
> scrub on xl0 reassemble tcp no-df random-id
> scrub on xl1 reassemble tcp no-df random-id
> scrub on dc0 reassemble tcp no-df random-id
> nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> antispoof quick for {xl0,dc0,xl1}
> block proto tcp from 172.16.0.0/24 to any port 3128
> # Internal Traffic
> pass in quick on dc0 from any to any
> pass out quick on dc0 from any to any
> # Outgoing
> pass out on xl0 proto tcp all flags S/SA modulate state
> pass out on xl0 proto { udp, icmp } all keep state
> pass out on xl1 proto tcp all flags S/SA modulate state
> pass out on xl1 proto { udp, icmp } all keep state
> # Pass basic services
> pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in on xl0 proto udp from any to any port 53
> pass in on xl1 proto udp from any to any port 53
> # Pass VPN
> pass in quick on xl1 proto udp from any to port 1194 keep state
> pass quick on tun0
> # Source nat route
> pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> # Close
> block return-rst in log quick on xl0 inet proto tcp from any to any
> block return-rst in log quick on xl1 inet proto tcp from any to any
> block return-icmp in log quick on xl0 proto udp from any to any
> block return-icmp in log quick on xl1 proto udp from any to any
> block in quick on xl0 all
> block in quick on xl1 all
> 
> Best Regards,
> 
> Wesley Gentine
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> 

Hi Wesley

Here are the rules I use for that purpose on my server (I'm still in the
middle of setting it up).
It works best on incoming connections; I just need to include the outgoing to
balance and figure out ftp.

I noticed one thing that I can't explain: if I use a macro for the external
IP instead of having the actual outside interface IP addresses in the
"pass in" rules, the whole thing blows up and stops working.

example:
	inet proto tcp from any to 192.168.254.10    is good
	inet proto tcp from any to $ ext_if1_IP      is bad and not working

here is my config:

	ext_if1="rl0"
	ext_if2="rl1"
	ext_if1_IP="192.168.1.10"
	ext_if2_IP="192.168.254.10"

	ext_gw1="192.168.1.254"
	ext_gw2="192.168.254.254"
	public_services = "{ 80, 443, 873, 1701, 1721, 1723 }"

	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
		inet proto tcp from any to 192.168.1.10 port $public_services \
		flags S/SA modulate state

	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
		inet proto tcp from any to 192.168.254.10 port $public_services \
		flags S/SA modulate state

	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
		inet proto udp from any to 192.168.1.10 port $public_services keep state

	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
		inet proto udp from any to 192.168.254.10 port $public_services keep state
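The point Tommy makes above, that pf lets the last matching rule decide unless a matching rule is "quick", is what blocks most of the inbound traffic in the quoted config: "pass in on xl0 proto udp ... port 53" has no quick, so the later "block return-icmp in log quick on xl0 proto udp" still matches and wins. The following is an added example, not code from this thread or from pf itself: a small Python model of that evaluation order (a constructed, simplified packet/rule representation, not a pf.conf parser) with a ruleset that mirrors the inbound xl0 rules quoted above, so the effect of adding or omitting "quick" can be checked offline before touching a firewall.

```python
"""Model of pf's rule-evaluation order: the last matching rule decides the
packet, unless a matching rule carries `quick`, which ends evaluation there.
A packet matching no rule at all is passed (pf's default).

Added example, not from the thread.  Packet and Rule are a constructed,
simplified model (direction, interface, protocol, destination port) rather
than a pf.conf parser.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str              # interface the packet is seen on
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    text: str                                   # pf.conf line being modelled
    action: str                                 # "pass" or "block"
    direction: Optional[str] = None             # None matches both directions
    iface: Optional[str] = None                 # None matches any interface
    proto: Optional[FrozenSet[str]] = None      # None matches any protocol
    dports: Optional[FrozenSet[int]] = None     # None matches any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or p.proto in self.proto)
                and (self.dports is None or p.dport in self.dports))


def rule(text, action, direction=None, iface=None, proto=None, dports=None,
         quick=False) -> Rule:
    """Constructor that turns plain sets into the frozensets Rule expects."""
    return Rule(text, action, direction, iface,
                frozenset(proto) if proto else None,
                frozenset(dports) if dports else None, quick)


def evaluate(rules, packet: Packet):
    """Return (action, rule_text) for `packet` under pf's evaluation order."""
    winner = None
    for r in rules:
        if r.matches(packet):
            winner = r          # a later match overrides an earlier one ...
            if r.quick:
                break           # ... unless the matching rule is `quick`
    if winner is None:
        return "pass", "<no rule matched: pf default pass>"
    return winner.action, winner.text


# Inbound xl0 rules in the order they appear in the quoted config (constructed
# subset of that config; "from any to any" is expressed by the wildcard fields).
WESLEY_INBOUND = [
    rule("pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state",
         "pass", "in", "xl0", {"tcp"}, {22, 21, 1194}, quick=True),
    rule("pass in on xl0 proto udp from any to any port 53",
         "pass", "in", "xl0", {"udp"}, {53}),                  # no `quick`
    rule("block return-rst in log quick on xl0 inet proto tcp from any to any",
         "block", "in", "xl0", {"tcp"}, quick=True),
    rule("block return-icmp in log quick on xl0 proto udp from any to any",
         "block", "in", "xl0", {"udp"}, quick=True),
    rule("block in quick on xl0 all", "block", "in", "xl0", quick=True),
]

# Same ruleset with `quick` on the DNS rule, so it is decided before the later
# `block ... quick` lines are reached.
WESLEY_INBOUND_FIXED = [
    rule("pass in quick on xl0 proto udp from any to any port 53",
         "pass", "in", "xl0", {"udp"}, {53}, quick=True)
    if r.dports == frozenset({53}) else r
    for r in WESLEY_INBOUND
]

# Last-match semantics with no `quick` at all: the later, more specific pass
# overrides the earlier catch-all block (constructed two-rule set).
LAST_MATCH_DEMO = [
    rule("block in on xl0 all", "block", "in", "xl0"),
    rule("pass in on xl0 proto tcp from any to any port 22",
         "pass", "in", "xl0", {"tcp"}, {22}),
]


def decide_all(rules, packets):
    """Evaluate each packet; return a list of (label, action, rule_text)."""
    return [(f"{p.direction} {p.iface} {p.proto}/{p.dport}", *evaluate(rules, p))
            for p in packets]


if __name__ == "__main__":
    samples = [Packet("in", "xl0", "udp", 53), Packet("in", "xl0", "tcp", 22),
               Packet("in", "xl0", "tcp", 80)]
    for name, rs in (("quoted config", WESLEY_INBOUND),
                     ("quick on DNS rule", WESLEY_INBOUND_FIXED),
                     ("last-match demo", LAST_MATCH_DEMO)):
        print(f"== {name}")
        for label, action, text in decide_all(rs, samples):
            print(f"  {label:16} -> {action:5}  ({text})")
```

Running it shows inbound UDP 53 on xl0 ending in "block" under the quoted ordering and in "pass" once the DNS rule carries quick, while the TCP 22 rule passes in both because it already has quick. The same model is a cheap way to sanity-check any rule reordering before loading it with pfctl.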
