From owner-freebsd-pf@FreeBSD.ORG Thu Mar 20 23:43:08 2008
Delivered-To: freebsd-pf@freebsd.org
From: "Torsten @ CNC-LONDON" (envelope-from torsten@cnc-london.net)
In-Reply-To: <241289.54152.qm@web38204.mail.mud.yahoo.com>
Date: Thu, 20 Mar 2008 23:16:17 -0000
Subject: RE: route-to not working
List-Id: "Technical discussion and general questions about packet filter (pf)"

--- Wesley wrote:

> Dear people,
>
> I have 2 links on a box, and I don't want to load balance it, but
> only to reply to requests on the same interface they came in on.
>
> I tried to use route-to, but it does not seem to work.
>
> Could you please give me some help?

Looking at your config, most of your traffic is blocked since pf (if I
remember correctly) works on last rule matching except for "quick".

You might want to read the FAQs again at
http://www.openbsd.org/faq/pf/index.html
It has some good examples with detailed explanations of each part of a
pf configuration.

As for replying on the external interface, you can use something like this:

    pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
        proto tcp from any to any port { 22, 21, 1194 } keep state

However, I remember reading somewhere that reply-to is broken on FreeBSD,
and I couldn't get reply-to to work properly on my box. Someone please
correct me on this if I'm wrong.

BTW, route-to is not only used for outbound load balancing. You can use it
to route certain destinations via certain interfaces without having to mess
around with the routing table ;)

Regards,
Tommy

> It's my configuration:
>
> set skip on lo0
> scrub on xl0 reassemble tcp no-df random-id
> scrub on xl1 reassemble tcp no-df random-id
> scrub on dc0 reassemble tcp no-df random-id
> nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> antispoof quick for {xl0,dc0,xl1}
> block proto tcp from 172.16.0.0/24 to any port 3128
> # Internal Traffic
> pass in quick on dc0 from any to any
> pass out quick on dc0 from any to any
> # Outgoing
> pass out on xl0 proto tcp all flags S/SA modulate state
> pass out on xl0 proto { udp, icmp } all keep state
> pass out on xl1 proto tcp all flags S/SA modulate state
> pass out on xl1 proto { udp, icmp } all keep state
> # Pass basic services
> pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in on xl0 proto udp from any to any port 53
> pass in on xl1 proto udp from any to any port 53
> # Pass VPN
> pass in quick on xl1 proto udp from any to port 1194 keep state
> pass quick on tun0
> # Source nat route
> pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> # Close
> block return-rst in log quick on xl0 inet proto tcp from any to any
> block return-rst in log quick on xl1 inet proto tcp from any to any
> block return-icmp in log quick on xl0 proto udp from any to any
> block return-icmp in log quick on xl1 proto udp from any to any
> block in quick on xl0 all
> block in quick on xl1 all
>
> Best Regards,
>
> Wesley Gentine
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Hi Wesley,

Here are the rules I use for that purpose on my server (I'm still in the
middle of setting it up). It works best on incoming connections; I just
need to include the outgoing ones to balance, and figure out ftp.

I noticed one thing that I can't explain myself: if I use a macro for the
external IP instead of the actual outside interface IP addresses in the
"pass in" rules, the whole thing blows up and stops working.

example:

    inet proto tcp from any to 192.168.254.10    is good
    inet proto tcp from any to $ext_if1_IP       is bad and not working

here is my config:

    ext_if1="rl0"
    ext_if2="rl1"
    ext_if1_IP="192.168.1.10"
    ext_if2_IP="192.168.254.10"
    ext_gw1="192.168.1.254"
    ext_gw2="192.168.254.254"
    public_services = "{ 80, 443, 873, 1701, 1721, 1723 }"

    pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
    pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
    pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        inet proto udp from any to 192.168.1.10 port $public_services keep state
    pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        inet proto udp from any to 192.168.254.10 port $public_services keep state
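Tommy's remark that pf uses last-match evaluation unless a rule is "quick" is the key to why parts of Wesley's ruleset end up blocking traffic. The following Python is an added example written for this thread, not code from any of the posters or from pf itself: it models pf's rule scan (top to bottom, last matching rule wins, a matching "quick" rule ends the scan, implicit pass when nothing matches) and encodes the xl0 rules from Wesley's config as constructed data. Addresses, the route-to rules and state tracking are left out, so it only models the first packet of a flow; the rule texts in it are abbreviated copies of Wesley's lines, and the "fixed" ruleset (DNS rule made quick) is this example's assumption about the minimal change, not something the thread states.

```python
"""Toy model of pf rule evaluation.

Rules are scanned top to bottom; the last matching rule decides the packet,
unless a matching rule carries ``quick``, which ends evaluation at once.
Stateful matching (``keep state``) and addresses are deliberately omitted,
so this models only the first packet of a connection.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the interface
    iface: str                # e.g. "xl0"
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    direction: Optional[str] = None           # None matches both directions
    iface: Optional[str] = None               # None matches any interface
    protos: FrozenSet[str] = frozenset()      # empty set matches any protocol
    dports: FrozenSet[int] = frozenset()      # empty set matches any port
    quick: bool = False
    text: str = ""                            # abbreviated pf.conf line it stands for

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.iface and self.iface != pkt.iface:
            return False
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(ruleset: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides pkt, or None (pf's implicit default pass)."""
    winner = None
    for rule in ruleset:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:            # quick: stop at the first match
                break
    return winner


def decide(ruleset: List[Rule], pkt: Packet) -> str:
    rule = evaluate(ruleset, pkt)
    return rule.action if rule else "pass"


# Constructed from the "Outgoing", "Pass basic services" and "Close"
# sections of Wesley's ruleset, restricted to xl0 (xl1 behaves the same).
SERVICES = frozenset({22, 21, 1194})
WESLEY_XL0 = [
    Rule("pass", "out", "xl0", frozenset({"tcp"}),
         text="pass out on xl0 proto tcp all flags S/SA modulate state"),
    Rule("pass", "out", "xl0", frozenset({"udp", "icmp"}),
         text="pass out on xl0 proto { udp, icmp } all keep state"),
    Rule("pass", "in", "xl0", frozenset({"tcp"}), SERVICES, quick=True,
         text="pass in quick on xl0 proto tcp ... port { 22, 21, 1194 } keep state"),
    Rule("pass", "in", "xl0", frozenset({"udp"}), frozenset({53}),
         text="pass in on xl0 proto udp from any to any port 53"),
    Rule("block", "in", "xl0", frozenset({"tcp"}), quick=True,
         text="block return-rst in log quick on xl0 inet proto tcp from any to any"),
    Rule("block", "in", "xl0", frozenset({"udp"}), quick=True,
         text="block return-icmp in log quick on xl0 proto udp from any to any"),
    Rule("block", "in", "xl0", quick=True,
         text="block in quick on xl0 all"),
]

# Assumed minimal fix: make the DNS rule quick so the later quick block
# can no longer override it (the rest of the ruleset is unchanged).
FIXED_XL0 = [
    Rule(r.action, r.direction, r.iface, r.protos, r.dports,
         quick=True if r.dports == frozenset({53}) else r.quick,
         text=r.text.replace("pass in on", "pass in quick on"))
    for r in WESLEY_XL0
]

if __name__ == "__main__":
    for pkt in (Packet("in", "xl0", "tcp", 22), Packet("in", "xl0", "udp", 53),
                Packet("in", "xl0", "icmp"), Packet("out", "xl0", "tcp", 80)):
        r = evaluate(WESLEY_XL0, pkt)
        print(pkt, "->", decide(WESLEY_XL0, pkt), "by:", r.text if r else "(no rule)")
    print("after fix, DNS in on xl0 ->", decide(FIXED_XL0, Packet("in", "xl0", "udp", 53)))
```

Running it shows inbound TCP to the listed service ports passing on the quick rule, while inbound UDP/53 first matches the non-quick pass rule and is then overridden by the later "block return-icmp ... quick" line, which is exactly the last-match-unless-quick behaviour Tommy describes; the same packet passes once the DNS rule carries quick.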