From: Max
To: freebsd-pf@freebsd.org
Subject: Re: Forcing a route using pf
Date: Mon, 31 Oct 2016 10:30:17 +0300

Interface igb0:

nat on igb1 to 10.10.10.100 -> igb0
pass out on igb1 route-to ( igb0 10.0.0.1 ) from igb0 to 10.10.10.100

Why don't you use igb1 interface?
nat on igb1 to 10.10.10.100 -> igb0

And on Server B:

route add -host 10.0.0.10 10.10.10.10

29.10.2016 13:14, James Morris wrote:
> Hi,
>
> I added the pf rule:
>
> pass out on igb1 route-to ( igb0 10.0.0.1 ) from any to 10.10.10.100
>
> But now when I try to reach 10.10.10.100 traffic goes out igb0 as expected, but it has the source IP of igb1
>
> # ping 10.10.10.100
>
> # tshark -i igb0
> Capturing on 'igb0'
> 1 0.000000 10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request id=0xb403, seq=0/0, ttl=64
> 2 0.001509 RealtekU_12:35:02 -> Broadcast ARP 60 Who has 10.10.10.10? Tell 10.0.0.1
> 3 1.020896 10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request id=0xb403, seq=1/256, ttl=64
> 4 1.022268 RealtekU_12:35:02 -> Broadcast ARP 60 Who has 10.10.10.10? Tell 10.0.0.1
>
> Traffic is flowing out the correct interface, but has the wrong source IP address.
>
> What am I doing wrong here?
>
> Thanks,
>
> James
>
> From: Patrick Lamaiziere
> Sent: 28 October 2016 11:21
> To: James Morris
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Forcing a route using pf
>
> On Thu, 27 Oct 2016 19:23:38 +0000,
> James Morris wrote:
>
> Hi,
>
> Hello,
>
>> While this does solve the issue of pushing traffic through igb0,
>> however any incoming connections to igb1 from server B also get shunted
>> out igb0.
>>
>> I was wondering if there is a way to do this in pf.
> see PF route-to option.
>
> Regards,