From owner-freebsd-net@FreeBSD.ORG Mon Mar 12 15:00:09 2007
Message-ID: <45F564B5.10307@seudns.net>
Date: Mon, 12 Mar 2007 11:33:25 -0300
From: Alexandre Biancalana
To: freebsd-net@freebsd.org
Subject: PF route-to behavior
List-Id: Networking and TCP/IP with FreeBSD

Hi List,

I'm doing a firewall setup using 6-STABLE + PF with two internet links, but I can't get the route-to rule to function as I need.

   (default gw)          ______
   Link A <-----------> |int A |
                        |      |
   Link B <-----------> |int B |
                        |______|
                       FreeBSD FW

A simple thing that I need to do is test the two Internet links to know if they are up or not. To do this I could ping or connect to TCP ports on some external IPs through each link. Using nc and hping I tried to generate connections/packets from each network interface connected to each link, but the packets always go out by the interface indicated by the machine's default route.

I tried to add these rules in pf to force packets out by the right interface based on their source address, but this does not work, and the packets generated with the IP of int B are going out by int A.

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

Am I forgetting something? Any comments?

Regards,
Alexandre
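The following is an added example, not part of the original post, showing the two route-to rules above in the context of a complete pf.conf fragment for a two-link firewall. Interface names (em0, em1), gateway addresses and the test host are placeholders and must be replaced with the real values; the reply-to rule for inbound connections on the non-default link goes beyond what the post asks about and is included because it is the usual companion to the route-to pair.

```pf
# Added example (not from the original post). All names and addresses
# below are placeholders: em0/em1, TEST-NET gateway addresses.
int_a    = "em0"            # link A; the system default route points here
int_b    = "em1"            # link B; no default route via this interface
int_a_gw = "192.0.2.1"      # next hop on link A (placeholder)
int_b_gw = "198.51.100.1"   # next hop on link B (placeholder)

# Locally generated packets are handed to the interface chosen by the
# routing table, i.e. int_a for everything, regardless of source address.
# The route-to rule therefore has to match on the interface the packet
# is *about to leave*, and redirect it to the other link's gateway:
#   - traffic sourced from int_b's address, about to leave on int_a,
#     is sent to int_b_gw via int_b;
#   - the mirror rule covers the case where the default route moves.
# "keep state" is explicit here because pf on FreeBSD 6 did not yet
# create state by default; reply packets then match the state instead
# of needing a rule of their own.
pass out log on $int_a route-to ($int_b $int_b_gw) from ($int_b) to any keep state
pass out log on $int_b route-to ($int_a $int_a_gw) from ($int_a) to any keep state

# Companion rule: connections that arrive on the non-default link should
# have their replies leave on that same link, not via the default route.
pass in log on $int_b reply-to ($int_b $int_b_gw) from any to ($int_b) keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows how the macros and parenthesised interface names expanded. Because both rules carry `log`, `tcpdump -n -e -ttt -i pflog0` shows which rule matched and on which interface each test packet was seen, which is the quickest way to tell whether a probe sourced from int B's address was actually redirected. The probes themselves must bind the source address explicitly (for example `ping -S <int_b address>` or `nc -s <int_b address>`); a probe that leaves the source unset will carry int A's address and is correctly routed out int A.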