From: Matt MacDonald
To: freebsd-pf@freebsd.org
Date: Mon, 7 Feb 2005 07:15:21 -0500
Subject: Two interface route-to problem
List-Id: Technical discussion and general questions about packet filter (pf)

I've been working on a problem for a while but it doesn't seem to be getting fixed. I've got two PPPoE interfaces to different ISPs. The default route is to ISP1 but my servers are on ISP2. Everything seems to be working fine except that traffic destined for ISP2 gets returned on the ISP1 interface.
The docs seem to say that route-to will fix my problem but I can't seem to get it to work. Hopefully someone on this list will see what I'm doing wrong. Here are the commands that I have tried to get this to work:

pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
    to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from ($ISP2) \
    to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from $ISP2addr \
    to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from $ISP2addr \
    to any flags S/SA

but none of them seem to work. I do have a similar line that routes SMTP traffic inbound on the inside interface to ISP2 and that works fine.

Thanks,
Matt

Here is my entire config:

############### /etc/pf.conf ###########################
## Macros
ISP1="tun0"
ISP2="tun1"
INSIDE="rl1"
MYNET="192.168.1.0/24"
ALLOWED="{ 20, 21, 22, 113 }"

## TABLES
table const { 10/8, 172.16/12, 192.168/16, 224/8 }
table persist
table { 66.x.x.x }
table { 64.x.x.x }

## GLOBAL OPTIONS
set loginterface $ISP2
set block-policy return

## TRAFFIC NORMALIZATION
scrub in on { $ISP2, $ISP1 } all fragment reassemble
#scrub out on { $ISP2, $ISP1 } all fragment reassemble random-id no-df

## QUEUEING RULES

## TRANSLATION RULES (NAT)
nat on $ISP1 from $INSIDE:network to any -> ($ISP1)
nat on $ISP2 from $INSIDE:network to any -> ($ISP2)
rdr on $INSIDE proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021

## FILTER RULES
#
# Defaults Block All
#
block log all
block in log quick on { $ISP2, $ISP1 } from to any
block log quick on { $ISP2, $ISP1 } from to any

#
# Tun 0 - ISP1
# Out
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) to any flags S/SA
pass out log on $ISP1 proto tcp all modulate state flags S/SA
pass out log on $ISP1 proto { udp, icmp } all keep state
# In
pass in log on $ISP1 proto icmp from any to ($ISP1) keep state
pass in log on $ISP1 inet proto tcp from any to ($ISP1) port $ALLOWED flags S/SA keep state
pass in log on $ISP1 inet proto tcp from any to ($ISP1) \
    port > 49151 keep state

#
# Tun 1 - ISP2
# Out
pass out log quick on $ISP2 route-to ( $ISP1 $ISP1:peer ) from ($ISP1) to any flags S/SA
pass out log on $ISP2 proto tcp all modulate state flags S/SA
pass out log on $ISP2 proto { udp, icmp } all keep state
# In
pass in log on $ISP2 proto icmp from any to ($ISP2) keep state
pass in log on $ISP2 inet proto tcp from any to ($ISP2) port $ALLOWED flags S/SA keep state

#
# rl1 - Inside
# Out
pass in quick on $INSIDE route-to ( $ISP2 ) inet proto tcp from any to any port 25 modulate state
pass in on $INSIDE from $MYNET to any
pass out on $INSIDE from any to $MYNET

#
# Loopback
#
pass in quick on lo0 all
pass out quick on lo0 all
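As an added example (not from Matt's post or his config), the pf.conf(5) pattern for the symptom described above, replies to connections that arrived on ISP2 leaving via the ISP1 default route: the inbound rule on $ISP2 carries reply-to, so the state it creates pins the return path to tun1, and route-to on $ISP1 only has to cover locally originated traffic sourced from ISP2's address. ISP2_GW is a placeholder for the PPPoE peer address (the poster's config uses $ISP2:peer for the same thing).

```pf
# Added example, not the original poster's configuration.
# ISP2_GW is a placeholder (TEST-NET-1 address), not a real gateway;
# on a point-to-point link it can be replaced by the tun1 peer address.
ISP1="tun0"
ISP2="tun1"
ISP2_GW="192.0.2.1"
ALLOWED="{ 20, 21, 22, 113 }"

# Inbound connections that arrive on ISP2: reply-to is recorded in the
# state entry, so the SYN-ACK and every later reply packet of that
# connection is sent out tun1 toward ISP2_GW, regardless of the default
# route pointing at tun0.
pass in log on $ISP2 reply-to ( $ISP2 $ISP2_GW ) inet proto tcp \
    from any to ($ISP2) port $ALLOWED flags S/SA keep state
pass in log on $ISP2 reply-to ( $ISP2 $ISP2_GW ) inet proto icmp \
    from any to ($ISP2) keep state

# Locally originated traffic that carries ISP2's own address as source
# but that the routing table would hand to tun0: steer it to tun1 on the
# way out. keep state so the replies are matched, not re-evaluated.
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2_GW ) \
    from ($ISP2) to any keep state
```

After loading, `pfctl -sr` shows the reply-to/route-to targets as parsed, and `pfctl -ss` lists the state for a test connection to ISP2's address so the interface it was created on can be checked.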