Date:      Wed, 05 Apr 2017 13:20:57 +0200
From:      Nils Beyer <nbe@renzel.net>
To:        freebsd-net@freebsd.org
Subject:   [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID:  <4956261.2DO1X0b8Gd@asbach.renzel.net>

Hi,

we have two internet lines here.

Following situation (IP addresses changed) on my server:

	iface "wan1" = 8.0.0.1/24 - GW1 8.0.0.254 (internet line 1)
	iface "wan2" = 9.0.0.1/24 - GW2 9.0.0.254 (internet line 2)

Now I'd like every packet that comes in on interface "wan1" to be replied to
on interface "wan1" via its "GW1". For every packet that comes in on
interface "wan2", replies should go to "GW2" via "wan2".


That's my "pf.conf"
------------------------------------------------------------------------------
scrub in all

block in log
pass in inet proto icmp
pass in inet proto tcp to port { ssh }
pass on lo0

pass out
pass out on wan1 route-to (wan2 9.0.0.254) from wan2
pass out on wan2 route-to (wan1 8.0.0.254) from wan1
------------------------------------------------------------------------------

Guess what: it's not working.


With tcpdump I see traffic from a remote "telnet 8.0.0.1 22" and a remote
"telnet 9.0.0.1 22" going in on the corresponding interface, but the replies
are always going through the default gateway.

I have also tried "no state" after the "route-to" rules, without success.
"pfctl -vs rules" shows that no outgoing packet matches one of the "route-to"
rules. "reply-to" rules are working, but then I have to duplicate all incoming
rules for every possible gateway route, or use tags; I'm not very happy with
either solution.


The thing that works for me is an additional use of "ipfw" for routing:
------------------------------------------------------------------------------
kenv net.inet.ip.fw.default_to_accept=1
kldload ipfw
# fwd gw2 from wan2 via wan1
ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
# fwd gw1 from wan1 via wan2
ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
------------------------------------------------------------------------------


I'd really like to know where my fallacy lies...



TIA and regards,
Nils
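An added example, not part of the message above, showing the "reply-to" variant
that the post mentions as working. It uses the (changed) interface names and
addresses from the post; nothing else is assumed. The reason the "pass out
route-to" rules never count a match is that pf only evaluates the ruleset for
the packet that creates a state: the inbound SYN on wan1 matches "pass in",
the state it creates then matches the outgoing SYN/ACK, and the "pass out"
rules are never consulted for it. A route attached to the inbound rule, by
contrast, is stored in the state and applied to the replies.

```pf
# Added example (not from the original post): symmetric replies enforced with
# "reply-to" on the inbound rules. Interface names and gateway addresses are
# the ones from the post.

wan1 = "wan1"
wan2 = "wan2"
gw1  = "8.0.0.254"
gw2  = "9.0.0.254"

scrub in all

block in log
pass on lo0

# Each inbound pass rule records the gateway of the line the packet arrived
# on. The state created by that rule carries the route, so SYN/ACKs and echo
# replies leave through the same line; no "pass out route-to" rule is needed.
pass in on $wan1 reply-to ($wan1 $gw1) inet proto icmp
pass in on $wan1 reply-to ($wan1 $gw1) inet proto tcp to port { ssh }
pass in on $wan2 reply-to ($wan2 $gw2) inet proto icmp
pass in on $wan2 reply-to ($wan2 $gw2) inet proto tcp to port { ssh }

# Connections originated by the host itself are not covered by reply-to; they
# still follow the kernel routing table, i.e. the default gateway.
pass out

# Parse only, then load:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
# After a remote "telnet 9.0.0.1 22", the counters shown by "pfctl -vs rules"
# for the wan2 reply-to rule should increase, and "pfctl -s states" should
# list the state for that connection.
```

The duplication per interface is the price of this approach, as the post
notes; it is limited to the rules that accept inbound connections, and the
"pass out" side stays a single rule.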



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4956261.2DO1X0b8Gd>