From: Nils Beyer
To: freebsd-net@freebsd.org
Subject: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Date: Wed, 05 Apr 2017 13:20:57 +0200
Message-ID: <4956261.2DO1X0b8Gd@asbach.renzel.net>
Organization: VKF Renzel GmbH

Hi,

we have two internet lines here.
Following situation (IP addresses changed) on my server:

  iface "wan1" = 8.0.0.1/24 - GW1 8.0.0.254 (internet line 1)
  iface "wan2" = 9.0.0.1/24 - GW2 9.0.0.254 (internet line 2)

Now I'd like it so that every packet that comes in on interface "wan1" is replied to on interface "wan1" via its "GW1". For every packet that comes in on interface "wan2", replies go to "GW2" via "wan2".

That's my "pf.conf":
------------------------------------------------------------------------------
scrub in all

block in log

pass in inet proto icmp
pass in inet proto tcp to port { ssh }

pass on lo0

pass out
pass out on wan1 route-to (wan2 9.0.0.254) from wan2
pass out on wan2 route-to (wan1 8.0.0.254) from wan1
------------------------------------------------------------------------------

Guess what - it's not working. With tcpdump I see traffic from a remote "telnet 8.0.0.1 22" and a remote "telnet 9.0.0.1 22" going in on the corresponding interface, but the replies are always going through the default gateway. I also have tried "no state" after the "route-to" rules without success. "pfctl -vs rules" shows that no outgoing packet matches one of the "route-to" rules.

"reply-to" rules are working, but then I have to duplicate all incoming rules for every possible gateway route - or use tags; I'm not very happy with either solution.

The thing that works for me is an additional use of "ipfw" for routing:
------------------------------------------------------------------------------
kenv net.inet.ip.fw.default_to_accept=1
kldload ipfw

# fwd gw2 from wan2 via wan1
ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1

# fwd gw1 from wan1 via wan2
ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
------------------------------------------------------------------------------

I'd really like to know where my fallacy lies...

TIA and regards,
Nils
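As an added example (not part of Nils' mail), the pf.conf below enforces the symmetric-reply requirement with "reply-to" on the inbound rules, using the interface names and addresses from the mail; the macro names are assumptions of this example. The "pass out route-to" rules in the mail never match because the reply packets belong to the state created by the "pass in" rule and are passed by that state without the ruleset being evaluated again, which is why "pfctl -vs rules" shows zero matches; the reply route therefore has to be attached to the inbound rule that creates the state.

```pf
# Added example, not the original poster's ruleset. Interface names
# and addresses are those from the mail; macro names are assumed.
wan1_gw  = "8.0.0.254"
wan2_gw  = "9.0.0.254"
services = "{ ssh }"

set skip on lo0
scrub in all

block in log

# Connections that arrive on wan1 get a state whose replies are sent
# via wan1/GW1; the same for wan2/GW2. Because the state carries the
# reply-to route, replies never consult the "pass out" rules below.
pass in on wan1 reply-to (wan1 $wan1_gw) inet proto icmp
pass in on wan1 reply-to (wan1 $wan1_gw) inet proto tcp to (wan1) port $services
pass in on wan2 reply-to (wan2 $wan2_gw) inet proto icmp
pass in on wan2 reply-to (wan2 $wan2_gw) inet proto tcp to (wan2) port $services

# Locally originated traffic keeps following the routing table.
pass out
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading; once loaded, the evaluation and packet counters shown by "pfctl -vs rules" for the reply-to rules should increase as connections arrive on each interface.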