From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Nils Beyer
Cc: freebsd-net@freebsd.org
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Date: Wed, 5 Apr 2017 14:33:52 +0300
Message-ID: <20170405113352.GB20974@zxy.spb.ru>
In-Reply-To: <4956261.2DO1X0b8Gd@asbach.renzel.net>

On Wed, Apr 05, 2017 at 01:20:57PM +0200, Nils Beyer wrote:
> Hi,
>
> we have two internet lines here.
>
> Following situation (IP addresses changed) on my server:
>
> iface "wan1" = 8.0.0.1/24 - GW1 8.0.0.254 (internet line 1)
> iface "wan2" = 9.0.0.1/24 - GW2 9.0.0.254 (internet line 2)
>
> Now I'd like it so that every packet that comes in on interface "wan1"
> is replied to on interface "wan1" and its "GW1". For every packet that
> comes in on interface "wan2", replies go to "GW2" via "wan2".

On the packet layer, "replies" don't exist. Every packet is independent
and has no history. Also, it is possible to get packets for 9.0.0.1 via
wan1, and this is legitimate. I.e. you can't build rules based on
"replies", only on "origins": the source IP address of the generated
packets (as in your ipfw fwd rules). UDP selects the source address based
on routing information, and the only case that does not use the default
gateway interface is multiple bind() calls in the application.

> That's my "pf.conf":
> ------------------------------------------------------------------------------
> scrub in all
>
> block in log
> pass in inet proto icmp
> pass in inet proto tcp to port { ssh }
> pass on lo0
>
> pass out
> pass out on wan1 route-to (wan2 9.0.0.254) from wan2
> pass out on wan2 route-to (wan1 8.0.0.254) from wan1
> ------------------------------------------------------------------------------
>
> guess what - it's not working.
>
> With tcpdump I see traffic from a remote "telnet 8.0.0.1 22" and a remote
> "telnet 9.0.0.1 22" going in on the corresponding interface, but the replies
> are always going through the default gateway.
>
> I also have tried "no state" after the "route-to" rules without success.
> "pfctl -vs rules" shows that no outgoing packet matches one of the "route-to"
> rules. "reply-to" rules are working, but then I have to duplicate all incoming
> rules for every possible gateway route - or use tags; with both solutions I'm
> not very happy.
>
> The thing that works for me is an additional use of "ipfw" for routing:
> ------------------------------------------------------------------------------
> kenv net.inet.ip.fw.default_to_accept=1
> kldload ipfw
> # fwd gw2 from wan2 via wan1
> ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
> # fwd gw1 from wan1 via wan2
> ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
> ------------------------------------------------------------------------------
>
> I'd really like to know where my fallacy lies...
>
> TIA and regards,
> Nils
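The "multiple bind() calls in the application" point in the reply above, shown as an added example that is not code from either poster: a UDP responder that opens one socket per local address instead of one wildcard socket, so each reply leaves through the socket bound to the address the request arrived on and therefore carries that address as its source. That is exactly the property source-keyed forwarding rules like the ipfw fwd lines in the thread depend on. The function names, the loopback self-check and the "probe" datagram are constructed for this example; on a real host you would pass the two WAN addresses from the thread (8.0.0.1 and 9.0.0.1) and the service port.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define MAX_LISTENERS 8

/* Open one UDP socket per local address and bind it to that address
 * (port 0 lets the kernel pick). Returns the number of sockets bound and
 * stores their descriptors in fds[]. A socket bound to a specific address
 * always sends with that address as source, instead of letting the
 * routing table choose it. */
static int bind_per_address(const char *const *addrs, int n, uint16_t port, int *fds)
{
    int bound = 0;
    for (int i = 0; i < n && bound < MAX_LISTENERS; i++) {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_port = htons(port);
        if (inet_pton(AF_INET, addrs[i], &sa.sin_addr) != 1)
            continue;                       /* skip unparsable addresses */
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0)
            continue;
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
            close(fd);                      /* address not configured, port busy, ... */
            continue;
        }
        fds[bound++] = fd;
    }
    return bound;
}

/* Port the kernel assigned to a bound socket (host byte order), 0 on error. */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Receive one datagram on fd and echo it back through the same socket, so
 * the reply's source address is the address fd is bound to. Returns bytes
 * echoed or -1. */
static ssize_t echo_one(int fd)
{
    char buf[1500];
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen);
    if (n < 0)
        return -1;
    return sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&peer, plen);
}

/* Constructed loopback self-check: bind a listener on 127.0.0.1, probe it
 * from an unbound client socket, echo, and confirm the reply's source
 * address is the listener's bound address. Returns 1 on success, else 0. */
static int selftest(void)
{
    const char *const addrs[] = { "127.0.0.1" };
    int fds[MAX_LISTENERS];
    if (bind_per_address(addrs, 1, 0, fds) != 1)
        return 0;
    int srv = fds[0], ok = 0;
    uint16_t port = bound_port(srv);
    int cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (port == 0 || cli < 0) { close(srv); if (cli >= 0) close(cli); return 0; }
    struct timeval tv = { 2, 0 };           /* don't hang if the echo is lost */
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);

    const char probe[] = "probe";           /* constructed test datagram */
    if (sendto(cli, probe, sizeof probe, 0, (struct sockaddr *)&dst, sizeof dst) == (ssize_t)sizeof probe
        && echo_one(srv) == (ssize_t)sizeof probe) {
        char buf[64], src[INET_ADDRSTRLEN];
        struct sockaddr_in from;
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        inet_ntop(AF_INET, &from.sin_addr, src, sizeof src);
        ok = n == (ssize_t)sizeof probe && memcmp(buf, probe, sizeof probe) == 0
             && strcmp(src, "127.0.0.1") == 0;
    }
    close(cli);
    close(srv);
    return ok;
}

int main(void)
{
    int ok = selftest();
    printf("per-address UDP bind self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

In a real daemon each descriptor from bind_per_address() would go into a select()/kqueue loop and echo_one() would be replaced by the service logic; the point is only that the answer is sent on the socket the request arrived on. Addresses that are not configured on the host are skipped rather than aborting the whole set, which matters when one of the two lines is down.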