Date:      Wed, 5 Apr 2017 14:33:52 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Nils Beyer <nbe@renzel.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID:  <20170405113352.GB20974@zxy.spb.ru>
In-Reply-To: <4956261.2DO1X0b8Gd@asbach.renzel.net>
References:  <4956261.2DO1X0b8Gd@asbach.renzel.net>

On Wed, Apr 05, 2017 at 01:20:57PM +0200, Nils Beyer wrote:

> Hi,
> 
> we have two internet lines here.
> 
> Following situation (IP addresses changed) on my server:
> 
> 	iface "wan1" = 8.0.0.1/24 - GW1 8.0.0.254 (internet line 1)
> 	iface "wan2" = 9.0.0.1/24 - GW2 9.0.0.254 (internet line 2)
> 
> Now I'd like it so that every packet that comes in on interface "wan1"
> is replied to on interface "wan1" via its "GW1". For every packet that
> comes in on interface "wan2", replies go to "GW2" via "wan2".

At the packet layer, "replies" don't exist. Every packet is independent
and has no history.

Also, it is possible to get packets for 9.0.0.1 via wan1, and this is
legitimate.

I.e. you can't build rules based on "replies", only on "origins", i.e. the
source IP address of the generated packets (as in your ipfw fwd rules).

UDP selects the source address based on routing information; the only case
where the default gateway interface is not used is multiple bind() calls in
the application.

> That's my "pf.conf"
> ------------------------------------------------------------------------------
> scrub in all
> 
> block in log
> pass in inet proto icmp
> pass in inet proto tcp to port { ssh }
> pass on lo0
> 
> pass out
> pass out on wan1 route-to (wan2 9.0.0.254) from wan2
> pass out on wan2 route-to (wan1 8.0.0.254) from wan1
> ------------------------------------------------------------------------------
> 
> guess what - it's not working.
> 
> 
> With tcpdump I see traffic from a remote "telnet 8.0.0.1 22" and a remote
> "telnet 9.0.0.1 22" going in on the corresponding interface, but the replies
> are always going through the default gateway.
> 
> I also have tried "no state" after the "route-to" rules without success.
> "pfctl -vs rules" shows that no outgoing packet matches one of the "route-to"
> rules. "reply-to" rules are working, but then I have to duplicate all incoming
> rules for every possible gateway route - or use tags; I'm not very happy with
> either solution.
> 
> 
> The thing that works for me is an additional use of "ipfw" for routing:
> ------------------------------------------------------------------------------
> kenv net.inet.ip.fw.default_to_accept=1
> kldload ipfw
> # fwd gw2 from wan2 via wan1
> ipfw add 65000 fwd 9.0.0.254 all from 9.0.0.1 to any via wan1
> # fwd gw1 from wan1 via wan2
> ipfw add 65001 fwd 8.0.0.254 all from 8.0.0.1 to any via wan2
> ------------------------------------------------------------------------------
> 
> 
> I'd really like to know where my fallacy lies...
> 
> 
> 
> TIA and regards,
> Nils

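An added example, not part of either message in this thread: a pf.conf for the dual-homed host described above that gives symmetric replies without the ipfw detour. It assumes the interface names and (changed) addresses from the original post. The point it demonstrates is the one the thread circles around: pf consults existing state before it evaluates rules, so the replies to connections admitted by a "pass in" rule match that rule's state on the way out and never reach the "pass out" ruleset, which is why the posted route-to rules show zero matches in "pfctl -vs rules" and why "no state" on those rules changes nothing. The return gateway therefore has to be attached where the state is created, with "reply-to" on the inbound rule; "route-to" on outbound rules still applies to locally originated traffic, which has no inbound state. Macros keep the per-gateway duplication to one line per service.

```pf
# Added example (not from the original thread): symmetric replies on a
# dual-homed FreeBSD host via pf "reply-to" on the inbound rules.
# Interface names and addresses are the (changed) ones from the post.
wan1 = "wan1"
wan2 = "wan2"
gw1  = "8.0.0.254"
gw2  = "9.0.0.254"

# Services accepted from the Internet; extend this list rather than
# adding a rule pair per service.
in_tcp = "{ ssh }"

set skip on lo0
scrub in all

block in log

# Inbound rules, one set per WAN interface. Each "pass in" creates state,
# and reply-to records in that state the gateway the return packets must
# use, independent of the default route. This is the only place a reply
# can be steered: by the time the reply leaves, it matches the state and
# the "pass out" rules below are never evaluated for it.
pass in on $wan1 reply-to ($wan1 $gw1) inet proto icmp
pass in on $wan1 reply-to ($wan1 $gw1) inet proto tcp to ($wan1) port $in_tcp

pass in on $wan2 reply-to ($wan2 $gw2) inet proto icmp
pass in on $wan2 reply-to ($wan2 $gw2) inet proto tcp to ($wan2) port $in_tcp

# Locally originated traffic has no inbound state, so route-to does take
# effect here: a socket bound to the wan2 address leaves via GW2 even when
# the kernel's default route would have sent it out wan1, and vice versa.
pass out quick on $wan1 route-to ($wan2 $gw2) from ($wan2)
pass out quick on $wan2 route-to ($wan1 $gw1) from ($wan1)
pass out
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vvs state` shows the recorded reply-to gateway per state entry. Note that this also covers the case raised in the reply: a packet for 9.0.0.1 arriving on wan1 is answered from 9.0.0.1 via GW1 on wan1, because the gateway follows the ingress interface, not the destination address.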