From: Alexandre Biancalana <ale@seudns.net>
Date: Mon, 12 Mar 2007 14:01:12 -0300
To: Tom Judge
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
Message-ID: <45F58758.6090103@seudns.net>
In-Reply-To: <45F58321.5050309@tomjudge.com>
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Hi List,
>>
>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>> links but I can't get the route-to rule to work as I need.
>>
>>                 (default gw)   ______
>>    Link A <-----------> |int A |
>>                         |      |
>>    Link B <-----------> |int B |
>>                         |______|
>>                        FreeBSD FW
>>
>> A simple thing that I need to do is test the two Internet links to
>> know if they are up or not. To do this I could ping or connect to TCP
>> ports on some external IPs through each link. Using nc and hping I
>> tried to generate connections/packets from each network interface
>> connected to each link, but the packets always go out by the
>> interface indicated by the machine's default route.
>>
>> I tried to add these rules in pf to force packets out by the right
>> interface based on their source address, but this does not work, and
>> the packets generated with the IP of int B are going out by int A.
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>> Am I forgetting something? Any comments?
>>
>
> Have you tried setting the source IP address to int B when using ping
> or your tcp sessions? This should force PF to do your source routing for
> you.
>
> Hope this helps
>
> Tom

Yes, I tried the following commands:

ping -S
nc -s
hping -I

All the commands generate the traffic with the source address of int B, but the traffic always goes out by int A... this is the problem, even with the rules:

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

that should "correct" the interface used to send this traffic out... right?!

I can provide more details if needed, but I think that this is a simple setup... I can't see why this does not work.... any other ideas??

Regards,
Alexandre
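As an added example, not from the original post or the author's configuration, a fuller pf.conf fragment for the two-link layout discussed in this thread; the interface names, gateway addresses and the port in the inbound rule are placeholders. It keeps the thread's two route-to rules, adds explicit keep state (6-STABLE pf did not default to stateful filtering) and adds a reply-to rule so replies to connections that arrived on link B leave through link B's gateway rather than the default route.

```conf
# Added illustration (not from the original post): two-link pf.conf
# fragment for the layout in the thread. Interface names, gateway
# addresses and the inbound port are assumptions, not the author's values.
int_a    = "em0"            # link A, carries the system default route
int_b    = "em1"            # link B
int_a_gw = "203.0.113.1"    # placeholder gateway for link A
int_b_gw = "198.51.100.1"   # placeholder gateway for link B

set skip on lo0

# Outbound policy routing by source address: a packet sourced from one
# link's address is handed to that link's gateway, whichever interface
# the kernel routing table picked for it. ($int) means the interface's
# current address(es).
pass out log quick on $int_a route-to ( $int_b $int_b_gw ) from ($int_b) to any keep state
pass out log quick on $int_b route-to ( $int_a $int_a_gw ) from ($int_a) to any keep state
pass out quick on $int_a from ($int_a) to any keep state
pass out quick on $int_b from ($int_b) to any keep state

# Inbound on the non-default link: reply-to records link B's gateway in
# the state, so answers go back out link B instead of the default route.
pass in log quick on $int_b reply-to ( $int_b $int_b_gw ) proto tcp from any to ($int_b) port 22 keep state
```

The thread does not establish why the author's locally generated traffic ignored the route-to rules, so this shows the usual multi-WAN shape rather than a confirmed fix; check the result with `pfctl -sr` and the pflog interface after loading it.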