From: "fr33man"
To: freebsd-pf@freebsd.org
Date: Fri, 3 Nov 2006 17:28:50 +0300
Subject: RE: Policy Based Routing pf

Thanks to all, I have solved the problem.

pf doesn't work because of the MTU. On shield the MTU was 1440:

    [fr33man@shield ~]$ ifconfig ng0
    ng0: flags=88d1 mtu 1440
            inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
    [fr33man@shield ~]$

And on the web server it was 1500. And now all works!!

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of fr33man
Sent: Friday, November 03, 2006 1:15 AM
To: freebsd-pf@freebsd.org
Subject: Policy Based Routing pf

Hi all!

I have one problem with pf. This is my network:

        ISP1            ISP2
          |               |
          |               |
          |               |
          |               |
        FreeBSD(shield)
              |
              |
              |
        Local_Network

My configuration: Local_Network has the address 192.168.1.0/24. The IP address of FreeBSD (hostname is shield) is 192.168.1.254 on the Local_Network, 192.168.98.2 on ISP1, and an external IP (for example 1.1.1.1) on ISP2. The default gateway is ISP1, and the IP address of the default gateway is 192.168.98.1. ISP2 gives me internet over VPN, and the gateway on ISP2 is 172.17.0.1.

This is the output of `ifconfig`:

    shield@/usr/local/etc> ifconfig
    dc0: flags=8843 mtu 1500
            options=8
            inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
            ether 00:05:1c:1e:6f:9e
            media: Ethernet autoselect (100baseTX )
            status: active
    fxp0: flags=8843 mtu 1500
            options=8
            inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:00:4b:51:07:84
            media: Ethernet autoselect (100baseTX )
            status: active
    pfsync0: flags=0<> mtu 2020
    pflog0: flags=0<> mtu 33208
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    ng0: flags=88d1 mtu 1440
            inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
    shield@/usr/local/etc>

I have compiled the kernel with pf:

    device pf
    device pflog
    device pfsync

And this is my pf.conf:

    shield@/usr/local/etc> cat /etc/pf.conf.back
    ext_if="ng0"
    scrub in all
    nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
    rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
    pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state
    pass all
    shield@/usr/local/etc>

192.168.1.230 is the web server's IP address.

And now I want to tell you one very interesting thing! ;) If I have an index.html of about 1 KB on the web server, everyone can see it (from the internet), but if index.html is about 11 KB nobody can see it from the internet!!!

Can you help me?

--
WBR Ozerov Vasiliy I.
Good Luck

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
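As an added illustration (not part of the thread), the following model shows why the 1 KB page loaded while the 11 KB page did not: the web server on a 1500-byte link fills TCP segments up to its own MSS, and any packet that ends up larger than the 1440-byte tunnel MTU on ng0 is lost. It assumes oversized packets are dropped rather than fragmented (DF set, no working path MTU discovery); the `max_mss` parameter models the usual firewall-side mitigation of clamping the MSS in the handshake, which pf offers as `scrub ... max-mss`.

```python
# Added example (not from the thread): model TCP segments crossing a tunnel whose
# MTU (1440, as on ng0 above) is smaller than the server's link MTU (1500).
# Assumption: packets larger than the tunnel MTU are dropped, not fragmented.
from typing import List, Optional

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options


def segment_sizes(payload_len: int, mss: int) -> List[int]:
    """Payload lengths of the segments a sender emits for payload_len bytes."""
    full, rest = divmod(payload_len, mss)
    return [mss] * full + ([rest] if rest else [])


def dropped_segments(payload_len: int, sender_mtu: int, path_mtu: int,
                     max_mss: Optional[int] = None) -> int:
    """Count segments that become packets larger than path_mtu.

    sender_mtu gives the MSS the server uses (MTU - 40 header bytes).
    max_mss models a firewall clamping the MSS option during the handshake,
    as pf's 'scrub ... max-mss' does; None means no clamping.
    """
    mss = sender_mtu - IP_TCP_HEADERS
    if max_mss is not None:
        mss = min(mss, max_mss)
    return sum(1 for seg in segment_sizes(payload_len, mss)
               if seg + IP_TCP_HEADERS > path_mtu)


def transfer_completes(payload_len: int, sender_mtu: int = 1500,
                       path_mtu: int = 1440, max_mss: Optional[int] = None) -> bool:
    """True if every segment of the response fits through the tunnel."""
    return dropped_segments(payload_len, sender_mtu, path_mtu, max_mss) == 0


if __name__ == "__main__":
    for size_kb in (1, 11):  # the two page sizes from the original post
        size = size_kb * 1024
        plain = "loads" if transfer_completes(size) else "stalls"
        clamped = "loads" if transfer_completes(size, max_mss=1400) else "stalls"
        print(f"{size_kb:>2} KB page: no clamping -> {plain} "
              f"({dropped_segments(size, 1500, 1440)} oversized segments); "
              f"max-mss 1400 -> {clamped}")
```

The 1 KB response is a single 1064-byte packet and fits; the 11 KB response produces seven 1500-byte packets that exceed the tunnel MTU, and clamping the MSS to 1400 (1440 minus headers) makes every packet fit again.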