From owner-freebsd-net@FreeBSD.ORG Mon Mar 12 17:19:19 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C53A616A401 for ; Mon, 12 Mar 2007 17:19:19 +0000 (UTC) (envelope-from ale@seudns.net)
Received: from connectmed.com.br (s200-189-171-55.ipb.diveo.net.br [200.189.171.55]) by mx1.freebsd.org (Postfix) with SMTP id F1DAC13C44C for ; Mon, 12 Mar 2007 17:19:18 +0000 (UTC) (envelope-from ale@seudns.net)
Received: (qmail 4015 invoked from network); 12 Mar 2007 17:16:04 -0000
Received: from unknown (HELO caco-new) (200.189.171.49) by donald.connectmed.com.br with SMTP; 12 Mar 2007 17:16:04 -0000
Received: (qmail 32207 invoked from network); 12 Mar 2007 17:19:16 -0000
Received: from unknown (HELO ?192.168.3.109?) (192.168.3.109) by localhost with SMTP; 12 Mar 2007 17:19:16 -0000
Message-ID: <45F58B94.9000308@seudns.net>
Date: Mon, 12 Mar 2007 14:19:16 -0300
From: Alexandre Biancalana
User-Agent: Thunderbird 1.5.0.9 (X11/20070206)
MIME-Version: 1.0
To: Tom Judge
References: <45F564B5.10307@seudns.net> <45F58321.5050309@tomjudge.com> <45F58758.6090103@seudns.net> <45F5889C.3010806@tomjudge.com>
In-Reply-To: <45F5889C.3010806@tomjudge.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-net@freebsd.org
Subject: Re: PF route-to behavior
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 12 Mar 2007 17:19:19 -0000

Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Hi List,
>>>>
>>>>
>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>> links but I can't get the route-to rule to function as I need.
>>>>
>>>>
>>>>   (default gw)              ______
>>>> Link A <----------->       |int A |
>>>>                            |      |
>>>> Link B <----------->       |int B |
>>>>                            |______|
>>>>                           FreeBSD FW
>>>>
>>>> A simple thing that I need to do is test the two Internet links to
>>>> know if they are up or not. To do this I could ping or connect to tcp
>>>> ports on some external ips through each link. Using nc and hping I
>>>> tried to generate connections/packets from each network
>>>> interface connected to each link, but the packets always go out by
>>>> the interface indicated by the machine's default route.
>>>>
>>>> I tried to add these rules in pf to force packets out by the right
>>>> interface based on their source address, but this does not work, and
>>>> the packets generated with the ip of int B are going out by int A.
>>>>
>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>
>>>>
>>>> Am I forgetting something? Any comments?
>>>>
>>>
>>> Have you tried setting the source IP address to int B when using
>>> ping or your tcp sessions? This should force PF to do your source
>>> routing for you.
>>>
>>> Hope this helps
>>>
>>> Tom
>>
>> Yes, I tried the following commands:
>>
>> ping -S
>> nc -s
>> hping -I
>>
>> All the commands generate the traffic with the source address of int B,
>> but the traffic always goes out by int A... this is the problem, even
>> with the rules:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>> that should "correct" the interface used to send this traffic out...
>> right ?!
>>
>> I can provide more details if needed, but I think that this is a simple
>> setup... I can't see why this does not work.... any other ideas ??
>>
>
>
> Did you try:
>
> ping -S -I

# ping -S -I
ping: invalid multicast interface: `'

But it should be ping -S -I , for the traffic to go out by int B with int B's source address, right? I tried that too and the same error happens.

From the ping man page:

[...]
     -I iface
             Source multicast packets with the given interface address.
             This flag only applies if the ping destination is a multicast
             address.
[...]
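The two route-to rules quoted in this thread, worked through as a small Python model of the egress selection they are written to produce. This is an added example, not code from the thread or from PF itself: the interface names, addresses and gateways are constructed stand-ins for the $int_a, $int_b, $int_a_gw and $int_b_gw macros, and the routing table is reduced to the single default route via link A that the poster describes. The model shows why plain `ping -S`/`nc -s` still leave via int A (the routing table never looks at the source address) and what the `pass out on $int_a route-to (...) from $int_b` rule is meant to change; it does not explain why the poster's packets still left via int A.

```python
"""Model of PF 'pass out ... route-to' egress selection for a dual-link box.

Added example; not PF source and not code from the mailing list.  All
interface names, addresses and gateways below are constructed values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    on_iface: str      # 'pass out on <iface>': interface the rule is evaluated on
    route_iface: str   # 'route-to ( <iface> <gw> )': interface the packet is moved to
    route_gw: str      # next hop used on that interface
    src_net: str       # 'from <net>': source address the rule matches


# Constructed macro values standing in for $int_a / $int_b and their gateways.
INT_A, INT_A_ADDR, INT_A_GW = "em0", "198.51.100.10", "198.51.100.1"
INT_B, INT_B_ADDR, INT_B_GW = "em1", "203.0.113.10", "203.0.113.1"

# The two rules from the thread, with macros expanded.
RULES = [
    # pass out on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
    Rule(INT_A, INT_B, INT_B_GW, INT_B_ADDR),
    # pass out on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
    Rule(INT_B, INT_A, INT_A_GW, INT_A_ADDR),
]


def routing_table_egress(dst: str) -> tuple[str, str]:
    """Kernel route lookup with only a default route installed.

    The lookup is keyed on the destination alone, so a packet sourced from
    int B's address is still handed to int A.  This is what the poster sees
    with ping -S, nc -s and hping -I when no pf rule intervenes.
    """
    ipaddress.ip_address(dst)  # validate the destination; value is otherwise unused
    return INT_A, INT_A_GW


def pf_egress(src: str, dst: str, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (interface, gateway) a locally generated packet leaves through.

    Sequence modelled: the routing table picks an interface; pf then runs the
    'pass out on <that interface>' rules, last matching rule wins (none of the
    rules carries 'quick'), and a matching route-to replaces both the egress
    interface and the next hop.  Filtering that pf performs again on the new
    interface is not modelled here.
    """
    iface, gw = routing_table_egress(dst)
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        on_this_iface = rule.on_iface == iface
        src_matches = src_ip in ipaddress.ip_network(rule.src_net, strict=False)
        if on_this_iface and src_matches:
            iface, gw = rule.route_iface, rule.route_gw  # last match wins
    return iface, gw


def link_probe_plan(dst: str) -> dict[str, tuple[str, str]]:
    """For a link check, which interface/gateway each source address uses.

    Keys are the source addresses a probe would be bound to (ping -S, nc -s);
    values are the egress pf would select for them under RULES.
    """
    return {src: pf_egress(src, dst) for src in (INT_A_ADDR, INT_B_ADDR)}


if __name__ == "__main__":
    probe_target = "192.0.2.1"  # constructed external address to probe
    print("without pf rules :", pf_egress(INT_B_ADDR, probe_target, rules=[]))
    print("with route-to    :", pf_egress(INT_B_ADDR, probe_target))
    for src, (iface, gw) in link_probe_plan(probe_target).items():
        print(f"probe from {src:<15} leaves via {iface} gw {gw}")
```

Running it prints the int B probe leaving via em0 when the rule list is empty and via em1 once the route-to rule is in place; the `link_probe_plan` output is the table a link-monitoring script would want before trusting that a failed probe really reflects the state of that link and not just the default route.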