From owner-freebsd-pf@FreeBSD.ORG Fri Nov 3 20:11:14 2006
From: "fr33man" <fr33man@fr33man.ru>
To: freebsd-pf@freebsd.org
Date: Fri, 3 Nov 2006 23:09:02 +0300
Subject: RE: Policy Based Routing pf
In-Reply-To: <20061103162900.GQ63502@ns2.wananchi.com>
Message-Id: <20061103201113.EDE6743D46@mx1.FreeBSD.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

First, I changed my pf rule from this:

pass in on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state

to this:

pass in log-all on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state

Then I tried to access my site, and on the console I was listening on the pflog0 interface with tcpdump:

web# tcpdump -i pflog0
... skipped ...
web#

I saw ICMP packets going to the web server. In the packets I saw errors about the MTU. Then I entered this command on the web server:

stronghold# ifconfig xl0
xl0: flags=8843 mtu 1500
        options=9
        inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
        inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
        ether 00:04:79:66:2d:87
        media: Ethernet autoselect (100baseTX )
        status: active
stronghold# ifconfig xl0 mtu 1440
stronghold# ifconfig xl0
xl0: flags=8843 mtu 1440
        options=9
        inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
        inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
        ether 00:04:79:66:2d:87
        media: Ethernet autoselect (100baseTX )
        status: active
stronghold#

I changed the MTU to 1440 because my VPN channel had an MTU of 1440:

shield@/root> ifconfig ng0
ng0: flags=88d1 mtu 1440
        inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
shield@/root>

That's all. If there are any questions, you can ask me. ;)

ICQ: 539-555
Skype: fr33manees
Email: fr33man@fr33man.ru

--
Good luck

-----Original Message-----
From: Odhiambo Washington [mailto:wash@wananchi.com] On Behalf Of Odhiambo WASHINGTON
Sent: Friday, November 03, 2006 7:29 PM
To: fr33man
Subject: Re: Policy Based Routing pf

Hi Freeman,

Could you please post the complete solution? Or just post the whole solution to me.

Thanking you in advance!!

* On 03/11/06 17:28 +0300, fr33man wrote:
| Thanks to all, I have solved the problem. Pf doesn't work because of the MTU.
| On shield the MTU was 1440:
|
| [fr33man@shield ~]$ ifconfig ng0
| ng0: flags=88d1 mtu 1440
|         inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
| [fr33man@shield ~]$
|
| And on the web server it was 1500. And now all works!!
|
|
| -----Original Message-----
| From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of fr33man
| Sent: Friday, November 03, 2006 1:15 AM
| To: freebsd-pf@freebsd.org
| Subject: Policy Based Routing pf
|
| Hi all!
|
| I have one problem with pf. This is my network:
|
|     ISP1          ISP2
|       |             |
|       +------+------+
|              |
|       FreeBSD(shield)
|              |
|        Local_Network
|
| My configuration:
|
| Local_Network has address 192.168.1.0/24.
| The IP address of the FreeBSD box (hostname shield) is 192.168.1.254 on the
| Local_Network, 192.168.98.2 on ISP1 and an external IP (for example
| 1.1.1.1) on ISP2.
| The default gateway is ISP1, and the IP address of the default gateway is
| 192.168.98.1.
| ISP2 gives me internet over VPN, and the gateway on ISP2 is 172.17.0.1. This is
| the output of `ifconfig`:
|
| shield@/usr/local/etc> ifconfig
| dc0: flags=8843 mtu 1500
|         options=8
|         inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
|         ether 00:05:1c:1e:6f:9e
|         media: Ethernet autoselect (100baseTX )
|         status: active
| fxp0: flags=8843 mtu 1500
|         options=8
|         inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
|         ether 00:00:4b:51:07:84
|         media: Ethernet autoselect (100baseTX )
|         status: active
| pfsync0: flags=0<> mtu 2020
| pflog0: flags=0<> mtu 33208
| lo0: flags=8049 mtu 16384
|         inet 127.0.0.1 netmask 0xff000000
| ng0: flags=88d1 mtu 1440
|         inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
| shield@/usr/local/etc>
|
| I have compiled the kernel with pf:
|
| device pf
| device pflog
| device pfsync
|
| And this is my pf.conf:
|
| shield@/usr/local/etc> cat /etc/pf.conf.back
|
| ext_if="ng0"
|
| scrub in all
|
| nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
|
| rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
|
| pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state
|
| pass all
| shield@/usr/local/etc>
|
| 192.168.1.230 - web server IP address.
|
| And now I want to tell you one very interesting thing! ;)
|
| If I have an index.html of about 1 Kb on the web server, everyone can see
| it (from the internet), but if index.html is about 11 kb nobody can see it
| from the internet!!!
|
| Can you help me?
|
| --
| WBR Ozerov Vasiliy I.
| Good Luck
|
| _______________________________________________
| freebsd-pf@freebsd.org mailing list
| http://lists.freebsd.org/mailman/listinfo/freebsd-pf
| To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER:
See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
|\     _,,,---,,_      | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
|,4-  ) )-,_. ,\ (  `'-'  | Tel: +254 20 313985-9  +254 20 313922
'---''(_/--'  `-'\_)      | GSM: +254 722 743223   +254 733 744121
+======================================================================+

Of course there's no reason for it, it's just our policy.
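An added example, not from the thread or from anyone posting in it: a POSIX sh script that pulls the tunnel and web-server MTUs out of ifconfig-style output (the sample text is constructed from the values quoted above), flags the 1500-versus-1440 mismatch the poster found, and emits a pf scrub rule with max-mss so the firewall clamps the TCP MSS on ng0 instead of every inside host's MTU being lowered by hand. Replacing the bare `scrub in all` with a max-mss rule is my suggestion, not something the poster did.

```shell
#!/bin/sh
# Added example: derive a pf MSS clamp from interface MTUs. Not code from the thread.

# Constructed sample modelled on the thread: the VPN tunnel (ng0, mtu 1440) on
# "shield" and the web server's xl0 as it was before it was changed (mtu 1500).
IFCONFIG_SAMPLE='ng0: flags=88d1 mtu 1440
        inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
xl0: flags=8843 mtu 1500
        inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255'

# iface_mtu NAME TEXT: print the MTU of interface NAME found in TEXT.
iface_mtu() {
    printf '%s\n' "$2" | awk -v want="$1:" '
        $1 == want { for (i = 1; i <= NF; i++) if ($i == "mtu") print $(i + 1) }'
}

# mss_for_mtu MTU: largest IPv4 TCP MSS that fits in MTU
# (20 bytes IPv4 header + 20 bytes TCP header, no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# mtu_mismatch INSIDE_MTU TUNNEL_MTU: succeed (0) when an inside host can emit
# packets larger than the tunnel carries, i.e. the situation in the thread where
# a 1 kB page fits but an 11 kB page never arrives.
mtu_mismatch() {
    [ "$1" -gt "$2" ]
}

# scrub_rule IF MTU: pf scrub line clamping the MSS in both directions on IF.
# Assumes the max-mss scrub option of pf; clamping the MSS in the SYN that
# arrives on the tunnel makes the web server send segments that fit the tunnel.
scrub_rule() {
    printf 'scrub on %s all max-mss %d\n' "$1" "$(mss_for_mtu "$2")"
}

tunnel=$(iface_mtu ng0 "$IFCONFIG_SAMPLE")
inside=$(iface_mtu xl0 "$IFCONFIG_SAMPLE")
if mtu_mismatch "$inside" "$tunnel"; then
    echo "# web server MTU $inside exceeds tunnel MTU $tunnel; clamp MSS on ng0:"
    scrub_rule ng0 "$tunnel"
fi
```

On a real box feed the output of `ifconfig` from the firewall and the server in place of the constructed sample; the emitted line goes into pf.conf in place of `scrub in all`.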