From owner-freebsd-pf@FreeBSD.ORG Tue Jan 26 11:07:26 2010
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 74D21106566B for ; Tue, 26 Jan 2010 11:07:26 +0000 (UTC) (envelope-from frank@jasmin.behrens.de)
Received: from post.behrens.de (post.behrens.de [IPv6:2a01:170:1023::1:2]) by mx1.freebsd.org (Postfix) with ESMTP id D18CE8FC14 for ; Tue, 26 Jan 2010 11:07:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=behrens.de; h=from:to:date:mime-version:subject:in-reply-to:content-type:content-transfer-encoding:content-description; s=pinky1; t=1264504044; i=frank@jasmin.behrens.de; bh=UZ2zyAJnpxiyGT0qg0wQIQ8+tcWrzK7kf/7LPN/Iu6Y=; b=otyT4VtcBj/FXzqgv70I4YKRM+a8CDg1/p/EeIhgP2RTYWvhITE3L2dcahCm+aZy4sldZr4Y/rQvEXqtlPCSKQ==
Received: from sun.behrens ([IPv6:2a01:170:1023:0:312e:e393:fa6:d22c]) by post.behrens.de (8.14.3/8.14.3) with ESMTP(MSA) id o0QB7Gbq034146 for ; Tue, 26 Jan 2010 12:07:18 +0100 (CET) (envelope-from frank@jasmin.behrens.de)
Message-Id: <201001261107.o0QB7Gbq034146@post.behrens.de>
From: "Frank Behrens"
To: freebsd-pf@freebsd.org
Date: Tue, 26 Jan 2010 12:07:16 +0100
MIME-Version: 1.0
Priority: normal
In-reply-to: <4B5EBDAC.2030605@gmail.com>
X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-Hashcash: 1:23:100126:freebsd-pf@freebsd.org::hS7/abpAAPnsxibz:00000000000sEpK
Subject: Re: Routing router-originating traffic via route-to rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 26 Jan 2010 11:07:26 -0000

Stefan wrote on 26 Jan 2010 12:02:
> I've googled this one to bits and pulled out quite a lot of hair:
> Basically I need a way to route, using "route-to" filter rules, the
> traffic originating on the freebsd router itself. The problem with doing
> this is that pf only sees the packets on their way out, when an outbound
> interface has already been chosen by the routing tables. Therefore pf's
> route-to rules have no effect on locally originating traffic.

I always had some trouble with this approach. I used rules like

nat inet from any to xxx port yyy tag IF2 -> $myaddr
pass out quick on $iface from $myaddr to any tag IF2
pass out quick on $defaultinterface route-to ($iface $hisaddr) tagged IF2

Now I'm using an associated FIB (setfib(8)) for desired processes and it works very well without any trouble. Routed traffic is also assigned to the fib with pf's "rtable" option.

Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
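The FIB-based setup Frank describes, written out as an added example that is not part of the original post: a pf.conf fragment for a router with two uplinks, where forwarded traffic is steered with pf's "rtable" option and router-originated traffic is steered by starting the process under setfib. The interface names, addresses, the FIB number and the FreeBSD setup commands quoted in the comments are assumptions for illustration, not taken from the thread.

```pf
# Added example (not from the mailing-list post). Interface names,
# addresses and the FIB number are assumptions.
#
# Assumed one-time setup outside pf.conf (FreeBSD):
#   /boot/loader.conf:   net.fibs=2               # enable a second routing table
#   setfib 1 route add default 198.51.100.1       # default route for FIB 1 only
#   setfib 1 fetch https://example.org/           # run a process with FIB 1
# The route for FIB 1 is chosen by the kernel before pf sees the packet,
# which is why no route-to rule is needed for locally generated traffic.

ext_if  = "em0"                # primary uplink, default route lives in FIB 0
alt_if  = "em1"                # secondary uplink, default route lives in FIB 1
lan_if  = "em2"
lan_net = "192.168.10.0/24"

# Source NAT on whichever uplink a packet actually leaves on.
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $alt_if from $lan_net to any -> ($alt_if)

# Forwarded traffic: "rtable 1" on the inbound rule tags the packet with
# FIB 1, so the kernel routes it via $alt_if; everything else stays in FIB 0.
pass in quick on $lan_if inet proto tcp from $lan_net to any port 443 rtable 1
pass in quick on $lan_if from $lan_net to any

# Router-originated traffic: a process started with setfib already had its
# route picked from FIB 1 and leaves on $alt_if with $alt_if's own address
# as source, so plain pass-out rules are sufficient.
pass out quick on $ext_if from ($ext_if) to any
pass out quick on $alt_if from ($alt_if) to any
```

With this layout the tag/route-to rules from the post are no longer needed: the routing decision for both classes of traffic is made by the FIB lookup, and pf only has to let the packets out on the interface the lookup chose. When checking the result, compare `setfib 0 netstat -rn` and `setfib 1 netstat -rn` to confirm each FIB carries the intended default route, and watch `pfctl -ss` to see that states for the rtable-tagged flows are created on $alt_if.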