Date: Sun, 14 Aug 2005 15:31:14 +0200
From: Nils Vogels <nivo+sender+38c70d@yuckfou.org>
To: freebsd-pf@freebsd.org
Subject: Dual-feed: PF setup troubles
Message-ID: <42FF47A2.1090208@yuckfou.org>
Hi there!

I've got two internet connections with two different ISPs and would like to use one for my own use, while the other serves various services from various servers inside my network and directly on the firewall. Both connections end up at one firewall. The firewall has one default route to ISP1, and I would like to have PF find out if the packet needs to travel to ISP1 or ISP2, based on the IP address information of the request.

Right now, I'm trying things like this, but for some reason they don't work:

[ I have taken DNS as an example here, but there are various TCP and UDP based services that seem to have this problem. ]

ISP1 = "xl0"
ISP2 = "ed0"
LAN  = "rl0"

ipv4_isp1      = "1.1.1.1/32"     # My interface IP to ISP1
ipv4_isp2      = "2.2.2.2/32"     # My interface IP to ISP2
ipv4_gw_isp2   = "2.2.2.1"        # ISP2's gateway IP
ipv4_lan_range = "172.16.0.0/16"  # My local network

# Set up NAT for my connections
nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Handle incoming traffic for my DNS server
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto udp from any port > 1023 to $ipv4_isp2 port 53 keep state

# Handle outgoing traffic, originated locally
pass out quick log on $ISP2 route-to ($ISP2 $ipv4_gw_isp2) proto udp from $ipv4_isp2 to any port 53 keep state

Looking into the logs, I see the incoming connection coming in and being accepted; however, I do not see the outgoing originating packets being logged. When I run tcpdump to troubleshoot, I see packets with source IP $ipv4_isp2 travelling over interface $ISP1, and thus I get no reply. I must be running into some anti-spoofing lists at ISP1.

I have my nameserver bound to the interface IP address $ipv4_isp2.

Apart from my setup being somewhat unusual, could someone maybe point out what I am doing wrong here?

Thanks a bunch!

Nils.
-- 
Simple guidelines to happiness: Work like you don't need the money, love like your heart has never been broken and dance like no one can see you.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42FF47A2.1090208>
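The usual reason a rule like the one above never logs is that a locally originated packet sourced from the ISP2 address follows the kernel's default route and so is first evaluated as "out on xl0", where a `pass out on $ISP2` rule cannot see it. The ruleset below is an added example, not part of the original post, showing the same macros with the policy-routing rule moved to the default-route interface; it assumes xl0 really is the default-route interface, that pf filters a route-to'd packet again on the new outgoing interface (so the ed0 rule is still needed), and that the trailing block rule is wanted as a guard.

```pf
# Added example: same macros as the post, reordered so that packets from the
# ISP2 address are caught on the default-route interface and routed to ISP2.
ISP1 = "xl0"
ISP2 = "ed0"
ipv4_isp1      = "1.1.1.1/32"
ipv4_isp2      = "2.2.2.2/32"
ipv4_gw_isp2   = "2.2.2.1"
ipv4_lan_range = "172.16.0.0/16"

nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Inbound DNS via ISP2: reply-to sends the state's return traffic back out
# through ISP2's gateway instead of following the default route.
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) \
    proto udp from any port > 1023 to $ipv4_isp2 port 53 keep state

# Locally originated DNS queries sourced from the ISP2 address are handed to
# the default route, i.e. they first show up as "out on xl0". Match them there
# and route-to the ISP2 gateway; the state keeps the replies on the same path.
pass out quick log on $ISP1 route-to ($ISP2 $ipv4_gw_isp2) \
    proto udp from $ipv4_isp2 to any port 53 keep state

# Assumption: after route-to the packet is filtered again on ed0, so it still
# needs a matching pass rule on that interface.
pass out quick log on $ISP2 proto udp from $ipv4_isp2 to any port 53 keep state

# Guard (assumption that this is wanted): anything else sourced from the ISP2
# address that would leave via ISP1 is dropped and logged here instead of
# being silently eaten by ISP1's anti-spoofing filter.
block out log on $ISP1 from $ipv4_isp2 to any
```

`tcpdump -n -e -i pflog0` shows the interface and rule number for each logged packet, which is the quickest way to confirm the query is now logged on xl0 by the route-to rule and actually leaves via ed0.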