Date: Fri, 05 Feb 2010 14:56:31 +0200
From: Stefan <stefanferreira@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: How make the route-to working ?
Message-ID: <4B6C157F.2080301@gmail.com>
In-Reply-To: <20100205123254.GN11310@obspm.fr>
References: <20100205123254.GN11310@obspm.fr>

Hi,

Pf doesn't seem to be able to route packets on the outbound interface.
Therefore you always have to put the route-to statements on "pass in on..."
rules.

I don't have experience setting up pf in a server environment, but I believe
that rdr rules are normally used for what you are trying to achieve...

Regards,
Stefan

On 2010-02-05 14:32, Albert Shih wrote:
> Hi all,
>
> I've a problem with route-to.
>
> I've a server with 2 interfaces, and I'm running jail on this server. Each
> interface has its own public IP address.
>
> eth0 -- IP0        eth1 -- IP1
>
> and I've a default route (for example in IP0 subnet).
>
> So if the jail is in the IP0 subnet, no problem, everything works.
>
> Now if I put a jail in the IP1 subnet, and some client tries to connect to
> this jail, the answer comes out through eth0 because of the default route
> (suppose the client is not on my subnet).
>
> I don't want that. I want the answer to come out through eth1.
>
> I'm trying to use pf to do that and put in my pf.conf something like
>
> pass in all
> pass out all
> pass out on eth0 route-to {(eth0 IP0_Gateway)} from<IP0> to ! IP0_subnet
> pass out on eth1 route-to {(eth1 IP1_Gateway)} from<IP1> to ! IP1_subnet
>
> but it's not working; if I run a tcpdump on the host I can see the
> incoming packets come in from eth1 and the outgoing come out on eth0.
>
> And if I try to remove the default route the outgoing packets don't come out....
>
> Any help?
>
> Regards.
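
A sketch of an inbound-rule policy for the two-interface setup in the question, using pf's reply-to option on the "pass in" rule. This is an added example, not configuration from either poster; the addresses are constructed documentation values standing in for IP1, IP1_Gateway and IP1_subnet, and it covers only connections that clients open towards the jail on eth1.

```conf
# Added example. Constructed values: 198.51.100.0/24 stands in for the
# poster's IP1 subnet; eth0/eth1 are the interface names from the question.
if0  = "eth0"               # interface in the default-route subnet
if1  = "eth1"               # second interface, carries the jail address
ip1  = "198.51.100.10"      # jail address on eth1 (constructed)
gw1  = "198.51.100.1"       # gateway of the eth1 subnet (constructed)
net1 = "198.51.100.0/24"    # eth1 subnet (constructed)

# pf evaluates rules top to bottom and the last matching rule wins,
# so the general rules come first and the specific one last.
block in log all
pass out all keep state
pass in on $if0 all keep state

# Clients on the eth1 subnet itself are on-link: no rerouting needed.
pass in on $if1 from $net1 to $ip1 keep state

# Off-subnet clients reaching the jail through eth1: the state created
# by this rule records the reply-to target, so the answers leave via
# eth1 and gw1 instead of following the default route out of eth0.
pass in on $if1 reply-to ($if1 $gw1) from ! $net1 to $ip1 keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, then repeat the tcpdump check from the question to confirm that the replies now leave on eth1.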