Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Hi List,
I'm doing a firewall setup using 6-STABLE + PF with two Internet
links, but I can't get the route-to rule to work as I need.
         (default gw)   ______
Link A <-----------> |int A |
                     |      |
Link B <-----------> |int B |
                     |______|
                     FreeBSD FW
A simple thing that I need to do is test the two Internet links to
know if they are up or not. To do this I could ping or connect to TCP
ports on some external IPs through each link. Using nc and hping I
tried to do this, generating connections/packets from each network
interface connected to each link, but the packets always go out by
the interface indicated by the machine's default route.
I tried to add these rules in pf to force packets out by the right
interface based on their source address, but this does not work, and
the packets generated with the IP of int B are going out by int A.
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
Am I forgetting something ? Any comments ?
Have you tried setting the source IP address to int B when using
ping or your TCP sessions? This should force PF to do your source
routing for you.
Hope this helps
Tom
Yes, I tried the following commands:
ping -S <int B address>
nc -s <int B address>
hping -I <int B>
All the commands generate the traffic with the source address of int B,
but the traffic always goes out by int A... this is the problem, even
with the rules:
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
that should "correct" the interface used to send this traffic out...
right?!
I can provide more details if needed, but I think that this is a simple
setup... I can't see why this does not work.... any other ideas??
Did you try:
ping -S <ip B addr> -I <if A>
# ping -S <ip B addr> -I <if A>
ping: invalid multicast interface: `<if A>'
but it should be ping -S <ip B addr> -I <if B>, for the traffic to go out
by int B with int B's source address, right? I tried that too and the same
error happens.
From ping man page:
[...]
     -I iface
             Source multicast packets with the given interface address.  This
             flag only applies if the ping destination is a multicast
             address.
[...]
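For reference, an added example that is not from any of the posters above: a pf.conf fragment for the two-link layout in the thread, with the route-to rules marked quick so that a later generic pass out rule cannot become the last matching rule and override them (pf applies the last matching rule unless one is marked quick), plus the checks used to confirm which interface the probe packets actually leave on. Interface names, addresses and gateways are assumed placeholders.

```pf
# Added example, not from the thread.  Interface names, addresses and
# gateways below are assumed placeholders.
int_a    = "em0"            # Link A, carries the system default route
int_b    = "em1"            # Link B
int_a_gw = "192.0.2.1"      # Link A gateway (placeholder)
int_b_gw = "198.51.100.1"   # Link B gateway (placeholder)

# A packet the routing table sends out int A but that carries int B's
# address is redirected out int B to B's gateway, and vice versa.
# "quick" ends rule evaluation on a match, so the generic pass out
# rule further down cannot be the last match for these packets.
pass out quick log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out quick log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

# Generic rule for everything else.  Without "quick" above, this rule
# would also match the source-routed packets and, being later, win.
pass out on { $int_a, $int_b } from any to any keep state

# Verification (run as root; placeholders as above):
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf   # syntax check, then load
#   ping -S 198.51.100.10 -c 3 <external host>         # probe with int B's address
#   tcpdump -n -e -ttt -i pflog0                       # which rule logged the match
#   tcpdump -n -i em1 icmp                             # did it really leave via int B?
#   pfctl -vvsr                                        # per-rule evaluation/match counters
```

Watching the wire on the intended outgoing interface (the second tcpdump line) is the check that settles it, since the pflog entry only names the rule and the interface the rule was evaluated on.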
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"