Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Hi List,
I'm doing a firewall setup using 6-STABLE + PF with two internet
links, but I can't get the route-to rule to work as I need.
                     (default gw)   ______
Link A <-----------> |int A |
                     |      |
Link B <-----------> |int B |
                     |______|
                     FreeBSD FW
A simple thing that I need to do is test the two Internet links
to know if they are up or not. To do this I could ping or
connect to TCP ports on some external IPs through each link. Using
nc and hping I tried to do this by generating connections/packets from
each network interface connected to each link, but the packets
always go out by the interface indicated by the machine's default route.
I tried to add these rules in pf to force packets out by the
right interface based on their source address, but this does not
work, and the packets generated with the IP of int B are going out
by int A.
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
My mistake, I only looked at the header of the ping man page.
These are the rules that I would use in that situation:
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24
if_b=em1
ip_b=192.168.1.2
gw_b=192.168.1.1
net_b=192.168.1.0/24
# a packet sourced from one link's address that is about to leave via the
# other interface is handed to its own gateway instead
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_b to ! $net_b
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_a to ! $net_a
The difference is that my rules are for internet traffic, I don't have
fixed destinations....
Ok, so substitute the private IP addresses and networks in the rules (and
the interfaces) and you should be sorted. We use exactly the same
configuration but with both public IP addresses on one interface. Then
if you connect from $ip_b to a public IP address not in $net_b you
should see it routed via if_b to $gw_b. The only time I have seen these
rules fail is when the IPSec code in the kernel transmits ESP packets,
which seem to pass through pf with some weird interface set or don't
pass through pf at all. All other traffic generated on ip_a or ip_b
will always pass to the correct ISP's router.
The fact that the example rules I posted used private IP addresses is
neither here nor there; if you make the appropriate changes to:
ip_[ab]
gw_[ab]
net_[ab]
if_[ab]
Then the example rules should do what you want.
I just had an idea of one way to possibly test this: add a static
destination route to an external host, e.g. www.google.com, via gw_b,
then ping said host with the source address of ip_a. This should cause
the packet from ip_a to pass out if_b. The rules I posted above will
catch the packet and then change the route to gw_a and transmit the
packet via if_a.
This is totally untested and may not work, but it should do.
Tom
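The link test the thread is after (generate a probe from each link's own source address so the route-to rule can steer it out the right interface) can be scripted instead of done by hand with nc or hping. The following is an added example and not code from the thread or from FreeBSD; the interface names, addresses, gateways and networks in LINKS are constructed placeholders, and the TCP-connect probe binds its local end to the link's address, which is the part the default route alone gets wrong. The loopback listener exists only so the probe can be exercised offline; in production the target is an external host reachable over both links.

```python
import socket
import threading

# Constructed placeholder values for the two links; substitute your own.
LINKS = {
    "a": {"if": "em0", "ip": "192.168.0.2", "gw": "192.168.0.1", "net": "192.168.0.0/24"},
    "b": {"if": "em1", "ip": "192.168.1.2", "gw": "192.168.1.1", "net": "192.168.1.0/24"},
}


def pf_route_to_rules(links):
    """Render the two pf route-to rules for a two-link firewall.

    A packet sourced from one link's address that the default route would
    push out the other interface is handed to its own gateway instead.
    """
    a, b = links["a"], links["b"]
    return (
        f"pass out log on {a['if']} route-to ( {b['if']} {b['gw']} ) "
        f"from {b['ip']} to ! {b['net']}\n"
        f"pass out log on {b['if']} route-to ( {a['if']} {a['gw']} ) "
        f"from {a['ip']} to ! {a['net']}"
    )


def probe_link(src_ip, host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds with the local
    end bound to src_ip. Binding the source address is what lets the
    route-to rule select the interface; without it the probe always leaves
    via the default route, which is the behaviour the thread complains about.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((src_ip, 0))  # port 0: any free local port
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def check_links(links, host, port):
    """Probe host:port once from each link's own address; returns {name: up?}."""
    return {name: probe_link(cfg["ip"], host, port) for name, cfg in links.items()}


def _local_listener():
    """Throwaway TCP listener on loopback so the probe can run offline
    (constructed for this example only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return  # listener closed

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    print(pf_route_to_rules(LINKS))
    srv = _local_listener()
    port = srv.getsockname()[1]
    print("loopback probe:", probe_link("127.0.0.1", "127.0.0.1", port))
    srv.close()
```

On the firewall itself, check_links(LINKS, "<external host>", 80) run from cron gives a simple up/down view per link; a link whose probe fails while the other succeeds is the one whose gateway is unreachable, provided the rendered rules are loaded and the probe really is bound to that link's address (pfctl -s rules and the log on the rule confirm the match).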
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"