Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Tom Judge wrote:
Alexandre Biancalana wrote:
Hi List,
I'm doing a firewall setup using 6-STABLE + PF with two
Internet links, but I can't get the route-to rule function to work as I
need.
(default gw)          ______
Link A <-----------> |int A |
                     |      |
Link B <-----------> |int B |
                     |______|
                      FreeBSD FW
A simple thing that I need to do is test the two Internet links
to know if they are up or not. To do this I could ping or
connect to TCP ports on some external IPs through each link. Using
nc and hping I tried to do this, generating connections/packets from
each network interface connected to each link, but the packets
always go out by the interface indicated by the machine's default
route.
I tried to add these rules in pf to force packets out by the
right interface based on their source address, but this does not
work, and the packets generated with the IP of int B are going out
by int A.
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
My mistake, I only looked at the header of the ping man page.
These are the rules that I would use in that situation:
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24
if_b=em1
ip_b=192.168.1.2
gw_b=192.168.1.1
net_b=192.168.1.0/24
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
The difference is that my rules are for Internet traffic; I don't
have fixed destinations....
OK, so substitute the private IP addresses and networks in the rules
(and the interfaces) and you should be sorted. We use exactly the same
configuration but with both public IP addresses on one interface.
Then if you connect from $ip_b to a public IP address not in $net_b
you should see it routed via if_b to $gw_b. The only time I have seen
these rules fail is when the IPsec code in the kernel transmits ESP
packets, which seem to pass through pf with some weird interfaces set or
don't pass through pf at all. All other traffic generated on ip_a or
ip_b will always pass to the correct ISP's router.
The fact that the example rules I posted used private IP addresses is
neither here nor there; if you make the appropriate changes to:
ip_[ab]
gw_[ab]
net_[ab]
if_[ab]
then the example rules should do what you want.
I understand that, I just don't see much difference between your rules and my
example rules... both examples should work... but here neither of them
works.....
Adding a static destination route to an external host via gw_b and pinging
with int_a's address, the packet exits by int_b with int_a's source
address... the same behavior...
I tried your way:
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to ! int_b:network
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to ! int_a:network
# pfctl -vv -sr
@28 pass out log on int_a route-to (int_b int_b_gw) inet from int_b_ip to ! int_b:network
  [ Evaluations: 88  Packets: 0  Bytes: 0  States: 0 ]
@29 pass out log on int_b route-to (int_a int_a_gw) inet from int_a to ! int_a:network
  [ Evaluations: 80  Packets: 0  Bytes: 0  States: 0 ]
Any more hints?!
Alexandre
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
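The two things that go wrong in a thread like this one are a macro block that does not define what the rules reference, and route-to rules whose counters show they were consulted but never matched anything (the `Evaluations: 88 Packets: 0` lines above say exactly that: pf looked at the rule 88 times and it never matched a packet). The following Python script is an added example, not code from this thread, from pf or from FreeBSD; it needs only the standard library. Its sample pf.conf is constructed and contains a copy-and-paste slip of the kind that is easy to make in such a macro block (the B-side macros named ip_a/gw_a/net_a instead of ip_b/gw_b/net_b), and its sample `pfctl -vv -sr` output is constructed to match the shape of the output quoted above.

```python
#!/usr/bin/env python3
"""Two sanity checks for a dual-uplink pf route-to setup (added example, stdlib only).

check_macros():  finds pf.conf macros that are referenced but never defined,
                 defined more than once, or defined but never used.
never_matched(): parses `pfctl -vv -sr` output and lists rules whose counters
                 show Evaluations > 0 but Packets == 0, i.e. rules that were
                 consulted but never matched any traffic.
"""
import re

# A macro definition is `name=value` on its own line; values may be quoted.
MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
# A macro reference is `$name` (also inside forms such as `$if_b:network`).
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# One rule plus its counter line as printed by `pfctl -vv -sr`; DOTALL lets
# the rule text span lines that were wrapped when pasted into mail.
RULE_BLOCK = re.compile(
    r'@(\d+)\s+(.*?)\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)'
    r'\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]',
    re.DOTALL,
)


def check_macros(conf):
    """Return {'duplicate': [...], 'undefined': [...], 'unused': [...]}."""
    defined, duplicates, referenced = {}, set(), set()
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip().strip('"')
            if name in defined:
                duplicates.add(name)
            defined[name] = value
            referenced.update(MACRO_REF.findall(value))  # a value may use other macros
        else:
            referenced.update(MACRO_REF.findall(line))
    return {
        'duplicate': sorted(duplicates),
        'undefined': sorted(referenced - set(defined)),
        'unused': sorted(set(defined) - referenced),
    }


def never_matched(pfctl_output, only_containing='route-to'):
    """Return [(rule_number, rule_text, evaluations)] for rules containing
    `only_containing` that were evaluated at least once but matched no packet."""
    hits = []
    for m in RULE_BLOCK.finditer(pfctl_output):
        number, text = int(m.group(1)), ' '.join(m.group(2).split())
        evaluations, packets = int(m.group(3)), int(m.group(4))
        if only_containing in text and evaluations > 0 and packets == 0:
            hits.append((number, text, evaluations))
    return hits


# Constructed sample pf.conf fragment with a copy-and-paste slip: the B-side
# macros were named ip_a/gw_a/net_a, so ip_b/gw_b/net_b are never defined.
BROKEN_CONF = """
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24
if_b=em1
ip_a=192.168.1.2        # slip: should be ip_b
gw_a=192.168.1.1        # slip: should be gw_b
net_a=192.168.1.0/24    # slip: should be net_b
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
"""

# The same fragment with the B-side macros named correctly.
FIXED_CONF = """
if_a=em0
ip_a=192.168.0.2
gw_a=192.168.0.1
net_a=192.168.0.0/24
if_b=em1
ip_b=192.168.1.2
gw_b=192.168.1.1
net_b=192.168.1.0/24
pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
"""

# Constructed sample modeled on `pfctl -vv -sr` output: rule @1 carried
# traffic, the two route-to rules were evaluated but never matched.
PFCTL_OUTPUT = """
@1 pass out on em0 inet all flags S/SA keep state
  [ Evaluations: 4120      Packets: 3975      Bytes: 612880     States: 12    ]
@28 pass out log on em0 route-to (em1 192.168.1.1) inet from 192.168.1.2 to ! 192.168.1.0/24 flags S/SA keep state
  [ Evaluations: 88        Packets: 0         Bytes: 0          States: 0     ]
@29 pass out log on em1 route-to (em0 192.168.0.1) inet from 192.168.0.2 to ! 192.168.0.0/24 flags S/SA keep state
  [ Evaluations: 80        Packets: 0         Bytes: 0          States: 0     ]
"""

if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(label, check_macros(conf))
    for number, text, evaluations in never_matched(PFCTL_OUTPUT):
        print(f'@{number} evaluated {evaluations}x, matched 0 packets: {text}')
```

On a real box, feed `check_macros()` the contents of /etc/pf.conf and `never_matched()` the output of `pfctl -vv -sr`; on the broken fragment it reports gw_b, ip_b and net_b as undefined and ip_a, gw_a and net_a as defined twice, and on the counter sample it lists rules 28 and 29 as evaluated but never matched, which is the first thing to know before asking why the packets were not routed.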