Oops, everything is OK with route-to and reply-to in pf, my bad.

Config for my situation must be like this:

scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state

or incoming traffic would create keep-state with pass in and would not go down to route-to rules. Or use per-interface keep states.

On Mon, Dec 7, 2009 at 10:40 PM, Max Laier <m...@love2party.net> wrote:
> On Friday 04 December 2009 09:47:37 Lytochkin Boris wrote:
>> It seems that FreeBSD 8 has ipfw fwd and pf's route-to malfunctioning:
>> 1) ipfw fwd
>> a) net.inet.ip.forwarding = 0
>> Packets altered by fwd rule are silently dropped somewhere
>> between ip_output() checking forward tag and bpf (tcpdump does not
>> show these packets)
>> b) net.inet.ip.forwarding = 1
>> Packets altered by fwd rule are forwarded according to normal
>> routing table (in my case they were forwarded to default gateway), not
>> fwd statement
>>
>> 2) pf route-to
>> Both values of net.inet.ip.forwarding replicate case 1b.
>>
>> Sample configs
>>
>> 1) ipfw
>> add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
>> add 65534 allow ip from any to any
>>
>> 2) pf
>> scrub in all fragment reassemble
>> pass in all flags S/SA keep state
>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
>> to any flags S/SA keep state
>
> I can not reproduce this. My (cursory) test on a r197983 install suggests that
> route-to is working as it should. Your rules are a bit strange and might
> result in asymmetric states that can result in dropped tcp-sessions, but the
> basic route-to is correct. Can you share more details about your setup:
> netstat -rnfinet, pfctl -vvsr (after passing some traffic that was supposed to
> hit the route-to rule) and how exactly your default gateway and the
> alternative router are connected to your pf-box?
>
> Thanks in advance.
>
> --
> Max
>
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
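The point Boris arrives at above (a packet that matches an existing state never reaches the route-to rule, so the routing hint has to be recorded on the state by the rule that creates it) is easy to see in a small model of pf's packet path. The following Python is an added illustration written for this thread, not pf code and not anything posted by either participant. It models only two facts about pf: the state table is consulted before the ruleset, and a packet with no matching rule passes by default without creating state. Interface binding of states, the second out-evaluation of a forwarded packet, and the `flags S/SA` handling are deliberately left out; the external address `203.0.113.9` and the name `DEFAULT_GW` are constructed placeholders.

```python
"""Toy model of pf state lookup versus rule evaluation (added illustration, not pf code).

Kept deliberately small: a packet is first matched against the state table;
only a packet with no state walks the rules (last match wins unless 'quick');
a rule with 'keep state' records its reply-to next-hop on the state it creates.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_GW = "default-gw"   # placeholder: "consult the normal routing table"


def _in(addr: str, net: str) -> bool:
    """True if addr is covered by net ("any" matches everything)."""
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    src: str
    dst: str


@dataclass
class Rule:
    direction: str
    src: str = "any"
    dst: str = "any"
    quick: bool = False
    keep_state: bool = True
    route_to: Optional[str] = None   # next-hop for packets matching this out rule
    reply_to: Optional[str] = None   # next-hop for replies to the state this rule creates

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and _in(pkt.src, self.src) and _in(pkt.dst, self.dst))


@dataclass
class Firewall:
    rules: list
    # (src, dst) of the state-creating packet -> next-hop recorded for the reply direction
    states: dict = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        """Return the next-hop pf would choose for pkt under this model."""
        # 1. State lookup in both directions comes before any rule is read.
        if (pkt.src, pkt.dst) in self.states:
            return DEFAULT_GW                                   # forward direction
        if (pkt.dst, pkt.src) in self.states:
            return self.states[(pkt.dst, pkt.src)] or DEFAULT_GW  # reply direction
        # 2. No state: evaluate rules, last match wins unless a match is quick.
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return DEFAULT_GW          # pf passes by default when nothing matches
        if winner.keep_state:
            self.states[(pkt.src, pkt.dst)] = winner.reply_to
        return winner.route_to or DEFAULT_GW


def original_ruleset() -> Firewall:
    """The ruleset from the first message: state is created by 'pass in all',
    which carries no reply-to, so the quick route-to rule is never consulted
    for replies."""
    return Firewall([
        Rule("in"),
        Rule("out", src="10.60.128.0/24", quick=True, route_to="10.60.128.254"),
    ])


def fixed_ruleset() -> Firewall:
    """The corrected ruleset: reply-to sits on the state-creating 'pass in' rules."""
    return Firewall([
        Rule("in", dst="10.60.128.0/24", quick=True, reply_to="10.60.128.254"),
        Rule("in", dst="10.70.128.0/24", quick=True, reply_to="10.70.128.254"),
        Rule("in", quick=True),
    ])


def reply_next_hop(fw: Firewall, client: str = "203.0.113.9",
                   server: str = "10.60.128.10") -> str:
    """Inbound SYN from client creates the state; return where the reply is routed."""
    fw.handle(Packet("in", client, server))
    return fw.handle(Packet("out", server, client))


if __name__ == "__main__":
    print("original ruleset, reply next-hop:", reply_next_hop(original_ruleset()))
    print("fixed ruleset, reply next-hop:   ", reply_next_hop(fixed_ruleset()))
```

Running it shows the reply under the original ruleset going to the default route (the state created by `pass in all` has no next-hop attached), while under the corrected ruleset it goes to `10.60.128.254`; a connection initiated from the inside still hits the original route-to rule because no state exists yet when that packet is evaluated.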