Hello, I have a FreeBSD 5.3 server with 2 Internet connections:
- ADSL ($UntrustInterface): A.B.C.D, $NextHop1: a.b.c.d
- VDSL ($UntrustInterface2): E.F.G.H, $NextHop2: e.f.g.h

I would like to be able to access the server's services via both connections independently. The ADSL connection is more like a "primary" connection, so its $NextHop1 (a.b.c.d) is also set as the default route. Obviously, when I try to ping E.F.G.H from the Internet, the answer gets routed via a.b.c.d, which is not what I want. So I need pf's route-to. I have this in my pf.conf:

    pass out on $UntrustInterface proto tcp all flags S/SA modulate state
    pass out on $UntrustInterface proto { udp, icmp } all keep state
    pass out on $UntrustInterface2 proto tcp all flags S/SA modulate state
    pass out on $UntrustInterface2 proto { udp, icmp } all
    pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from $UntrustInterface2 to any keep state
    pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from $UntrustInterface to any keep state

I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply packet and sends it out to the default route via $UntrustInterface; but since there is a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2 instead. Is this reasoning correct?

However, this does not work for me. If I ping E.F.G.H and watch the traffic on both interfaces with tcpdump, the packet is sent to $NextHop1 via $UntrustInterface, so it looks like the route-to rule is just ignored. How could I debug this situation properly?

You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf

Thanks for your help.

Best regards,
Nejc Skoberne
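Editor's note, with an added example that is not the poster's pf.conf. The usual pf pattern for "answer on the interface the request came in on" is reply-to on the pass in rules of each WAN interface rather than route-to on pass out rules: pf attaches the reply-to/route-to policy to the state entry created by the rule that first matched, and reply packets that match an existing state are forwarded by that state without being run through the rule set again, so a later pass out route-to rule is never consulted for them. route-to on pass out is the tool for connections the server itself originates from the secondary address. The interface names (xl0, xl1) and the service ports in this example are assumptions; the gateway addresses reuse the placeholders from the post.

```pf
# Added example of the two-WAN pattern with reply-to; not the original pf.conf.
# Interface names and ports are assumed, addresses are the post's placeholders.
ext_if1 = "xl0"          # ADSL, the "primary" link carrying the default route
ext_if2 = "xl1"          # VDSL, the secondary link
gw1     = "a.b.c.d"      # $NextHop1, next hop on the ADSL side
gw2     = "e.f.g.h"      # $NextHop2, next hop on the VDSL side

pass quick on lo0 all
block log all

# Inbound connections: reply-to is recorded in the state created by each of
# these rules, so the replies (including locally generated ICMP echo replies)
# leave via the gateway of the interface the request arrived on, regardless of
# the kernel's default route. pass out rules are not evaluated for these replies.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $ext_if1 port { 22, 80 } flags S/SA keep state
pass in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto icmp from any to $ext_if1 icmp-type echoreq keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $ext_if2 port { 22, 80 } flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto icmp from any to $ext_if2 icmp-type echoreq keep state

# Outbound connections the server originates from its own addresses.
pass out on $ext_if1 from $ext_if1 to any keep state
pass out on $ext_if2 from $ext_if2 to any keep state

# Locally originated traffic sourced from the secondary address would follow
# the default route out $ext_if1; route-to on that interface pushes it back out
# $ext_if2 via $gw2 (and the mirror rule covers the reverse case).
pass out on $ext_if1 route-to ($ext_if2 $gw2) from $ext_if2 to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from $ext_if1 to any keep state
```

To check what is actually happening on a live box: `pfctl -nf /etc/pf.conf` validates the file without loading it, `pfctl -vvsr` prints the loaded rules with their rule numbers and per-rule evaluation/match counters (a route-to rule whose counters never move is not being hit), `pfctl -vvss` lists the state entries together with the rule number that created each one, so you can see whether the echo reply is being handled by the state from a pass in rule, and with `block log all` in place `tcpdump -nei pflog0` shows every packet pf dropped and which rule dropped it.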
_______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"