PF route-to behavior
Alexandre Biancalana
ale at seudns.net
Mon Mar 12 17:01:24 UTC 2007
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Hi List,
>>
>>
>> I'm doing a firewall setup using 6-STABLE + PF with two Internet
>> links, but I can't get the route-to rule to function as I need.
>>
>>
>> (default gw) ______
>> Link A <-----------> |int A |
>> | |
>> Link B <-----------> |int B |
>> |______|
>> FreeBSD FW
>>
>> A simple thing that I need to do is test the two Internet links to
>> know if they are up or not. To do this I could ping or connect to TCP
>> ports on some external IPs through each link. Using nc and hping I
>> tried to do this, generating connections/packets from each network
>> interface connected to each link, but the packets always go out by the
>> interface indicated by the machine's default route.
>>
>> I tried to add these rules in pf to force packets out by the right
>> interface based on their source address, but this does not work, and
>> the packets generated with the IP of int B are going out by int A.
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>>
>> Am I forgetting something ? Any comments ?
>>
>
> Have you tried setting the source IP address to int B when using ping
> or your TCP sessions? This should force PF to do your source routing for
> you.
>
> Hope this helps
>
> Tom
Yes, I tried the following commands:
ping -S <int B address>
nc -s <int B address>
hping -I <int B>
All the commands generate the traffic with the source address of int B, but
the traffic always goes out by int A... this is the problem, even with the
rules:
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
that should "correct" the interface used to send this traffic out... right ?!
I can provide more details if needed, but I think that is a simple
setup... I can't see why this does not work.... any other ideas ??
Regards,
Alexandre
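A complete two-link pf.conf for the setup described in this thread, written in FreeBSD 6-era PF syntax as an added example (not taken from the thread or from the FreeBSD handbook). Interface names and addresses are assumed placeholders; it keeps the two route-to rules from the original post but marks them `quick`, because PF is last-match-wins and any later `pass out` rule without route-to would otherwise override them, and the comments show how to confirm which interface and rule a test packet actually used.

```pf
# Assumed names: int A = em0 (default-route link), int B = em1.
# Gateway addresses are documentation ranges, not real ones.
int_a    = "em0"
int_b    = "em1"
int_a_gw = "192.0.2.1"
int_b_gw = "198.51.100.1"

set skip on lo0
block log all

# Replies to connections that arrived on int B must leave via int B's
# gateway rather than the default route, so bind them with reply-to.
pass in quick on $int_a reply-to ($int_a $int_a_gw) proto tcp \
    from any to ($int_a) port ssh flags S/SA keep state
pass in quick on $int_b reply-to ($int_b $int_b_gw) proto tcp \
    from any to ($int_b) port ssh flags S/SA keep state

# Locally generated packets (ping -S, nc -s, hping -I) are first routed by
# the kernel to the default-route interface, int A.  These rules catch
# them there by source address and hand them to the other link's gateway.
# "quick" stops evaluation here: without it a later matching "pass out"
# would win (last match wins) and the packet would still leave on int A.
pass out log quick on $int_a route-to ($int_b $int_b_gw) \
    from ($int_b) to any keep state
pass out log quick on $int_b route-to ($int_a $int_a_gw) \
    from ($int_a) to any keep state

# Ordinary outbound traffic from each link's own address.
pass out quick on $int_a from ($int_a) to any keep state
pass out quick on $int_b from ($int_b) to any keep state

# Verify after "pfctl -f /etc/pf.conf":
#   tcpdump -ni em1 icmp            (in one terminal)
#   ping -S <int B address> -c 3 <external host>   (in another)
# The echo requests should appear on em1.  "pfctl -vsr" shows per-rule
# packet counters, and "tcpdump -n -e -ttt -i pflog0" shows which rule
# logged each packet, since the route-to rules carry "log".
```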