PF route-to behavior
Tom Judge
tom at tomjudge.com
Mon Mar 12 17:10:58 UTC 2007
Alexandre Biancalana wrote:
> Tom Judge wrote:
>> Alexandre Biancalana wrote:
>>> Hi List,
>>>
>>>
>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>> links but I can't get the route-to rule to work the way I need.
>>>
>>>
>>>                      (default gw)   ______
>>>          Link A <-----------------> |int A |
>>>                                     |      |
>>>          Link B <-----------------> |int B |
>>>                                     |______|
>>>                                    FreeBSD FW
>>>
>>> A simple thing that I need to do is test the two Internet links to
>>> know if they are up or not. To do this I could ping or connect to tcp
>>> ports on some external ips through each link. Using nc and hping I
>>> tried to do this, generating connections/packets from each network
>>> interface connected to each link, but the packets always go out by the
>>> interface indicated by the machine's default route.
>>>
>>> I tried to add these rules in pf to force packets out by the right
>>> interface based on their source address, but this does not work, and
>>> the packets generated with the ip of int B are going out by int A.
>>>
>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>
>>>
>>> Am I forgetting something ? Any comments ?
>>>
>>
>> Have you tried setting the source IP address to int B when using ping
>> or your tcp sessions? This should force PF to do your source routing for
>> you.
>>
>> Hope this helps
>>
>> Tom
>
> Yes, I tried the following commands:
>
> ping -S <int B address>
> nc -s <int B address>
> hping -I <int B>
>
> All the commands generate the traffic with the source address of int B, but
> the traffic always goes out by int A... this is the problem, even with the
> rules:
>
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>
> that should "correct" the interface used to send this traffic out... right ?!
>
> I can provide more details if needed, but I think that it is a simple
> setup... I can't see why this does not work.... any other ideas ??
>
Did you try:
ping -S <ip B addr> -I <if A>
Tom
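For reference, here is a complete pf.conf fragment for the dual-link, source-address-based policy routing discussed in this thread. It is an added example and not the configuration of either poster; interface names (em0/em1), addresses and gateways are assumed placeholders. The point it illustrates is that a locally generated packet sourced from int B's address is first routed by the kernel's table, i.e. out the default interface int A, so the route-to rule that redirects it has to match "out on $int_a", and a matching reply-to rule is needed so that connections arriving on the non-default link are answered on that same link.

```pf
# Added example, not the poster's config: PF policy routing for a FreeBSD
# firewall with two upstream links. All names and addresses are assumed.
int_a    = "em0"
int_b    = "em1"
int_a_ip = "198.51.100.10"   # address on int A; the default route leaves here
int_b_ip = "203.0.113.10"    # address on int B
int_a_gw = "198.51.100.1"
int_b_gw = "203.0.113.1"

set skip on lo0

# Locally generated traffic sourced from int B's address still hits the
# routing table first and tries to leave via the default route (int A).
# Catch it on int A and force it out int B towards B's gateway, and the
# other way round. "quick" stops a later, more general pass rule from
# overriding the route-to decision; "keep state" makes replies flow back
# through the same state.
pass out quick log on $int_a route-to ($int_b $int_b_gw) from $int_b_ip to any keep state
pass out quick log on $int_b route-to ($int_a $int_a_gw) from $int_a_ip to any keep state

# Connections that arrive on the non-default link must be answered on that
# link, otherwise the replies would leak out through int A.
pass in quick on $int_b reply-to ($int_b $int_b_gw) from any to $int_b_ip keep state
pass in quick on $int_a reply-to ($int_a $int_a_gw) from any to $int_a_ip keep state

# Ordinary egress on each link's own interface.
pass out on $int_a from $int_a_ip to any keep state
pass out on $int_b from $int_b_ip to any keep state
```

With this loaded, a link check such as `ping -S 203.0.113.10 -c 3 <external host>` is redirected out em1 even though the default route points at em0. Verify the effect rather than assuming it: `pfctl -vs rules` shows the match counters of the route-to rules climbing, and `tcpdump -ni em1 icmp` shows the probe leaving on the intended interface. If the counters stay at zero, the probe is not reaching the "out on $int_a" rule at all, which usually means an earlier rule without route-to matched first.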