PF route-to behavior
Alexandre Biancalana
ale at seudns.net
Mon Mar 12 17:19:19 UTC 2007
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Hi List,
>>>>
>>>>
>>>> I'm doing a firewall setup using 6-STABLE + PF with two internet
>>>> links but I can't make the route-to rule function as I need.
>>>>
>>>>
>>>>  (default gw)          ______
>>>> Link A <-----------> |int A |
>>>>                      |      |
>>>> Link B <-----------> |int B |
>>>>                      |______|
>>>>                      FreeBSD FW
>>>>
>>>> A simple thing that I need to do is test the two Internet links to
>>>> know if they are up or not. To do this I could ping or connect to tcp
>>>> ports on some external ips through each link; using nc and hping I
>>>> tried to do this, generating connections/packets from each network
>>>> interface connected to each link, but the packets always go out by
>>>> the interface indicated by the machine's default route.
>>>>
>>>> I tried to add these rules in pf to force packets out by the right
>>>> interface based on their source address, but this does not work, and
>>>> the packets generated with the ip of int B are going out by int A.
>>>>
>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>>>
>>>>
>>>> Am I forgetting something? Any comments?
>>>>
>>>
>>> Have you tried setting the source IP address to int B when using
>>> ping or your tcp sessions? This should force PF to do your source
>>> routing for you.
>>>
>>> Hope this helps
>>>
>>> Tom
>>
>> Yes, I tried the following commands:
>>
>> ping -S <int B address>
>> nc -s <int B address>
>> hping -I <int B>
>>
>> All the commands generate the traffic with the source address of int B,
>> but the traffic always goes out by int A... this is the problem, even
>> with the rules:
>>
>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>>
>> that should "correct" the interface used to send this traffic out...
>> right?!
>>
>> I can provide more details if needed, but I think that this is a simple
>> setup... I can't see why this does not work.... any other ideas??
>>
>
>
> Did you try:
>
> ping -S <ip B addr> -I <if A>
# ping -S <ip B addr> -I <if A>
ping: invalid multicast interface: `<if A>'
but it should be ping -S <ip B addr> -I <if B>, for the traffic to go out
by int B with int B's source address, right? I tried that too and the same
error happens.
From the ping man page:
[...]
     -I iface
             Source multicast packets with the given interface address.  This
             flag only applies if the ping destination is a multicast
             address.
[...]
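As an added example (not from anyone in this thread): the route-to pair discussed above assembled into a pf.conf fragment, with "quick" so that no later pass out rule overrides it, and the checks to see whether the route-to rules are actually the ones matching. Interface names and gateway addresses are placeholders; the rest of the ruleset (inbound rules, state handling) is left out.

```pf
# Added example, not the original poster's configuration. Interface names
# and gateway addresses below are placeholders; replace them with real ones.
int_a    = "em0"            # link A, the interface of the default route
int_b    = "em1"            # link B
int_a_gw = "192.0.2.1"      # placeholder: gateway on link A
int_b_gw = "198.51.100.1"   # placeholder: gateway on link B

# PF evaluates rules top to bottom and the LAST matching rule wins unless a
# rule carries "quick". A plain "pass out" rule placed later in the file
# therefore matches after these and silently discards the route-to decision.
# "quick" makes the route-to rules final as soon as they match.
#
# Locally generated packets first leave through the routing table, i.e. via
# $int_a for both source addresses. The "on $int_a" rule catches the packets
# that carry link B's address and hands them to link B's gateway instead;
# the mirror rule covers the case where the default route moves to link B.
pass out log quick on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log quick on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any

# Ordinary outbound rules come after the route-to pair.
pass out on $int_a from $int_a to any
pass out on $int_b from $int_b to any

# Checks (run from a shell, not part of this file):
#   pfctl -nf /etc/pf.conf   parses the file without loading it
#   pfctl -vsr               lists the loaded rules with Evaluations/Packets
#                            counters per rule; a route-to rule showing zero
#                            Packets while the plain rule counts the test
#                            traffic means the route-to rule is not matching
#   pfctl -sr                confirms the order the rules were loaded in
```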