PF route-to behavior
Tom Judge
tom at tomjudge.com
Mon Mar 12 19:08:20 UTC 2007
Tom Judge wrote:
> Alexandre Biancalana wrote:
>> Tom Judge wrote:
>>> Alexandre Biancalana wrote:
>>>> Tom Judge wrote:
>>>>> Alexandre Biancalana wrote:
>>>>>> Tom Judge wrote:
>>>>>>> Alexandre Biancalana wrote:
>>>>>>>> Hi List,
>>>>>>>>
>>>>>>>>
>>>>>>>> I'm doing a firewall setup using 6-STABLE + PF with two Internet
>>>>>>>> links, but I can't make the route-to rule function as I need.
>>>>>>>>
>>>>>>>>
>>>>>>>>     (default gw)      ______
>>>>>>>> Link A <-----------> |int A |
>>>>>>>>                      |      |
>>>>>>>> Link B <-----------> |int B |
>>>>>>>>                      |______|
>>>>>>>>                      FreeBSD FW
>>>>>>>>
>>>>>>>> A simple thing that I need to do is test the two Internet links
>>>>>>>> to know if they are up or not. To do this I could ping or
>>>>>>>> connect to TCP ports on some external IPs through each link. Using
>>>>>>>> nc and hping I tried to do this, generating connections/packets from
>>>>>>>> each network interface connected to each link, but the packets
>>>>>>>> always go out by the interface indicated by the machine's default route.
>>>>>>>>
>>>>>>>> I tried to add these rules in pf to force packets out by the
>>>>>>>> right interface based on their source address, but this does not
>>>>>>>> work, and the packets generated with the IP of int B are going out
>>>>>>>> by int A.
>>>>>>>>
>>>>>>>> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b
>>>>>>>> to any
>>>>>>>> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a
>>>>>>>> to any
>>>>>>>>
>>>
>>>
>>>
>>> My mistake, I only looked at the header of the ping man page.
>>>
>>> These are the rules that I would use in that situation:
>>>
>>> if_a=em0
>>> ip_a=192.168.0.2
>>> gw_a=192.168.0.1
>>> net_a=192.168.0.0/24
>>> if_b=em1
>>> ip_b=192.168.1.2
>>> gw_b=192.168.1.1
>>> net_b=192.168.1.0/24
>>>
>>>
>>> pass out log on $if_a route-to ( $if_b $gw_b ) from $ip_a to ! $net_b
>>> pass out log on $if_b route-to ( $if_a $gw_a ) from $ip_b to ! $net_a
>>
>>
>> The difference is that my rules are for internet traffic, I don't have
>> fixed destinations....
>>
>>
>
> Ok so substitute the private IP addresses and networks in the rules (
> and the interfaces) and you should be sorted. We use exactly the same
> configuration but with both public IP Addresses on one interface. Then
> if you connect from $ip_b to a public IP address not in $net_b you
> should see it routed via if_b to $gw_b. The only time I have seen these
> rules fail is when the IPSec code in the kernel transmits ESP packets
> which seem to pass through pf with some weird interfaces set or don't
> pass through pf at all. All other traffic generated on ip_a or ip_b
> will always pass to the correct ISP's router.
>
> The fact that the example rules I posted used private IP addresses is
> neither here nor there, if you make the appropriate changes to:
>
> ip_[ab]
> gw_[ab]
> net_[ab]
> if_[ab]
>
> Then the example rules should do what you want.
>
I just had an idea of one way to possibly test this: add a static
destination route to an external host, e.g. www.google.com, via gw_b,
then ping said host with the source address of ip_a. This should cause
the packet from ip_a to pass out if_b. The rules I posted above will
catch the packet and then change the route to gw_a and transmit the
packet via if_a.
This is totally untested and may not work, but it should do.
Tom
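As an added example that is not part of the thread, a small FreeBSD sh script that does the link test the original poster asked for: it probes an external host with echo requests sourced from each link's own address, relying on the route-to rules above to push each probe out the matching interface. The probe host, the PING override used for testing, and the per-link addresses (copied from the thread's example macros) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): probe each ISP link by sending echo
# requests sourced from that link's own address. With the thread's route-to
# rules loaded, a probe sourced from ip_a leaves via if_a/gw_a and one sourced
# from ip_b via if_b/gw_b, whatever the default route says.

PING=${PING:-ping}                       # FreeBSD ping; overridable for tests
PROBE_HOST=${PROBE_HOST:-www.google.com} # external host to probe (assumption)

# Per-link source addresses from the thread's example; replace with real ones.
ip_a=192.168.0.2
ip_b=192.168.1.2

# link_up SRC_IP DEST: send three echo requests with source address SRC_IP.
# Exit status 0 if at least one reply arrived, non-zero otherwise.
link_up() {
    # -S sets the source address, -c 3 probes, -t 5 gives up after 5 seconds
    "$PING" -S "$1" -c 3 -t 5 "$2" >/dev/null 2>&1
}

# check_link NAME SRC_IP DEST: prints "NAME up" or "NAME down".
check_link() {
    if link_up "$2" "$3"; then
        echo "$1 up"
    else
        echo "$1 down"
    fi
}

# Run both probes only when invoked with --run, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    check_link A "$ip_a" "$PROBE_HOST"
    check_link B "$ip_b" "$PROBE_HOST"
fi
```

Run it as `sh linkcheck.sh --run`; to confirm that route-to really redirected a probe, watch the expected egress interface with `tcpdump -ni $if_b icmp` while the ip_b probe runs.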