Forcing a route using pf
James Morris
jamesmorris8 at outlook.com
Fri Nov 11 08:41:14 UTC 2016
Hey,
I ended up going with the following:
nat on ! igb0 to 10.10.10.100 port 80 -> igb0
pass out on ! igb0 route-to ( igb0 10.0.0.1 ) from 10.0.0.10 to 10.10.10.100
This should scale to more interfaces and restrict the routing by port too.
Thanks,
James
From: owner-freebsd-pf at freebsd.org <owner-freebsd-pf at freebsd.org> on behalf of Max <maximos at als.nnov.ru>
Sent: 31 October 2016 07:30:17
To: freebsd-pf at freebsd.org
Subject: Re: Forcing a route using pf
Interface igb0:
nat on igb1 to 10.10.10.100 -> igb0
pass out on igb1 route-to ( igb0 10.0.0.1 ) from igb0 to 10.10.10.100
Why don't you use igb1 interface?
nat on igb1 to 10.10.10.100 -> igb0
And on Server B:
route add -host 10.0.0.10 10.10.10.10
29.10.2016 13:14, James Morris wrote:
> Hi,
>
> I added the pf rule:
>
> pass out on igb1 route-to ( igb0 10.0.0.1 ) from any to 10.10.10.100
>
> But now when I try to reach 10.10.10.100, traffic goes out igb0 as expected, but it has the source IP of igb1.
>
> # ping 10.10.10.100
>
> # tshark -i igb0
> Capturing on 'igb0'
> 1 0.000000 10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request id=0xb403, seq=0/0, ttl=64
> 2 0.001509 RealtekU_12:35:02 -> Broadcast ARP 60 Who has 10.10.10.10? Tell 10.0.0.1
> 3 1.020896 10.10.10.10 -> 10.10.10.100 ICMP 98 Echo (ping) request id=0xb403, seq=1/256, ttl=64
> 4 1.022268 RealtekU_12:35:02 -> Broadcast ARP 60 Who has 10.10.10.10? Tell 10.0.0.1
>
>
> Traffic is flowing out the correct interface, but has the wrong source IP address.
>
> What am I doing wrong here?
>
> Thanks,
>
> James
>
>
>
> From: Patrick Lamaiziere <patrick at davenulle.org>
> Sent: 28 October 2016 11:21
> To: James Morris
> Cc: freebsd-pf at freebsd.org
> Subject: Re: Forcing a route using pf
>
> On Thu, 27 Oct 2016 19:23:38 +0000,
> James Morris <jamesmorris8 at outlook.com> wrote:
>
> Hi,
>
> Hello,
>
>> While this does solve the issue of pushing traffic through igb0,
>> however any incoming connections to igb1 from server B also get shunted
>> out igb0.
>>
>> I was wondering if there is a way to do this in pf.
> see PF route-to option.
>
> Regards,
>
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
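The thread's rules consolidated into one annotated pf.conf fragment, as an added example that is not any poster's own configuration. Interface names and addresses are the ones quoted in the thread; the macro names and the explanatory comments are assumptions added here.

```conf
# Added illustration, not from the thread's authors.
# Topology as quoted in the thread:
#   igb0 = 10.0.0.10, next hop 10.0.0.1
#   igb1 = 10.10.10.10, on-link to 10.10.10.100 (Server B)

# Macro names below are hypothetical, chosen for this example.
fwd_if   = "igb0"
fwd_gw   = "10.0.0.1"
fwd_ip   = "10.0.0.10"
server_b = "10.10.10.100"

# --- Before: route-to on its own -------------------------------------
# The routing table has already selected igb1, and with it the source
# address 10.10.10.10, by the time pf evaluates this rule. route-to only
# changes the egress interface and next hop; it never rewrites addresses.
# Result: the packet leaves igb0 still carrying 10.10.10.10 as source,
# which is what the tshark capture in the thread shows.
#
# pass out on igb1 route-to ($fwd_if $fwd_gw) from any to $server_b

# --- After: translate first, then reroute ----------------------------
# Translation rules must appear before filter rules in pf.conf.
# On any interface except igb0, rewrite the source of port-80 traffic
# to Server B so that it carries igb0's address.
nat on ! $fwd_if to $server_b port 80 -> $fwd_if

# Filter rules are evaluated against the translated packet, so matching
# "from $fwd_ip" selects exactly the connections the nat rule rewrote.
# Those connections are pushed out igb0 via 10.0.0.1.
pass out on ! $fwd_if route-to ($fwd_if $fwd_gw) from $fwd_ip to $server_b

# Consequence of the port restriction: traffic to Server B that the nat
# rule does not translate (ICMP, other ports) does not match the pass
# rule by default and keeps following the routing table out igb1 with
# source 10.10.10.10.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it; after loading, `pfctl -s nat` and `pfctl -s rules` show the expanded translation and filter rules so the match order can be checked.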