PF - reply-to
Ludovit Koren
ludovit.koren at gmail.com
Mon Mar 8 11:36:13 UTC 2021
>>>>> Ultima <ultima1252 at gmail.com> writes:
> Hey Ludovit,
> More details would be helpful. There can be a few reasons why it is not working that I can see.
> 1. Do you have an rdr rule to redirect to $web_addr for the pass rule?
Yes, I have an rdr rule, but there are rules without rdr and it seems
they are not working either.
> 2. Rules out of order
I do not understand. I have definitions, nat, rdr, and rules.
> 3. Conflicting rules.
I did not find any.
> The best way to debug this would be logging the rules and watching where the traffic is going via tcpdump.
I did exactly what you suggest. The block rule logged a reset packet from
the source of the web traffic. As soon as I changed the default router,
everything started to work with the same unchanged pf.conf.
Regards,
lk
> Best regards,
> Richard Gallamore
> On Sun, Mar 7, 2021 at 10:58 AM Ludovit Koren <ludovit.koren at gmail.com> wrote:
> Hi all,
> we have 2 Internet connections coming on the same interface. One is
> primarily used for incoming connections and services that we provide to
> Internet (web, mail). The other connection is primarily used for
> browsing (cache/proxy) and DNS. There are 2 different routers.
> I am using FreeBSD 12.2-STABLE r369178 and PF. The question is which
> router should I set as default router. I suppose I can use reply-to
> and/or route-to, respectively. If I use (default router $router2):
> pass in on $ext_if reply-to (bge0 $router1) inet proto tcp from any to $web_addr port 443 keep state
> it is not working. The following setup is working (default router $router1):
> pass out on $ext_if route-to (bge0 $router2) inet proto tcp from any to any keep state
> Is it a bug, or do I not understand the manual page correctly?
> Thank you very much.
> Regards,
> lk
--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
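The setup discussed in the thread (two upstream routers on one external interface, default route via the browsing router, inbound services answered via the other router), written out as a complete pf.conf fragment. This is an added example, not the poster's pf.conf; the macro names, addresses, interface and the internal web server are assumptions for illustration.

```pf
# Added example, not the original poster's configuration. All names and
# addresses are assumed for illustration.
ext_if   = "bge0"
router1  = "192.0.2.1"      # upstream 1: inbound services (web, mail)
router2  = "198.51.100.1"   # upstream 2: system default route, browsing/DNS
web_pub  = "192.0.2.10"     # public address of the web service on $ext_if
web_addr = "10.0.0.80"      # internal web server behind the rdr

set skip on lo0

# On FreeBSD 12 pf, rdr is applied before the filter rules, so the pass rule
# below must match the translated destination ($web_addr), not $web_pub.
rdr on $ext_if inet proto tcp from any to $web_pub port 443 -> $web_addr port 443

# Log the default block so tcpdump on pflog0 shows exactly what is dropped.
block log all

# Inbound HTTPS arrives via $router1, but the default route points at
# $router2, so without reply-to the SYN-ACK would leave through $router2
# while carrying an address from $router1's network. reply-to pins replies
# of this state to $router1. It only affects packets matching a state created
# by THIS rule: an earlier "pass in quick" that also matches would create the
# state without reply-to, and rule order (last match wins unless "quick")
# decides which rule creates the state.
pass in log on $ext_if reply-to ($ext_if $router1) inet proto tcp \
    from any to $web_addr port 443 keep state

# Outbound browsing/DNS simply follows the default route ($router2), so no
# route-to is needed here. If the default route were $router1 instead, the
# outbound side would need:
#   pass out on $ext_if route-to ($ext_if $router2) inet proto { tcp udp } from ($ext_if) to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm rule order with `pfctl -sr`, and watch the logged packets with `tcpdump -n -e -ttt -i pflog0`; the `-e` output names the rule that logged each packet, which is the quickest way to see whether the reply-to rule or a different one created the state.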