Re: PF and two interfaces
On Thu, Nov 04, 2004 at 10:47:06PM -0600, Matt Sellers wrote:
> ## PF.CONF
> # Trial Test - Route all 80 over SBC, rest to RCN
> int_if = "bge0"
> lan_net = "10.0.0.0/24"
> ext_if_sbc = "fxp0"
> ext_if_rcn = "re0"
> ext_gw_sbc = "126.96.36.199"
> nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc)
> nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn)
This second nat line isn't ever going to be evaluated for any packet seen, as nat rules are first-match:

    For each packet processed by the translator, the translation rules are
    evaluated in sequential order, from first to last. The first matching
    rule decides what action is taken.
> pass in on $int_if tag INT_NET keep state
> pass in on $int_if proto tcp to port 80 tag INT_NET_HTTP keep state
> pass in quick on $int_if tagged INT_NET_HTTP route-to $ext_if_sbc,
> $ext_gw_sbc from $lan_net to any keep$
When I use tags, I try to keep the rule where I actually tag the packet
as precise as it needs to be, but then later, the rule where I act upon
those tags pretty vague.
pass on $i inet6 from $ipv6_ip to !<firewall> keep state tag "ipv6ext" label "outbound"
pass on $e any tagged "ipv6ext" keep state
That's roughly what I do for queueing my traffic. Think of it as trying
to tag a packet if it matches a specific condition; but then later on,
any packet tagged X gets acted on without any additional conditions.
(It looks like in your "pass quick tagged" rule, you also need it to
match "$lan_net to any", which is just adding complexity, it seems, in
this context.)
It's been a while since I used route-to, but maybe try something like:
pass in on $i inet proto tcp from $lan_net to any port 80 keep state tag INT_NET_HTTP
pass in on $i route-to $ext_if_sbc, $ext_gw_sbc all tagged INT_NET_HTTP keep state
[ openbsd 3.6 GENERIC ( oct 12 ) // i386 ]
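The two evaluation orders the reply leans on (translation rules are first-match; filter rules are last-match unless a matching rule is "quick"; tags are sticky and survive later matching rules) are easy to get wrong when a broad pass rule sits after a route-to rule. The following is an added toy model, not code from the thread and not PF itself: it re-implements just those three ordering rules in Python so the tag-then-act pattern can be stepped through. Interface names, the LAN network and the SBC gateway are the ones quoted from Matt's pf.conf; the packets, the extra catch-all filter rule and the shadowed nat rule are constructed for illustration; state tracking, reply direction and everything else PF does are ignored.

```python
"""Toy model of PF rule ordering (added example, not PF): nat first-match,
filter last-match with 'quick' short-circuit, sticky tags, route-to."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str                               # interface the packet was seen on
    proto: str
    src: str
    dst: str
    dport: int = 0
    tag: Optional[str] = None                # PF carries one tag at a time
    route: Optional[Tuple[str, str]] = None  # (iface, gateway) set by route-to


@dataclass
class NatRule:
    on: str          # interface the nat rule is bound to
    src_net: str
    to: str          # translation address, e.g. "(fxp0)"


@dataclass
class FilterRule:
    on: str
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dport: Optional[int] = None
    tag: Optional[str] = None                   # tag applied on match
    tagged: Optional[str] = None                # tag required to match
    route_to: Optional[Tuple[str, str]] = None
    quick: bool = False


def in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def nat_lookup(rules: List[NatRule], iface: str, src: str) -> Optional[str]:
    """Translation rules: the FIRST matching rule decides."""
    for r in rules:
        if r.on == iface and in_net(src, r.src_net):
            return r.to
    return None


def filter_lookup(rules: List[FilterRule], pkt: Packet) -> Optional[FilterRule]:
    """Filter rules: the LAST matching rule decides, unless a matching rule
    is 'quick'.  Every matching rule with 'tag' retags the packet, whether
    or not it ends up being the deciding rule (tags are sticky)."""
    last = None
    for r in rules:
        if r.on != pkt.iface:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if not in_net(pkt.src, r.src_net):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.tagged is not None and pkt.tag != r.tagged:
            continue
        if r.tag is not None:
            pkt.tag = r.tag
        last = r
        if r.quick:
            break
    if last is not None:
        pkt.route = last.route_to
    return last


def forward(nat: List[NatRule], filters: List[FilterRule], pkt: Packet, default_out: str):
    """Filter inbound on the LAN side (where route-to is decided), then look
    up nat on whichever interface the packet leaves.  Returns
    (outgoing interface, translation address, final tag)."""
    filter_lookup(filters, pkt)
    out_if = pkt.route[0] if pkt.route else default_out
    return out_if, nat_lookup(nat, out_if, pkt.src), pkt.tag


# Constructed rulesets using the names from the thread.
NAT = [
    NatRule(on="fxp0", src_net="10.0.0.0/24", to="(fxp0)"),
    NatRule(on="re0", src_net="10.0.0.0/24", to="(re0)"),
    # Constructed: same interface and network as the first rule, so first-match
    # means this rule is never reached.
    NatRule(on="fxp0", src_net="10.0.0.0/24", to="SHADOWED"),
]


def filters(quick: bool) -> List[FilterRule]:
    return [
        # tag precisely ...
        FilterRule(on="bge0", proto="tcp", src_net="10.0.0.0/24", dport=80, tag="INT_NET_HTTP"),
        # ... act on the tag vaguely
        FilterRule(on="bge0", tagged="INT_NET_HTTP", route_to=("fxp0", "126.96.36.199"), quick=quick),
        # Constructed catch-all after the route-to rule (a typical trailing
        # "pass in on $int_if keep state"); with last-match it wins unless
        # the route-to rule is quick.
        FilterRule(on="bge0"),
    ]


def lan_http(quick: bool):
    pkt = Packet(iface="bge0", proto="tcp", src="10.0.0.5", dst="203.0.113.10", dport=80)
    return forward(NAT, filters(quick), pkt, default_out="re0")


def lan_ssh():
    pkt = Packet(iface="bge0", proto="tcp", src="10.0.0.5", dst="203.0.113.10", dport=22)
    return forward(NAT, filters(True), pkt, default_out="re0")
```

Running it shows the point of "quick" on the acting rule: with quick, port 80 traffic leaves fxp0 and is translated by the fxp0 nat rule; without it, the trailing catch-all becomes the last match, the route-to is lost and the packet goes out re0 even though the INT_NET_HTTP tag is still on it. Traffic to port 22 never picks up the tag, so the tagged rule does not match and it takes the default path.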