[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trouble with route-to:

     I've been messing around with a similar setup with dsl & cable
going into one PF firewall.  One thing I noticed that might be giving
you problems is your nat rules: 
>nat on rl0 from $internal_net to !$internal_net -> (rl0)
>nat on rl1 from $internal_net to !$internal_net -> (rl1)
 The way it's written it seems like it would try to nat everything to
both connections.  I remember reading that the first matching nat rule
wins, so you don't need to make it too fancy.  Here is how I did my
dslhosts="{  }"
nat on $ext_if_dsl from $dslhosts to any -> ($ext_if_dsl)
nat on $ext_if_cable from $mynet to any -> ($ext_if_cable)
Another thing is you need a rule on the external interface to let let
the re-routed packets out.  I might be wrong about this but If I
remember right once you do the "route-to" it changes the source
address of the packet.  So instead of the packet being from it will be from the ip of your externel interface.  So
it won't work if you try to do something like.
pass out on $rl1 from to !$internel_net keep state 
The way I got around that is to tag the packets as they come in the
internel interface.  That way I can make sure I don't get the
asymetric routing.  Here is how I did it(I added the spaces to make it
easier to read):
#route & tag
pass in quick on $int_if route-to ($ext_if_dsl $gateway_dsl) \
from  $dslhosts to any tag DSLBOUND keep state 
pass in  on $int_if route-to ($ext_if_cable $gateway_cable) \
all tag CABLEBOUND keep state 
#Pass out the routed packets on External Interfaces
pass out quick on $ext_if_dsl proto tcp from any to any \
tagged DSLBOUND flags S/SA modulate state 
pass out on $ext_if_cable proto tcp from any to any \
!tagged DSLBOUND flags S/SA modulate state \
pass out quick on $ext_if_dsl proto { udp, icmp } \
from any to any tagged DSLBOUND keep state 
pass out on $ext_if_cable proto { udp, icmp } from any to any \
!tagged DSLBOUND keep state 
Hope that helps.
>Hey all,  having a bit of a problem with routing one specific ip address out
>a different interface in a 2 external interface setup:
>Em0=internal interface
>Rl0=external interface #1
>Rl1=external interface #2
>Gw1=external gateway #2
>$internal_net =
>scrub in on $ext_if all
>scrub out on $ext_if all
>scrub in on rl1 all
>scrub out on rl1 all
>pass in on em0 route-to (rl1 gw1) from to !$internal_net keep
>Once I add the above line to pf.conf and flush the ruleset the computer can
>no longer access the outside world.  So I assume I need some sort of
>matching rule on rl1,  but can't figure out what it is.  
>If I manually change the routing table to pass a specific destination ip
>address out through gw1 it works without a flaw, however this machine needs
>to access more then a few subnets through interface #2, so route-to is
>Let me know if anyone has any ideas,