[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Headache with dual WAN and "source route verification"

On Apr 8, 2005 3:49 PM, [email protected] wrote:
> I am running pf in an environment with two WAN connections,
I noticed you don't mention the specific version of OpenBSD?
> and pf is configured to load-balance outgoing traffic.
> This worked nicely for quite a while, then one ISP turned on
> "source route verification" on their DSL circuits. This causes
> any packets coming into their equipment to get dropped if the
> source address is not within the block that they have assigned.
This sort of anti-spoofing by ISPs is generally a very good thing
for the Internet as a whole.  That said,  I'm in the same boat --
two ISP uplinks, one with an assigned subnet, and the other
doing anti-spoofing filtering on packets injected by customers.
> When state is established by an incoming connection,
> none of my rules to redirect WAN traffic are effective and
> some connections cannot be established.
> What are my options to ensure that _only_ traffic with a
> source address belonging to ext_if2 goes out ext_if2 ?
The trick is to change all of your lines that are currently of the
form :
     pass in on $ext_if1 inet proto . . . keep state
     pass in on $ext_if2 inet proto . . . keep state
By including an option specifying the 'reply-to' interface:
     pass in on $ext_if1 reply-to $ext_if1 inet proto . . . keep state
     pass in on $ext_if2 reply-to $ext_if2 inet proto . . . keep state
This instructs pf to ignore the system routing table, and instead
set the next hop for replies associated with a particular state
entry to go out via the interface specified in the 'reply-to' option.
Kevin Kadow