PF route-to behavior

Alexandre Biancalana ale at seudns.net
Mon Mar 12 15:00:09 UTC 2007


Hi List,


I'm doing a firewall setup using 6-STABLE + PF with two internet links,
but I can't get the route-to rule to work as I need.


          (default gw)    _______
  Link A <-----------> |int A  |
                       |       |
  Link B <-----------> |int B  |
                       |_______|
                       FreeBSD FW

A simple thing that I need to do is test the two Internet links to know
if they are up or not. To do this I could ping or connect to tcp ports on
some external ips through each link. Using nc and hping I tried to do this,
generating connections/packets from each network interface connected to
each link, but the packets always go out by the interface indicated by the
machine's default route.

I tried to add these rules in pf to force packets out by the right
interface based on their source address, but this does not work, and the
packets generated with the ip of int B are going out by int A.

pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any


Am I forgetting something? Any comments?


Regards,

Alexandre
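A link-check script along the lines of what the post is trying to do, added here as an example and not part of the original message or of PF: each probe is bound to the address of the interface on that link (FreeBSD ping's -S), which only leaves through that link if the route-to rules in the post steer it there; the addresses, probe target and probe counts are placeholders, not values from the post.

```shell
#!/bin/sh
# Two-uplink link monitor for the FreeBSD PF firewall described above.
# Assumptions (not from the post): the addresses below are placeholders,
# ping(8) is FreeBSD's and accepts -S to set the source address, and the
# pf route-to rules are what carry a packet sourced from int B out of
# int B rather than out of the default-route interface.

INT_A_ADDR="192.0.2.10"      # placeholder: address on int A
INT_B_ADDR="198.51.100.10"   # placeholder: address on int B
PROBE_TARGET="203.0.113.1"   # placeholder: external host to probe
PROBE_COUNT=3                # echo requests per probe
PROBE_TIMEOUT=5              # seconds before ping gives up (FreeBSD -t)

# run_probe SRC TARGET: send PROBE_COUNT echo requests bound to SRC.
# Returns 0 when at least one reply came back. Kept as its own function
# so the probe mechanism (ping, nc, hping) can be swapped without
# touching the decision logic.
run_probe() {
    ping -c "$PROBE_COUNT" -t "$PROBE_TIMEOUT" -S "$1" "$2" >/dev/null 2>&1
}

# check_link NAME SRC TARGET: print "NAME up" or "NAME down";
# returns 0 when the link answered, 1 otherwise.
check_link() {
    name=$1; src=$2; target=$3
    if run_probe "$src" "$target"; then
        echo "$name up"
        return 0
    fi
    echo "$name down"
    return 1
}

# check_all: probe both links; the exit status is the number of links
# that are down (0 = both up, 2 = both down).
check_all() {
    down=0
    check_link "linkA" "$INT_A_ADDR" "$PROBE_TARGET" || down=$((down + 1))
    check_link "linkB" "$INT_B_ADDR" "$PROBE_TARGET" || down=$((down + 1))
    return $down
}

# Only probe when invoked as "sh linkcheck.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    check_all
fi
```

Confirm with tcpdump on each interface that the probes really leave by the interface matching their source address; a probe that "succeeds" by leaving through int A with int B's address proves nothing about link B.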

