PF route-to behavior

Tom Judge tom at tomjudge.com
Mon Mar 12 16:47:34 UTC 2007


Alexandre Biancalana wrote:
> Hi List,
> 
> 
> I'm doing a firewall setup using 6-STABLE + PF with two internet links,
> but I can't get the route-to rule to function as I need.
> 
> 
>          (default gw)    ______
>  Link A <-----------> |int A  |
>                       |       |
>  Link B <-----------> |int B  |
>                       |_______|
>                      FreeBSD FW
> 
> A simple thing that I need to do is test the two Internet links to know
> if they are up or not. To do this I could ping or connect to TCP ports on
> some external IPs through each link. Using nc and hping I tried to do this
> by generating connections/packets from each network interface connected to
> each link, but the packets always go out by the interface indicated by the
> machine's default route.
> 
> I tried to add these rules in pf to force packets out by the right
> interface based on their source address, but this does not work, and the
> packets generated with the IP of int B are going out by int A.
> 
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
> 
> 
> Am I forgetting something? Any comments?
> 

Have you tried setting the source IP address to int B when using ping or
your TCP sessions? This should force PF to do your source routing for you.

Hope this helps

Tom
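As an added example (not code from this thread), a small FreeBSD link-check script that follows Tom's suggestion: each probe binds its source address to that link's interface address with ping's -S option, so the "route-to ... from $int_x" rules quoted above see a packet whose source matches. The interface addresses and the probe target are placeholders, and the ping output used for the offline self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Probe each uplink with the
# source address bound to that link's interface, so pf's route-to rules
# (matching on source address) steer the probe out the right interface.
INT_A_IP="${INT_A_IP:-192.0.2.10}"     # placeholder: address on int A
INT_B_IP="${INT_B_IP:-198.51.100.10}"  # placeholder: address on int B
TARGET="${TARGET:-192.0.2.1}"          # placeholder: external host to probe

# Extract the loss percentage from FreeBSD ping's summary line, e.g.
# "3 packets transmitted, 3 packets received, 0.0% packet loss".
parse_ping_loss() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p'
}

# Map a loss percentage to a link state: UP, DOWN, or ERROR (no summary,
# e.g. ping refused to bind the source address or the host is unknown).
classify_loss() {
    case "$1" in
        "")        echo ERROR ;;
        100|100.0) echo DOWN ;;
        *)         echo UP ;;
    esac
}

# Probe one link: -S binds the source address (Tom's suggestion), -c 3 sends
# three echo requests, -t 5 caps the whole run at five seconds.
check_link() {
    src="$1"; name="$2"
    out=$(ping -c 3 -t 5 -S "$src" "$TARGET" 2>&1)
    loss=$(parse_ping_loss "$out")
    state=$(classify_loss "$loss")
    echo "$name ($src): $state${loss:+, ${loss}% loss}"
    [ "$state" = UP ]
}

# Constructed sample output, used only for an offline self-check.
SAMPLE_UP="PING 192.0.2.1 (192.0.2.1) from 192.0.2.10: 56 data bytes
3 packets transmitted, 3 packets received, 0.0% packet loss"
SAMPLE_DOWN="3 packets transmitted, 0 packets received, 100.0% packet loss"

# Run the live probes only when invoked as: sh linkcheck.sh run
case "${1:-}" in
    run) check_link "$INT_A_IP" "Link A"; check_link "$INT_B_IP" "Link B" ;;
esac
```

Run it from cron on the firewall and alert on any DOWN or ERROR line; an ERROR usually means the source address is not configured on the interface, so the probe never left the box at all.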

