route-to not working

Stefan Lambrev stefan.lambrev at moneybookers.com
Thu Mar 20 06:43:58 PDT 2008



Vlad GALU wrote:
> On 3/20/08, Stefan Lambrev <stefan.lambrev at moneybookers.com> wrote:
>   
>> Greetings,
>>
>>
>>
>>  Wesley wrote:
>>  >  Dear people,
>>  >
>>  > I have 2 links on a box, and I don't want to load balance them, but only
>>  > to reply to requests on the same interface they come in on.
>>  >
>>  > I tried to use route-to, but it doesn't seem to work.
>>  >
>>  > Could you please give me some help?
>>  >
>>
>> I do not see where you use "reply-to" in your configuration.
>>
>>  But here is a working example which you can improve, of course.
>>
>>  #dual home
>>  # inbound: reply-to binds the state to the interface/gateway the request arrived on
>>  pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
>>  # outbound, locally generated traffic sourced from the "other" link's address
>>  pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>>  pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
>>  pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
>>
>>  #dual home ssh only
>>  pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>>  pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
>>  pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
>>  pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
>
> Don't mind me asking, but isn't your example working due to your
> route-to rules? I, as well as Wesley, assumed that reply-to should've
> been enough to reach the goal.
>
It's working because of the reply-to rules - incoming packets do not match
the "pass out route-to" rules.
The "pass out" rules are needed if the packet(s) are generated locally
and do not match the "pass in" rules.

You forget that the first rule to match wins, and keep state (which is on
by default in 7.0) will make replies match the state, not the pass out rules.
>
>>  > It's my configuration:
>>  >
>>  > set skip on lo0
>>  > scrub on xl0 reassemble tcp no-df random-id
>>  > scrub on xl1 reassemble tcp no-df random-id
>>  > scrub on dc0 reassemble tcp no-df random-id
>>  > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
>>  > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
>>  > antispoof quick for {xl0,dc0,xl1}
>>  > block proto tcp from 172.16.0.0/24 to any port 3128
>>  > # Internal Traffic
>>  > pass in quick on dc0 from any to any
>>  > pass out quick on dc0 from any to any
>>  > # Outgoing
>>  > pass out on xl0 proto tcp all flags S/SA modulate state
>>  > pass out on xl0 proto { udp, icmp } all keep state
>>  > pass out on xl1 proto tcp all flags S/SA modulate state
>>  > pass out on xl1 proto { udp, icmp } all keep state
>>  > # Pass basic services
>>  > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
>>  > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
>>  > pass in on xl0 proto udp from any to any port 53
>>  > pass in on xl1 proto udp from any to any port 53
>>  > # Pass VPN
>>  > pass in quick on xl1 proto udp from any to port 1194 keep state
>>  > pass quick on tun0
>>  > # Source nat route
>>  > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
>>  > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
>>  > # Close
>>  > block return-rst in log quick on xl0 inet proto tcp from any to any
>>  > block return-rst in log quick on xl1 inet proto tcp from any to any
>>  > block return-icmp in log quick on xl0 proto udp from any to any
>>  > block return-icmp in log quick on xl1 proto udp from any to any
>>  > block in quick on xl0 all
>>  > block in quick on xl1 all
>>  >
>>  > Best Regards,
>>  >
>>  > Wesley Gentine
>>  > _______________________________________________
>>  > freebsd-net at freebsd.org mailing list
>>  > http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>  > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>  >
>>
>>
>> --
>>
>>  Best Wishes,
>>  Stefan Lambrev
>>  ICQ# 24134177
>>
>>

-- 

Best Wishes,
Stefan Lambrev
ICQ# 24134177
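As an added illustration of the point made in this thread (replies leave on the interface the request arrived on because reply-to is stored in the state, while route-to on pass out only governs locally generated traffic), here is a complete dual-homed ruleset. This is an example ruleset, not the configuration of either poster; the interface names, addresses and gateways are placeholders I chose from the documentation address ranges. It relies on pf's rule evaluation order: a rule without "quick" does not end evaluation, so the last matching rule wins, and a packet that matches an existing state entry is never run through the rules at all.

```pf
# Added example: dual-homed host that answers on the link a request came in on.
# Interface names, addresses and gateways are placeholders, not values from the thread.
ext_if1 = "xl0"
ext_if2 = "xl1"
gw1     = "192.0.2.1"        # placeholder gateway reachable on $ext_if1
gw2     = "198.51.100.1"     # placeholder gateway reachable on $ext_if2
addr1   = "192.0.2.10"       # placeholder address configured on $ext_if1
addr2   = "198.51.100.10"    # placeholder address configured on $ext_if2

set skip on lo0
scrub in all
antispoof quick for { $ext_if1, $ext_if2 }

# Default deny. The pass rules below come later and, having no "quick",
# override these as the last matching rule.
block in log all
block out log all

# Inbound service traffic. reply-to records in the state entry the interface
# and gateway that replies must use. The reply packet matches the state and is
# routed by that entry, so it leaves via $ext_if2 even if the routing table's
# default route points at $ext_if1, and it never consults the "pass out" rules.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $addr1 port 22 keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $addr2 port 22 keep state

# Locally generated traffic. Only packets that did not create state on an
# inbound rule reach these. A connection sourced from $addr2 that the routing
# table would push out $ext_if1 is redirected to $ext_if2 via $gw2, so the
# source address always matches the link it leaves on.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from $addr2 to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from $addr1 to any keep state
pass out on $ext_if1 from $addr1 to any keep state
pass out on $ext_if2 from $addr2 to any keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". After connecting to port 22 on $addr2 from outside, "pfctl -ss" should show a single state on $ext_if2 for that connection and the reply packets should be visible leaving $ext_if2, not $ext_if1; if replies still leave the wrong link, the inbound rule that created the state is the one missing reply-to.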


