route-to rule.

Stephane Raimbault segr at hotmail.com
Fri Feb 4 08:43:13 PST 2005


Any other suggestions for this problem?  Or am I hitting the limitations of 
pf?  A bug perhaps?

>From: "Stephane Raimbault" <segr at hotmail.com>
>To: dionch at freemail.gr, freebsd-pf at freebsd.org
>Subject: Re: route-to rule.
>Date: Thu, 27 Jan 2005 11:25:32 -0700
>
>Okay, with the syntax cleaned up this is what I have:
>
>set state-policy if-bound
>
>int_if="rl0"
>int_net="10.1.0.0/24"
>ext_if1="rl1"
>ext_gw1="<ISP#1 Gateway IP>"
>ext_if2="rl2"
>ext_gw2="<ISP#2 Gateway IP>"
>vpn_if="tun0"
>vpn_gw="172.16.0.1"
>
>isp1 = "(" $ext_if1 $ext_gw1 ")"
>isp2 = "(" $ext_if2 $ext_gw2 ")"
>vpn = "(" $vpn_if $vpn_gw ")"
>
>server1_int="10.1.0.20"
>server1_out="63.252.160.219"
>server2_int="10.1.0.21"
>server2_out="63.252.160.222"
>server3_int="10.1.0.22"
>server3_out="63.252.160.221"
>server4_int="10.1.0.23"
>server4_out="63.252.160.220"
>
>nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
>nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
>binat on $ext_if1 from $server1_int to any -> $server1_out
>binat on $ext_if1 from $server2_int to any -> $server2_out
>binat on $ext_if1 from $server3_int to any -> $server3_out
>binat on $ext_if1 from $server4_int to any -> $server4_out
>
>pass in quick on $int_if inet from $int_net to $int_net keep state
>pass out quick on $int_if inet from $int_net to $int_net keep state
>
>pass in on $ext_if1 tag $ext_if1 keep state
>pass out on $ext_if1 route-to $ext_if1 keep state
>pass out quick on $int_if reply-to $ext_if1 tagged $ext_if1 keep state
>
>pass in on $ext_if2 tag $ext_if2 keep state
>pass out on $ext_if2 route-to $ext_if2 keep state
>pass out quick on $int_if reply-to $ext_if2 tagged $ext_if2 keep state
>
>pass in on $vpn_if tag $vpn_if keep state
>pass out on $vpn_if route-to $vpn_if keep state
>pass out quick on $vpn_if reply-to $vpn_if tagged $vpn_if keep state
>
>pass in quick on $int_if route-to $isp1 from 
>{$server1_int,$server2_int,$server3_int,$server4_int} to {!10.0.0.0/26, 
>!$int_net} keep state
>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep 
>state
>pass in on $int_if route-to $isp2 from $int_net to {!10.0.0.0/26, 
>!$int_net} keep state
>
>
>I tried this out and it was not a success.  It seemed like nothing could 
>get anywhere.  $int_net wasn't able to access the internet nor the subnets 
>on the other side of the VPN.  The binat'd servers were inaccessible from 
>the internet... and I got an ARP error in /var/log/messages about a 
>bunch of ARPs not being on the local network... I got a stream of these 
>types of messages:
>
>Jan 27 12:12:02 router1 kernel: arplookup 69.57.244.70 failed: host is not on local network
>Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 69.57.244.70
>Jan 27 12:12:02 router1 kernel: arplookup 12.24.195.78 failed: host is not on local network
>Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 12.24.195.78
>
>
>so, we aren't quite there yet.  Could I more simply change my default route 
>to ISP #2, and setup some sort of route-to statements specifically for the 
>binat's instead?  Then I would also need to setup a rule for the openvpn to 
>go over ISP #1 instead of ISP #2.
>
>Any suggestions... as always much appreciated.
>
>Thanks,
>Stephane.
>
>>From: "Chris Dionissopoulos" <dionch at freemail.gr>
>>Reply-To: "Chris Dionissopoulos" <dionch at freemail.gr>
>>To: "Stephane Raimbault" <segr at hotmail.com>
>>Subject: Re: route-to rule.
>>Date: Thu, 27 Jan 2005 03:40:43 +0200
>>
>>Try to negate (with "!") each network in the "to" field, like:
>>{ !10.0.0.0/26, !$int_net }
>>Also, when you break a rule across lines, you must put a backslash ("\") at the end.
>>
>>Chris.
>>
>>
>>
>>>Hi Chris,  Thanks for the quick response, however I'm still getting 
>>>syntax errors on 2 of the 3 lines now:
>>>
>>>pass in quick on $int_if route-to $isp1 from 
>>>{$server1_int,$server2_int,$server3_int,$server4_int} to !{10.0.0.0/26, 
>>>$int_net} keep state
>>>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep 
>>>state
>>>pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26, 
>>>$int_net} keep state
>>>
>>>/etc/pf.conf:47: syntax error
>>>/etc/pf.conf:49: syntax error
>>>
>>>Where line 47 is the first one above and 49 is the last (3rd line) above.
>>>
>>>Any thoughts?  I'm scratching my head bald.
>>>
>>>Thanks,
>>>Stephane.
>>>
>>>
>>
>>
>
>
>_______________________________________________
>freebsd-pf at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf

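Added check (not from the thread) for the two pf.conf syntax pitfalls raised above: negating a whole list with "!{ ... }" instead of each element, and breaking a rule across lines without a trailing backslash. The sample fragment is constructed to resemble the thread's rules, and the keyword list is an assumed subset of pf's grammar.

```python
import re

# Constructed sample modelled on the thread's rules: rule 1 is split over two lines
# with no trailing backslash, rule 2 is continued correctly, rule 3 negates a whole list.
SAMPLE = """\
int_if="rl0"
pass in quick on $int_if route-to $isp1 from $int_net to !{10.0.0.0/26,
$int_net} keep state
pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 \\
keep state
pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26, $int_net} keep state
"""
LIST_NEGATION = re.compile(r"!\s*\{([^}]*)\}")
MACRO = re.compile(r"^\w+\s*=")
KEYWORDS = {"pass", "block", "match", "nat", "binat", "rdr", "set", "scrub", "table",
            "antispoof", "anchor", "load", "include", "altq", "queue"}  # assumed subset

def join_continuations(text):
    """Merge lines ending in a backslash into one logical line, as pfctl does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:  # dangling continuation at end of input
        lines.append(buf.rstrip())
    return lines

def fix_list_negation(rule):
    """Rewrite '!{ a, b }' as '{ !a, !b }', the per-element form the thread settled on."""
    return LIST_NEGATION.sub(lambda m: "{ " + ", ".join(
        "!" + i.strip() for i in m.group(1).split(",") if i.strip()) + " }", rule)

def lint(text):
    """Return (rewritten logical lines, warnings) for a pf.conf fragment."""
    fixed, warnings = [], []
    for n, line in enumerate(join_continuations(text), 1):
        s = line.strip()
        if s and not s.startswith("#") and not MACRO.match(s) and s.split()[0] not in KEYWORDS:
            warnings.append(f"line {n}: rule continued without a trailing backslash: {s!r}")
        elif line.count("{") != line.count("}"):
            warnings.append(f"line {n}: unbalanced braces, rule is probably broken across lines")
        if LIST_NEGATION.search(line):
            warnings.append(f"line {n}: negated list rewritten to negate each element")
            line = fix_list_negation(line)
        fixed.append(line)
    return fixed, warnings
```

Running lint(SAMPLE) flags rule 1 on both of its lines and rewrites rule 3 to "{ !10.0.0.0/26, !$int_net }", the form Chris suggested.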
