Policy Based Routing pf
fr33man
fr33man at fr33man.ru
Fri Nov 3 20:11:14 UTC 2006
First, I changed my pf rule from this:
pass in on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state
to this:
pass in log-all on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state
Then I tried to access my site, and on the console I was listening on the pflog0
interface with tcpdump:
web# tcpdump -i pflog0
... skipped ...
web#
I saw ICMP packets going to the web server. In the packets I saw
errors about the MTU. Then I entered this command on the web server:
stronghold# ifconfig xl0
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
ether 00:04:79:66:2d:87
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
stronghold# ifconfig xl0 mtu 1440
stronghold# ifconfig xl0
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1440
options=9<RXCSUM,VLAN_MTU>
inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
ether 00:04:79:66:2d:87
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
stronghold#
I changed the MTU to 1440 because my VPN channel had an MTU of 1440:
shield@/root> ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
shield@/root>
That's all.
If there are any questions, you can ask me. ;)
ICQ: 539-555
Skype: fr33manees
Email: fr33man at fr33man.ru
--
Goodluck
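An added check (my example, not code from the thread) that puts numbers on the size-dependent failure reported in the quoted message: it parses the MTUs from the quoted ifconfig lines and tests whether full-size TCP segments from the 1500-byte web server fit the 1440-byte ng0 tunnel. It assumes IPv4 and TCP without options, a client MSS no smaller than the server's own, and that the 1 KB / 11 KB sizes stand for the response body alone.

```python
import re

IP_HDR = 20   # IPv4 header, no options
TCP_HDR = 20  # TCP header, no options (timestamps would add 12 bytes)

# Constructed sample: the ifconfig header lines quoted in the thread, one per link.
IFCONFIG_LINES = {
    "stronghold xl0": "xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500",
    "shield ng0": "ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440",
}


def parse_mtu(line):
    """Return the MTU from an ifconfig interface header line, or None."""
    m = re.search(r"\bmtu (\d+)\b", line)
    return int(m.group(1)) if m else None


def path_mtu(lines):
    """The path MTU is the smallest link MTU on the way out (here the VPN tunnel)."""
    return min(parse_mtu(line) for line in lines)


def local_mss(mtu):
    """MSS a host derives from its own interface MTU."""
    return mtu - IP_HDR - TCP_HDR


def response_fits(response_bytes, server_mtu, path_mtu_bytes):
    """True if every segment of a response this long fits the path MTU.

    The server fills segments up to its MSS, so anything longer than one
    MSS goes out as full-size packets of server_mtu bytes; with DF set those
    need an ICMP 'fragmentation needed' reply to cross a smaller tunnel.
    Assumes the client's advertised MSS is not lower than the server's own."""
    largest_payload = min(response_bytes, local_mss(server_mtu))
    return largest_payload + IP_HDR + TCP_HDR <= path_mtu_bytes


def mss_clamp_for(path_mtu_bytes):
    """Largest MSS that keeps a full segment inside the path MTU."""
    return path_mtu_bytes - IP_HDR - TCP_HDR


if __name__ == "__main__":
    tunnel = path_mtu(IFCONFIG_LINES.values())
    for size in (1024, 11 * 1024):
        ok = response_fits(size, 1500, tunnel)
        print(f"{size:>6}-byte index.html via {tunnel}-byte tunnel: {'ok' if ok else 'too big'}")
    print("fix A: server MTU", tunnel, "->", response_fits(11 * 1024, tunnel, tunnel))
    print("fix B: clamp MSS to", mss_clamp_for(tunnel))
```

Lowering the server MTU, as done above, is one fix; pf can also clamp the MSS at the firewall with the `max-mss` scrub option so peers never send segments larger than the tunnel.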
-----Original Message-----
From: Odhiambo Washington [mailto:wash at wananchi.com] On Behalf Of Odhiambo WASHINGTON
Sent: Friday, November 03, 2006 7:29 PM
To: fr33man
Subject: Re: Policy Based Routing pf
Hi Freeman,
Could you please post the complete solution? Or just post the whole
solution to me.
Thanking you in advance!!
* On 03/11/06 17:28 +0300, fr33man wrote:
| Thanks to all, I have solved the problem. pf didn't work because of the MTU.
| On shield the MTU was 1440:
|
| [fr33man at shield ~]$ ifconfig ng0
| ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
| inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
| [fr33man at shield ~]$
|
| And on the web server it was 1500. And now all works!!
|
|
| -----Original Message-----
| From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
| Behalf Of fr33man
| Sent: Friday, November 03, 2006 1:15 AM
| To: freebsd-pf at freebsd.org
| Subject: Policy Based Routing pf
|
| Hi all!
|
| I have one problem with pf. This is my network:
|
|   ISP1          ISP2
|     |             |
|     |             |
|     |             |
|     |             |
|      FreeBSD(shield)
|            |
|            |
|            |
|      Local_Network
|
| My configuration:
|
| Local_Network has address: 192.168.1.0/24.
|
| The IP address of FreeBSD (hostname is shield) is 192.168.1.254 on the
| Local_Network and 192.168.98.2 on ISP1, and an external IP (for example
| 1.1.1.1) on ISP2.
|
| The default gateway is ISP1, and the IP address of the default gateway is
| 192.168.98.1.
|
| ISP2 gives me internet over VPN, and the gateway on ISP2 is 172.17.0.1. This is
| the output of `ifconfig`:
|
| shield@/usr/local/etc> ifconfig
| dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
| options=8<VLAN_MTU>
| inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
| ether 00:05:1c:1e:6f:9e
| media: Ethernet autoselect (100baseTX <full-duplex>)
| status: active
| fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
| options=8<VLAN_MTU>
| inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
| ether 00:00:4b:51:07:84
| media: Ethernet autoselect (100baseTX <full-duplex>)
| status: active
| pfsync0: flags=0<> mtu 2020
| pflog0: flags=0<> mtu 33208
| lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
| inet 127.0.0.1 netmask 0xff000000
| ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
| inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
| shield@/usr/local/etc>
|
| I have compiled the kernel with pf:
|
| device pf
| device pflog
| device pfsync
|
| And this is my pf.conf:
|
| shield@/usr/local/etc> cat /etc/pf.conf.back
|
| ext_if="ng0"
|
| scrub in all
|
| nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
|
| rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
|
| pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state
|
| pass all
| shield@/usr/local/etc>
|
| 192.168.1.230 - web server IP address.
|
| And now I want to tell you one very interesting thing! ;)
|
| If I have an index.html of about 1 KB on the web server, everyone can see
| it (from the internet), but if index.html is about 11 KB nobody can see it
| from the internet!!!
|
| Can you help me?
|
| --
| WBR Ozerov Vasiliy I.
| Good Luck
|
| _______________________________________________
| freebsd-pf at freebsd.org mailing list
| http://lists.freebsd.org/mailman/listinfo/freebsd-pf
| To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
-Wash
http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington <wash at wananchi.com>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
Of course there's no reason for it, it's just our policy.