route-to not working

Torsten at CNC-LONDON torsten at cnc-london.net
Fri Mar 21 14:17:37 UTC 2008


> --- Wesley <wcglist at gmail.com> wrote:
> 
> > Dear people,
> > 
> > I have 2 links on a box, and I don't want to load balance them, but
> > only to reply to requests on the same interface they come in on.
> > 
> > I tried to use route-to, but it does not seem to work.
> > 
> > Could you please give me some help?
> > 
> Looking at your config, most of your traffic is blocked since pf (if I
> remember correctly) works on last rule matching except for "quick".
> You might want to read the FAQs again at
> http://www.openbsd.org/faq/pf/index.html
> 
> It has some good examples with the detailed explanations of each part
> of pf configuration.  As for reply to external interface, you can use
> something like this:
> 
> pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
>    proto tcp from any to any port { 22, 21, 1194 } keep state
> 
> However, I remember reading somewhere that reply-to is broken on
> FreeBSD and that I couldn't get reply-to to work properly on my box. 
> Someone please correct me on this if I'm wrong.
> 
> BTW, route-to is not only used for outbound load balancing.  You can
> use it to route certain destinations via certain interfaces without
> having to mess around with routing table ;)
> 
> Regards,
> Tommy
> 
> > It's my configuration:
> > 
> > set skip on lo0
> > scrub on xl0 reassemble tcp no-df random-id
> > scrub on xl1 reassemble tcp no-df random-id
> > scrub on dc0 reassemble tcp no-df random-id
> > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> > antispoof quick for {xl0,dc0,xl1}
> > block proto tcp from 172.16.0.0/24 to any port 3128
> > # Internal Traffic
> > pass in quick on dc0 from any to any
> > pass out quick on dc0 from any to any
> > # Outgoing
> > pass out on xl0 proto tcp all flags S/SA modulate state
> > pass out on xl0 proto { udp, icmp } all keep state
> > pass out on xl1 proto tcp all flags S/SA modulate state
> > pass out on xl1 proto { udp, icmp } all keep state
> > # Pass basic services
> > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> > pass in on xl0 proto udp from any to any port 53
> > pass in on xl1 proto udp from any to any port 53
> > # Pass VPN
> > pass in quick on xl1 proto udp from any to port 1194 keep state
> > pass quick on tun0
> > # Source nat route
> > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> > # Close
> > block return-rst in log quick on xl0 inet proto tcp from any to any
> > block return-rst in log quick on xl1 inet proto tcp from any to any
> > block return-icmp in log quick on xl0 proto udp from any to any
> > block return-icmp in log quick on xl1 proto udp from any to any
> > block in quick on xl0 all
> > block in quick on xl1 all
> > 
> > Best Regards,
> > 
> > Wesley Gentine
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to
> "freebsd-pf-unsubscribe at freebsd.org"
> > 
> 
> 
> Hi Wesley
> 
> Here are the rules I use for that purpose on my server (I'm still in the
> middle of setting it up).
> It works best on incoming connections; I just need to include the
> outgoing to balance and figure out ftp.
> 
> I noticed one thing that I can't explain myself: if I use a macro for
> the external IP instead of having the actual outside interface IP
> addresses in the "pass in" rules, the whole thing blows up and stops
> working.
> 
> example:
> inet proto tcp from any to 192.168.254.10   is good
> inet proto tcp from any to $ ext_if1_IP     is bad and not working
> 

Is the space between $ and ext_if1_IP a bad typo or intended?  If
intended, that's why your rule failed.  If you look at the screen log,
it will tell you what the error is.  It should be $ext_if1_IP.

Regards,
Tommy


> here is my config:
> 
> 	ext_if1="rl0"
> 	ext_if2="rl1"
> 	ext_if1_IP="192.168.1.10"
> 	ext_if2_IP="192.168.254.10"
> 
> 	ext_gw1="192.168.1.254"
> 	ext_gw2="192.168.254.254"
> 	public_services = "{ 80, 443, 873, 1701, 1721, 1723 }"
> 	
> 	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
> 		inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
> 	
> 	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
> 		inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
> 
> 	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
> 		inet proto udp from any to 192.168.1.10 port $public_services keep state
> 
> 	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
> 		inet proto udp from any to 192.168.254.10 port $public_services keep state
> 
> 
> 
Hi Tommy

It was just a typo in the email. What I noticed is that reply-to seems to
interfere with route-to, which more or less knocks it out in the config I
have below.
I'm glad that someone has raised the issue about reply-to, because I have
searched the internet for days and could not find much.
Here is my config just for reference.

Thanks 
Torsten

###############################################################################
##MACROS
###############################################################################
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"

ext_if1="rl0"
ext_if2="rl1"
ext_if1_IP="192.168.1.10"
ext_if2_IP="192.168.254.10"

ext_gw1="192.168.1.254"
ext_gw2="192.168.254.254" 

int_if="rl2"
vpn_if="{ ng0, ng1, ng2, ng3, ng4 }"

int_net="192.168.100.0/24"

public_services = "{ 20, 21, 80, 443, 873, 1701, 1721, 1723 }"
no_balance = "{ !=21, !=37, !=53, !=443, !=80, !=873 }"

###############################################################################
##TABLES AND OPTIONS
###############################################################################

# blacklist host
        table <blacklist> persist file "/usr/local/etc/pf/pf.blacklist"

# unrestricted internal hosts
       table <save_hosts> persist file "/usr/local/etc/pf/pf.savehosts"

# no loadbalanced PC's
        table <pc_no_balance> persist file "/usr/local/etc/pf/pc_no_balance"

# no loadbalance to Hosts
        table <hosts_no_balance> persist file "/usr/local/etc/pf/hosts_no_balance"

## GLOBAL OPTIONS
        set block-policy return
        set loginterface $ext_if1
        set loginterface $ext_if2
        set loginterface $int_if
        set optimization normal
        set skip on lo0

## TRAFFIC NORMALIZATION
        scrub in all no-df
        scrub out all no-df

###############################################################################
## TRANSLATION RULES (NAT)
###############################################################################

# NAT for the whole office to the internet
       nat on $ext_if1 from $int_net to any -> $ext_if1
       nat on $ext_if2 from $int_net to any -> $ext_if2

###############################################################################
## FILTER RULES 
###############################################################################

# in general block all connections and allow later below
       block in log all

# allow any connection from the server to go out
       pass out keep state

# allow any connections from internal network
	pass in log quick on lo0
       pass in log quick on $int_if
       pass in log quick on $vpn_if

# allow public ports to connect and route back to both routers
#	pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
#	pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
#	pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto udp from any to 192.168.1.10 port $public_services keep state
#	pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto udp from any to 192.168.254.10 port $public_services keep state

# blacklist spam networks and so on
        block log from <blacklist> to any 
        block log from any to <blacklist>

# VPN GRE PROTOCOL
        pass in proto gre all keep state
        pass out proto gre all keep state

# make sure no one spoofs internal addresses
       antispoof log for { $ext_if1 $ext_if2 }

#allow ping request from anywhere but filter it
        pass in log inet proto icmp all icmp-type $icmp_types keep state

## load balance over two routers ##############################################
	# load balance outgoing tcp traffic from internal network.
	pass in on $int_if route-to \
	   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
	   proto { tcp } from $int_net to any keep state

	# load balance outgoing udp and icmp traffic from internal network
	pass in on $int_if route-to \
    	{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    	proto { udp, icmp } from $int_net to any keep state
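
As an added example (not part of the original thread and not any poster's config), here is a minimal pf.conf for the situation Wesley describes (two uplinks, answer inbound connections on the interface they arrived on) combined with the round-robin route-to for LAN traffic that Torsten's config shows. All interface names, addresses, gateways and ports are assumptions for illustration. It uses the reply-to form Tommy suggests: pf records the route option in the state entry when the SYN is passed in, and the reply packets match that state and never reach the ruleset, so a `pass out ... route-to` rule cannot steer them. Macros are referenced as `$name` with no space, and the file is meant to be checked with `pfctl -nf` before loading.

```pf
# Added example pf.conf (assumed interfaces, addresses and ports).
# Check syntax and macro expansion without loading:  pfctl -vnf /etc/pf.conf
# Load:  pfctl -f /etc/pf.conf      Inspect:  pfctl -sr  /  pfctl -ss
ext_if1    = "rl0"
ext_if2    = "rl1"
ext_if1_ip = "192.168.1.10"
ext_if2_ip = "192.168.254.10"
ext_gw1    = "192.168.1.254"
ext_gw2    = "192.168.254.254"
int_if     = "rl2"
int_net    = "192.168.100.0/24"
public_tcp = "{ 22, 80, 443 }"

set skip on lo0
set block-policy return
scrub in all

# NAT the LAN behind whichever uplink a packet actually leaves on
nat on $ext_if1 from $int_net to any -> ($ext_if1)
nat on $ext_if2 from $int_net to any -> ($ext_if2)

# Default deny inbound; the host's own outbound traffic is allowed
block in log all
pass out keep state

# 1. Inbound services on each uplink. reply-to is kept in the state,
#    so answers go back out through the gateway the request came from
#    regardless of the default route. Without it the replies follow the
#    routing table and leave through the other uplink.
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    inet proto tcp from any to $ext_if1_ip port $public_tcp \
    flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    inet proto tcp from any to $ext_if2_ip port $public_tcp \
    flags S/SA keep state

# 2. LAN traffic: choose an uplink per connection as it enters on the
#    internal interface; the state remembers the choice for its lifetime.
pass in quick on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    inet proto { tcp, udp, icmp } from $int_net to any keep state

# 3. Safety net (the pattern from the OpenBSD PF FAQ): if the routing
#    table would send a packet carrying uplink B's source address out
#    uplink A, push it back through uplink B's gateway instead.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2_ip to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1_ip to any
```

The `quick` keyword matters here: pf otherwise applies the last matching rule, so a later `pass out` or `block` rule would override the reply-to rule's decision. A stray space in a macro reference (`$ ext_if1_ip`) is a parse error, not a silently ignored rule; `pfctl -nf` reports it with the offending line number, and `pfctl -vnf` prints every rule with macros expanded so the addresses in the `pass in` rules can be compared against the interface configuration.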
