How to make route-to work?

geoffroy desvernay dgeo at centrale-marseille.fr
Sat Feb 13 08:12:28 UTC 2010


Albert Shih wrote:
>  On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote
>> Albert Shih wrote:
>>> Hi all,
>>>
>>> I have a problem with route-to.
>>>
>>> I have a server with 2 interfaces, and I'm running jails on this server. Each
>>> interface has its own public IP address.
>>>
>>> 	eth0 -- IP0             eth1 -- IP1
>>>
>>> and I have a default route (for example in the IP0 subnet).
>>>
>>> So if the jail is in the IP0 subnet there is no problem, everything works.
>>>
>>> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
>>> jail, the answer comes out through eth0 because of the default route (suppose
>>> the client is not on my subnet).
>>>
>>> I don't want that. I want the answer to come out through eth1.
>>>
>>> I'm trying to use pf to do that and have put something like this in my pf.conf:
>>>
>>> pass in all
>>> pass out all
>>> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
>>> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
>>>
>>> but it's not working: if I run tcpdump on the host I can see the
>>> incoming packets come in on eth1 and the outgoing ones go out on eth0.
>>>
>>> And if I try to remove the default route the outgoing packets don't come out at all....
>>>
>>> Any help?
>>>
>>> Regards.
>>>
> Many thanks for your answer.
> 
>> You just have to catch packets on the interface they would normally go out:
>>
>> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
>>
>> The other rule is not needed in this case
>>
>> You may also try instead a 'reply-to' rule on eth1's inbound, as David
>> DeSimone suggested.
> 
> OK, now it's working. But I have some big trouble with the bandwidth.
> 
> Now when I try to do something like an scp, ftp or wget from inside a
> jail to the outside, everything works fine. The traffic goes to the right interface,
> and the answer too.
> 
> But when I try to make a network connection (ssh, scp etc.) from outside
> to a jail the bandwidth is catastrophic (~40 kB/s on 1 Gbit/s).
> 
> And for you?
> 
I've been using this kind of setup for at least two years for ~500 real users
without complaints... (three different 'ssh jails' on the same machine
with many VLANs and three "default" gateways)


>> A third and cleaner solution would be to use multiple routing tables -
>> see setfib(1) and 'options ROUTETABLES' of the kernel...
> 
> I already tried this, I don't know how to make it work. I'm going to try
> again.
> 
I've also been planning to test this... for more than a year :-|


-- 
*Geoffroy Desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
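A complete pf.conf putting together the two approaches discussed in this thread: the route-to rule placed on the interface the default route would use (the fix that made the setup work), and the reply-to variant on eth1's inbound side for connections initiated from outside. This is an added example written for this page, not configuration posted by anyone in the thread; the interface names, the gateway address and the jail address are placeholders (a real FreeBSD host would name its interfaces em0, bge0 and so on), and the addresses come from the 192.0.2.0/24 documentation range.

```pf
# Added example, not from the thread. All values below are placeholders.
if0 = "eth0"                    # interface carrying the default route (IP0 subnet)
if1 = "eth1"                    # second interface (IP1 subnet)
gw1 = "192.0.2.1"               # assumed router on the IP1 subnet
table <jails1> { 192.0.2.10 }   # assumed address(es) of the jail(s) on the IP1 subnet

set skip on lo0

# Baseline policy from the original post. pf evaluates rules top to bottom and
# the last matching rule wins (unless 'quick' is used), so the more specific
# route-to / reply-to rules further down override these for the traffic they
# match.
pass in all
pass out all

# Outbound from a jail on the IP1 subnet. The routing table sends such a
# packet out $if0 (the default route), so this rule must match on $if0, not
# on $if1, and hand the packet to $gw1 through $if1 instead. Traffic for the
# IP1 subnet itself is excluded because it is delivered directly on $if1.
pass out on $if0 route-to ($if1 $gw1) from <jails1> to ! $if1:network keep state

# Connections initiated from outside towards a jail on the IP1 subnet. Creating
# the state on $if1 inbound with reply-to pins the replies for that state to
# $if1 / $gw1, so they no longer follow the default route out of $if0.
pass in on $if1 reply-to ($if1 $gw1) from ! $if1:network to <jails1> keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To confirm the routing is symmetric, run `tcpdump -ni eth1` while connecting to the jail from a host outside both subnets: both directions of the connection should now be visible on eth1 and nothing of it on eth0. The third option mentioned in the thread (setfib(1) with a kernel built with `options ROUTETABLES`) avoids pf entirely by giving the jail its own routing table, but it is not shown here.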
