route-to not working

Vlad GALU dudu at dudu.ro
Thu Mar 20 07:22:55 PDT 2008


On 3/20/08, Stefan Lambrev <stefan.lambrev at moneybookers.com> wrote:
>
>
>  Vlad GALU wrote:
>  > On 3/20/08, Stefan Lambrev <stefan.lambrev at moneybookers.com> wrote:
>  >
>  >> Greetings,
>  >>
>  >>
>  >>
>  >>  Wesley wrote:
>  >>  >  Dear people,
>  >>  >
>  >>  > I have 2 links on a box, and I don't want to load balance them, but only to
>  >>  > reply to requests on the same interface they come in on.
>  >>  >
>  >>  > I tried to use route-to, but it doesn't seem to work.
>  >>  >
>  >>  > Could you please give me some help?
>  >>  >
>  >>
>  >> I do not see where you use "reply-to" in your configuration.
>  >>
>  >>  But here is a working example which you can improve, of course.
>  >>
>  >>  #dual home
>  >>  pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
>  >>  pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>  >>  pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
>  >>  pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>  >>
>  >>  #dual home ssh only
>  >>  pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
>  >>  pass out on $ext_if1 route-to ($ext_if2 $gw1) from $external_addr2 to any
>  >>  pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
>  >>  pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state
>  >>
>  >
>  >
>  >     Don't mind me asking, but isn't your example working due to your
>  > route-to rules? I, as well as Wesley, assumed that reply-to should've
>  > been enough to reach the goal.
>  >
>
> It's working because of the reply-to rules - incoming packets do not match
>  the "pass out route-to" rules.
>  The "pass out" rules are needed if the packet(s) are generated locally
>  and do not match the "pass in" rules.
>
>  You forget that the first rule to match wins and keep state (which is on
>  by default in 7.0)
>  will make replies to match the state not the pass out rules.


   Yes, you're right, I'm sorry :) ENOTENOUGHCOFFEE :) However, I do
recall having seen the symptom once myself.

>
> >
>  >>> It's my configuration:
>  >>>
>  >>  >
>  >>  > set skip on lo0
>  >>  > scrub on xl0 reassemble tcp no-df random-id
>  >>  > scrub on xl1 reassemble tcp no-df random-id
>  >>  > scrub on dc0 reassemble tcp no-df random-id
>  >>  > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
>  >>  > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
>  >>  > antispoof quick for {xl0,dc0,xl1}
>  >>  > block proto tcp from 172.16.0.0/24 to any port 3128
>  >>  > # Internal Traffic
>  >>  > pass in quick on dc0 from any to any
>  >>  > pass out quick on dc0 from any to any
>  >>  > # Outgoing
>  >>  > pass out on xl0 proto tcp all flags S/SA modulate state
>  >>  > pass out on xl0 proto { udp, icmp } all keep state
>  >>  > pass out on xl1 proto tcp all flags S/SA modulate state
>  >>  > pass out on xl1 proto { udp, icmp } all keep state
>  >>  > # Pass basic services
>  >>  > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
>  >>  > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
>  >>  > pass in on xl0 proto udp from any to any port 53
>  >>  > pass in on xl1 proto udp from any to any port 53
>  >>  > # Pass VPN
>  >>  > pass in quick on xl1 proto udp from any to port 1194 keep state
>  >>  > pass quick on tun0
>  >>  > # Source nat route
>  >>  > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
>  >>  > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
>  >>  > # Close
>  >>  > block return-rst in log quick on xl0 inet proto tcp from any to any
>  >>  > block return-rst in log quick on xl1 inet proto tcp from any to any
>  >>  > block return-icmp in log quick on xl0 proto udp from any to any
>  >>  > block return-icmp in log quick on xl1 proto udp from any to any
>  >>  > block in quick on xl0 all
>  >>  > block in quick on xl1 all
>  >>  >
>  >>  > Best Regards,
>  >>  >
>  >>  > Wesley Gentine
>  >>  > _______________________________________________
>  >>  > freebsd-net at freebsd.org mailing list
>  >>  > http://lists.freebsd.org/mailman/listinfo/freebsd-net
>  >>  > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>  >>  >
>  >>
>  >>
>  >> --
>  >>
>  >>  Best Wishes,
>  >>  Stefan Lambrev
>  >>  ICQ# 24134177
>  >>
>  >>
>


-- 
~/.signature: no such file or directory
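As an added example (not posted by anyone in this thread), here is Wesley's public-link rule set rewritten the way Stefan describes, using the interface names and gateway addresses from Wesley's own config; the interface addresses are taken dynamically with the (ifname) notation, so no public addresses are assumed.

```pf
# Interfaces and next hops as they appear in the config posted above
ext_if1 = "xl0"
gw1     = "201.83.16.1"
ext_if2 = "xl1"
gw2     = "200.232.164.1"
int_if  = "dc0"

set skip on lo0
antispoof quick for { $ext_if1 $ext_if2 $int_if }

# --- Shape of the problem (for comparison; do not use) ---
# "keep state" without reply-to: the reply matches the state and is
# then routed by the kernel routing table, i.e. always out the link
# that holds the default route, whichever link the request came in on.
# pass in quick on $ext_if1 proto tcp from any to any port { 22, 21, 1194 } keep state
# pass in quick on $ext_if2 proto tcp from any to any port { 22, 21, 1194 } keep state

# --- Corrected ---
# reply-to records, in the state entry, the interface and next hop the
# request arrived on, so every reply leaves the same way it came in.
# Because the first matching rule wins and the state matches first,
# reply traffic never reaches the "pass out route-to" rules below.
pass in quick on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
     from any to ($ext_if1) port { 22, 21, 1194 } keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
     from any to ($ext_if2) port { 22, 21, 1194 } keep state

# route-to is only for locally generated traffic sourced from the link
# that does not own the default route: it does not match states created
# by the "pass in" rules above.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any

# Anything else inbound on the public links is dropped and logged.
block in log quick on { $ext_if1 $ext_if2 } all
```

A quick check after loading is `pfctl -ss`, which lists the state entries; a state created by one of the reply-to rules shows the interface it was created on, and a reply that leaves elsewhere means the request matched an earlier rule without reply-to.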

