Fwd: Fwd: Dual-feed: PF setup troubles

Daniel Hartmeier daniel at benzedrine.cx
Mon Aug 15 16:27:37 GMT 2005


On Mon, Aug 15, 2005 at 08:06:03PM +0400, Sergey Lapin wrote:

> And as for other bugs - return to wrong place and NAT from wrong interface?
> #2 is serious
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html

Repeat it on 6.0RC and provide the smallest ruleset that reproduces it
completely. The order of how translation rules are evaluated with
routing rules has changed several times, 6.0RC contains the newest code.

Note that translation rules (like NAT) are executed before route-to is,
i.e. if you let outgoing packets first go out the default interface, any
NAT rule on that interface is performed, _before_ the packet is then
re-routed to the non-default interface. Using route-to on the internal
interface makes this a non-issue, but you met the bug when trying that.
Assuming that bug is fixed, it will probably be the simplest approach,
and work.

If you do want to use route-to on the outgoing default interface,
however, you can try restricting the nat rules to appropriately tagged
packets, like

  nat on ... from ... to ... tagged TAG -> ...

so they only apply for packets that are not (later) re-routed.

Daniel
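The tagged-NAT arrangement Daniel describes, written out as a pf.conf fragment. This is an added example, not from the list message or the PF project: interface names, addresses and the choice of sending one LAN subnet over the second uplink are constructed, and it assumes that a packet re-routed by route-to is matched by the nat rule on the second interface afterwards (the message notes this ordering has changed between releases, so verify on the release in use).

```pf
# Constructed dual-uplink example. isp1 holds the system default route.
ext_if1 = "fxp0"              # uplink 1, default route
ext_if2 = "fxp1"              # uplink 2, reached only via route-to
int_if  = "fxp2"              # LAN side
isp2_gw = "203.0.113.1"       # next hop on uplink 2 (constructed)
lan_net = "192.168.1.0/24"
lan_via_isp2 = "192.168.1.128/25"   # hosts that should leave via uplink 2

# Translation happens before route-to. Without 'tagged' the nat rule on
# $ext_if1 would rewrite every outgoing LAN packet, including those that
# are subsequently re-routed out $ext_if2. Restricting each nat rule to
# the matching tag keeps the source address consistent with the uplink
# the packet really leaves on.
nat on $ext_if1 inet from $lan_net to any tagged VIA_ISP1 -> ($ext_if1)
nat on $ext_if2 inet from $lan_net to any tagged VIA_ISP2 -> ($ext_if2)

# Decide the uplink when the packet enters on the LAN interface.
# Later matching rules win, so the /25 overrides the general rule.
pass in on $int_if inet from $lan_net to any keep state tag VIA_ISP1
pass in on $int_if inet from $lan_via_isp2 to any keep state tag VIA_ISP2

# Default-interface path: packets tagged VIA_ISP1 just leave normally.
pass out on $ext_if1 inet from $lan_net to any tagged VIA_ISP1 keep state

# Packets tagged VIA_ISP2 reach $ext_if1 first (default route) and are
# re-routed to uplink 2 here. The nat rule on $ext_if1 above does not
# match them because of 'tagged VIA_ISP1'.
pass out on $ext_if1 route-to ($ext_if2 $isp2_gw) inet \
    from $lan_net to any tagged VIA_ISP2 keep state
pass out on $ext_if2 inet from any to any tagged VIA_ISP2 keep state
```

Check the result with `pfctl -s state` and `pfctl -s nat` on a test host: a VIA_ISP2 flow should show the $ext_if2 address as its translated source, and never the $ext_if1 address.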
