Two interface route-to problem

Matt MacDonald macdonald.matthew at gmail.com
Mon Feb 7 04:15:23 PST 2005


I've been working on a problem for a while but it doesn't seem to be
getting fixed.

I've got two PPPoE interfaces to different ISPs.  The default route is
to ISP1 but my servers are on ISP2.  Everything seems to be
working fine except that traffic destined for ISP2 gets
returned on the ISP1 interface.  The docs seem to say that route-to
will fix my problem but I can't seem to get it to work.  Hopefully
someone on this list will see what I'm doing wrong.

Here are the commands that I have tried to get this to work:

pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
     to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from ($ISP2) \
     to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from $ISP2addr \
     to any flags S/SA
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from $ISP2addr \
     to any flags S/SA

but none of them seem to work.  I do have a similar line that routes
SMTP traffic inbound on the inside interface to ISP2 and that works
fine.

Thanks,
Matt

Here is my entire config:
############### /etc/pf.conf ###########################
## Macros 
ISP1="tun0"
ISP2="tun1"
INSIDE="rl1"
MYNET="192.168.1.0/24"
ALLOWED="{ 20, 21, 22, 113 }"

## TABLES 
table <PRIVATE> const { 10/8, 172.16/12, 192.168/16, 224/8 }
table <BAD_GUYS> persist
table <ISP2_GW> { 66.x.x.x}
table <ISP1_GW> { 64.x.x.x}

## GLOBAL OPTIONS 
set loginterface $ISP2
set block-policy return

## TRAFFIC NORMALIZATION 
scrub in on { $ISP2, $ISP1 } all fragment reassemble
#scrub out on { $ISP2, $ISP1 } all fragment reassemble random-id no-df

## QUEUEING RULES


## TRANSLATION RULES (NAT)
nat on $ISP1 from $INSIDE:network to any -> ($ISP1)
nat on $ISP2 from $INSIDE:network to any -> ($ISP2)
rdr on $INSIDE proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021


## FILTER RULES 
#
# Defaults Block All
#
block log all
# Table names are case-sensitive and must match the definitions above
# (<BAD_GUYS> and <PRIVATE>), otherwise pfctl rejects the rule set.
block in log quick on { $ISP2, $ISP1 } from <BAD_GUYS> to any
block log quick on { $ISP2, $ISP1 } from <PRIVATE> to any
#
# Tun 0 - ISP1 
# Out
pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
     to any flags S/SA
pass out log on $ISP1 proto tcp all modulate state flags S/SA
pass out log on $ISP1 proto { udp, icmp } all keep state
# In
pass in log on $ISP1 proto icmp from any to ($ISP1) keep state
pass in log on $ISP1 inet proto tcp from any to ($ISP1) port $ALLOWED \
     flags S/SA keep state
pass in log on $ISP1 inet proto tcp from any to ($ISP1) \
               port > 49151 keep state

#
# Tun 1 - ISP2 
# Out
pass out log quick on $ISP2 route-to ( $ISP1 $ISP1:peer ) from ($ISP1) \
     to any flags S/SA

pass out log on $ISP2 proto tcp all modulate state flags S/SA
pass out log on $ISP2 proto { udp, icmp } all keep state
# In
pass in log on $ISP2 proto icmp from any to ($ISP2) keep state
pass in log on $ISP2 inet proto tcp from any to ($ISP2) port $ALLOWED \
     flags S/SA keep state
#
# rl1 - Inside 
# Out
pass in quick on $INSIDE route-to ( $ISP2 <ISP2_GW> ) inet proto tcp \
     from any to any port 25 modulate state

pass in on $INSIDE from $MYNET to any
pass out on $INSIDE from any to $MYNET
#
# Loopback
#
pass in quick on lo0 all
pass out quick on lo0 all
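Editor's note, added here as a worked example and not part of the original post or its config: in pf, a packet that matches an existing state is passed without the rule set being evaluated, so replies to connections that arrived on ISP2 (whose state was created by the "pass in ... keep state" rules) follow the kernel's default route out tun0 and never reach a "pass out ... route-to" rule on $ISP1. The mechanism pf provides for this case is reply-to on the state-creating inbound rule, which records the interface and next hop for the reply direction in the state. The fragment below reuses the post's macro names and assumes $ISP2:peer and $ISP1:peer are the far ends of the two point-to-point tun links (valid pf.conf interface modifiers); it is an assumed rewrite of the inbound rules, not the poster's own.

```pf
# Added example: return inbound-originated replies via the interface
# they arrived on, using reply-to on the state-creating "pass in" rules.
ISP1="tun0"
ISP2="tun1"
INSIDE="rl1"
ALLOWED="{ 20, 21, 22, 113 }"

# In on ISP2: the state created here carries the reply route, so the
# SYN-ACK and all later server->client packets leave via tun1, not via
# the default route on tun0. ( $ISP2 $ISP2:peer ) names the next hop on
# the point-to-point link (assumption: tun1 is a PPPoE p2p interface).
pass in log on $ISP2 reply-to ( $ISP2 $ISP2:peer ) inet proto tcp \
     from any to ($ISP2) port $ALLOWED flags S/SA keep state
pass in log on $ISP2 reply-to ( $ISP2 $ISP2:peer ) inet proto icmp \
     from any to ($ISP2) keep state

# Same on ISP1, so neither link depends on the kernel default route.
pass in log on $ISP1 reply-to ( $ISP1 $ISP1:peer ) inet proto tcp \
     from any to ($ISP1) port $ALLOWED flags S/SA keep state
pass in log on $ISP1 reply-to ( $ISP1 $ISP1:peer ) inet proto icmp \
     from any to ($ISP1) keep state

# Connections initiated from the LAN that must leave via ISP2 (the post's
# SMTP case) still use route-to on the inside interface; the "pass out"
# rules on tun0/tun1 carry no route-to at all.
pass in quick on $INSIDE route-to ( $ISP2 $ISP2:peer ) inet proto tcp \
     from any to any port 25 modulate state
```

To check the result: load with `pfctl -nf /etc/pf.conf` first (syntax only, nothing is installed), then open a connection to a service on the ISP2 address from outside and watch `tcpdump -ni tun1` for the SYN-ACK; with reply-to in place it appears on tun1, whereas before it would have appeared on `tcpdump -ni tun0` with the ISP2 source address.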

