route-to rule.

Stephane Raimbault segr at hotmail.com
Thu Jan 27 10:27:06 PST 2005


Okay, with the syntax cleaned up this is what I have:

set state-policy if-bound

int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1="<ISP#1 Gateway IP>"
ext_if2="rl2"
ext_gw2="<ISP#2 Gateway IP>"
vpn_if="tun0"
vpn_gw="172.16.0.1"

isp1 = "(" $ext_if1 $ext_gw1 ")"
isp2 = "(" $ext_if2 $ext_gw2 ")"
vpn = "(" $vpn_if $vpn_gw ")"

server1_int="10.1.0.20"
server1_out="63.252.160.219"
server2_int="10.1.0.21"
server2_out="63.252.160.222"
server3_int="10.1.0.22"
server3_out="63.252.160.221"
server4_int="10.1.0.23"
server4_out="63.252.160.220"

nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
binat on $ext_if1 from $server1_int to any -> $server1_out
binat on $ext_if1 from $server2_int to any -> $server2_out
binat on $ext_if1 from $server3_int to any -> $server3_out
binat on $ext_if1 from $server4_int to any -> $server4_out

pass in quick on $int_if inet from $int_net to $int_net keep state
pass out quick on $int_if inet from $int_net to $int_net keep state

pass in on $ext_if1 tag $ext_if1 keep state
pass out on $ext_if1 route-to $ext_if1 keep state
pass out quick on $int_if reply-to $ext_if1 tagged $ext_if1 keep state

pass in on $ext_if2 tag $ext_if2 keep state
pass out on $ext_if2 route-to $ext_if2 keep state
pass out quick on $int_if reply-to $ext_if2 tagged $ext_if2 keep state

pass in on $vpn_if tag $vpn_if keep state
pass out on $vpn_if route-to $vpn_if keep state
pass out quick on $vpn_if reply-to $vpn_if tagged $vpn_if keep state

pass in quick on $int_if route-to $isp1 \
    from {$server1_int,$server2_int,$server3_int,$server4_int} \
    to {!10.0.0.0/26, !$int_net} keep state
pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep state
pass in on $int_if route-to $isp2 from $int_net to {!10.0.0.0/26, !$int_net} \
    keep state


I tried this out and it was not a success.  It seemed like nothing could 
get anywhere.  $int_net wasn't able to access the internet nor the subnets 
on the other side of the vpn.  The binat'd servers were inaccessible from the 
internet... and I got an arp error in /var/log/messages about a bunch of 
arps not being on the local network... I got a stream of these types of 
messages:

Jan 27 12:12:02 router1 kernel: arplookup 69.57.244.70 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 69.57.244.70
Jan 27 12:12:02 router1 kernel: arplookup 12.24.195.78 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 12.24.195.78


So, we aren't quite there yet.  Could I more simply change my default route 
to ISP #2, and set up some sort of route-to statements specifically for the 
binats instead?  Then I would also need to set up a rule for the openvpn to 
go over ISP #1 instead of ISP #2.

Any suggestions... as always much appreciated.

Thanks,
Stephane.
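The following is an added example, not the configuration from this thread or from any of its participants. It shows the same multi-ISP route-to layout written the way the PF documentation of the time lays it out, reusing the macro names from the posted pf.conf. The ISP gateway addresses are placeholders as in the post; the `<private>` table, the `$vpn_net` and `$servers` macros and the comments are additions of mine. Two things it illustrates: `route-to` and `reply-to` are given a next-hop address in parentheses next to the interface, because with an interface alone pf tries to ARP for the remote host on that link, which is exactly what the quoted `arplookup ... host is not on local network` messages report for internet addresses; and a negated list such as `to { !a, !b }` expands into two rules that between them match every destination, so a negated table is used for "everything except our own networks" instead.

```pf
# Added example (not from the thread): multi-ISP route-to with if-bound
# states, using the macro names of the posted pf.conf.  Gateway addresses
# are placeholders, as in the original post.
int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1="<ISP#1 Gateway IP>"
ext_if2="rl2"
ext_gw2="<ISP#2 Gateway IP>"
vpn_if="tun0"
vpn_gw="172.16.0.1"
vpn_net="10.0.0.0/26"                                   # assumed macro name
servers="{ 10.1.0.20, 10.1.0.21, 10.1.0.22, 10.1.0.23 }"  # assumed macro name

# Destinations that must never be policy-routed to an ISP.  "to { !a, !b }"
# expands to two rules, one matching everything outside a and one matching
# everything outside b, which together match every address; "to !<private>"
# is a single rule with the intended meaning.
table <private> { 10.0.0.0/26, 10.1.0.0/24 }

# if-bound: a state only matches on the interface it was created on, so each
# interface a flow crosses needs its own pass rule with keep state.
set state-policy if-bound

nat on $ext_if1 from $int_net to any -> ($ext_if1)
nat on $ext_if2 from $int_net to any -> ($ext_if2)

# Traffic between internal hosts is never policy-routed.
pass in quick on $int_if from $int_net to $int_net keep state
pass out quick on $int_if from $int_net to $int_net keep state

# Connections arriving on a link are answered through that same link.
# reply-to names interface AND next hop: with only the interface, pf would
# ARP for the remote client on the link and log "arplookup ... failed".
# (Open to any source here as in the post; restrict to exposed services.)
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) keep state
pass in on $vpn_if reply-to ($vpn_if $vpn_gw) keep state

# Outbound policy routing is decided on the internal interface.  Rules that
# span lines are continued with a trailing backslash.
pass in quick on $int_if route-to ($vpn_if $vpn_gw) \
    from $int_net to $vpn_net keep state
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from $servers to !<private> keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from $int_net to !<private> keep state

# Packets carrying one ISP's address must leave by that ISP even when the
# kernel's default route points at the other one.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

# Separate outbound states on each egress interface (required by if-bound).
pass out on $ext_if1 keep state
pass out on $ext_if2 keep state
pass out on $vpn_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, and check the expansion of the negated rules with `pfctl -sr` before going live: every `route-to` and `reply-to` in the output should show an interface together with a gateway address, and the `!<private>` rules should appear once each rather than as a pair of negated networks.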

>From: "Chris Dionissopoulos" <dionch at freemail.gr>
>Reply-To: "Chris Dionissopoulos" <dionch at freemail.gr>
>To: "Stephane Raimbault" <segr at hotmail.com>
>Subject: Re: route-to rule.
>Date: Thu, 27 Jan 2005 03:40:43 +0200
>
>Try to negate (= "!") each network in the "to" field, like:
>{ !10.0.0.0/26, !$int_net}
>Also, when you break a line in a rule, you must put a backslash at the end ("\").
>
>Chris.
>
>
>
>>Hi Chris,  Thanks for the quick response, however I'm still getting syntax 
>>errors on 2 of the 3 lines now:
>>
>>pass in quick on $int_if route-to $isp1 from 
>>{$server1_int,$server2_int,$server3_int,$server4_int} to !{10.0.0.0/26, 
>>$int_net} keep state
>>pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep 
>>state
>>pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26, 
>>$int_net} keep state
>>
>>/etc/pf.conf:47: syntax error
>>/etc/pf.conf:49: syntax error
>>
>>Where line 47 is the first one above and 49 is the last (3rd line) above.
>>
>>Any thoughts?  I'm scratching my head bald.
>>
>>Thanks,
>>Stephane.
>>
>>
>
>
