Policy Based Routing pf

fr33man fr33man at fr33man.ru
Fri Nov 3 14:31:02 UTC 2006


Thanks to all, I have solved the problem. Pf didn't work because of the MTU.
On shield the MTU was 1440:

[fr33man at shield ~]$ ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
        inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
[fr33man at shield ~]$

And on the web server it was 1500. And now everything works!!


-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
Behalf Of fr33man
Sent: Friday, November 03, 2006 1:15 AM
To: freebsd-pf at freebsd.org
Subject: Policy Based Routing pf

Hi all!

I have one problem with pf. This is my network:

ISP1     ISP2
|           |
|           |
|           |
|           |
FreeBSD(shield)
|
|
|
Local_Network

 

My configuration:

Local_Network has the address 192.168.1.0/24.

The IP address of the FreeBSD box (hostname shield) is 192.168.1.254 on the
Local_Network, 192.168.98.2 on ISP1, and an external IP (for example
1.1.1.1) on ISP2.

The default gateway is ISP1, and the IP address of the default gateway is
192.168.98.1.

ISP2 gives me Internet over a VPN, and the gateway on ISP2 is 172.17.0.1. This is
the output of `ifconfig`:

shield@/usr/local/etc> ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
        ether 00:05:1c:1e:6f:9e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:00:4b:51:07:84
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pfsync0: flags=0<> mtu 2020
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1440
        inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
shield@/usr/local/etc>

 

I have compiled the kernel with pf:

device          pf
device          pflog
device          pfsync

And this is my pf.conf:

shield@/usr/local/etc> cat /etc/pf.conf.back

ext_if="ng0"

scrub in all

nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if

rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www

pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state

pass all
shield@/usr/local/etc>

192.168.1.230 is the web server's IP address.

 

And now I want to tell you one very interesting thing! ;)

If index.html on the web server is about 1 KB, everyone can see it (from the
Internet), but if index.html is about 11 KB nobody can see it from the
Internet!!!

Can you help me?

--

WBR Ozerov Vasiliy I.

Good Luck

_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
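The symptom in the original post (a 1 KB page is served, an 11 KB page is not) is the classic path-MTU black hole: the web server, sitting behind a 1500-byte Ethernet, advertises a 1460-byte MSS and sends full 1500-byte segments, which cannot fit through the 1440-byte ng0 tunnel; the first response small enough to fit in a single sub-1440-byte segment gets through, anything larger does not. The poster fixed it by changing the MTU on the web server. The ruleset below is an added example, not the poster's own config or anything from the thread: it shows the alternative of clamping the TCP MSS in pf on the tunnel interface so every host behind shield is covered without touching their MTUs, placed beside the original `scrub` line. The value 1400 is an assumption derived from the 1440-byte MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header; the `pass` rule is rewritten to match the post-rdr destination because nothing in the posted ruleset applies the WEB_SERVER tag, so the original `tagged WEB_SERVER` rule can never match and inbound web traffic falls through to `pass all`, which carries no `reply-to`. The syntax is that of the pf shipped with FreeBSD 6 (OpenBSD 3.7 era), matching the posted configuration.

```pf
# /etc/pf.conf (example, not the original poster's file)
ext_if="ng0"            # ISP2 VPN tunnel, MTU 1440
web_srv="192.168.1.230" # web server on the Local_Network
isp2_gw="172.17.0.1"    # next hop on the far end of the tunnel

# Original setting: normalisation only. Nothing stops a 1500-byte segment
# from a LAN host being sent into the 1440-byte tunnel.
#scrub in all

# Corrected setting: keep normalisation, and clamp the TCP MSS on every
# connection that crosses the tunnel so both ends build segments that fit.
# 1440 (tunnel MTU) - 20 (IPv4 header) - 20 (TCP header) = 1400 (assumption).
scrub in all
scrub on $ext_if all max-mss 1400

# Unchanged from the posted ruleset.
nat on $ext_if inet proto tcp from $web_srv port 80 -> $ext_if
rdr on $ext_if inet proto tcp to $ext_if port www -> $web_srv port www

# Filter rules see the translated destination, so match on the web server's
# address rather than on a tag no rule sets. reply-to sends the replies back
# out ng0 to the ISP2 gateway instead of following the ISP1 default route.
pass in quick on $ext_if reply-to ($ext_if $isp2_gw) inet proto tcp \
    to $web_srv port www flags S/SA keep state

pass all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. To confirm the tunnel really is the narrow point, send a don't-fragment probe sized exactly to the tunnel MTU from shield, for example `ping -D -s 1412 172.17.0.1` (1412 bytes of payload + 8 ICMP + 20 IPv4 = 1440); if 1412 succeeds and 1413 fails, 1400 is the right clamp for TCP. If the VPN provider's path is narrower than the interface MTU suggests, the probe will show a smaller value and the `max-mss` should be lowered to match.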
