How to make route-to work?

geoffroy desvernay dgeo at centrale-marseille.fr
Thu Feb 11 22:58:07 UTC 2010


Albert Shih wrote:
> Hi all,
> 
> I have a problem with route-to.
> 
> I have a server with 2 interfaces, and I'm running jails on this server. Each
> interface has its own public IP address.
> 
> 	eth0 -- IP0             eth1 -- IP1
> 
> and I have a default route (for example in the IP0 subnet).
> 
> So if the jail is in the IP0 subnet there's no problem, everything works.
> 
> Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> jail, the answer comes out through eth0 because of the default route (suppose
> the client is not on my subnet).
> 
> I don't want that. I want the answer to come out through eth1.
> 
> I'm trying to use pf to do that and put in my pf.conf something like 
> 
> pass in all
> pass out all
> pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
> pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
> 
> but it's not working: if I run a tcpdump on the host I can see the
> incoming packet come in on eth1 and the outgoing one come out on eth0. 
> 
> And if I try to remove the default route, the outgoing packets don't come out....
> 
> Any help?
> 
> Regards.
> 
> 
Hi,

I'm using this for the same case:

You just have to catch the packets on the interface they would normally go out of:

pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network

The other rule is not needed in this case.

You may also try instead a 'reply-to' rule on eth1's inbound, as David
DeSimone suggested.

A third and cleaner solution would be to use multiple routing tables -
see setfib(1) and 'options ROUTETABLES' in the kernel configuration...

HTH
-- 
*Geoffroy Desvernay*
C.R.I - Administration systèmes et réseaux
Ecole Centrale de Marseille
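An added example, not part of Geoffroy's mail or of any project's shipped configuration, that puts the two pf variants he mentions (the route-to rule matched on the interface holding the default route, and a reply-to rule on the inbound side) into one pf.conf. The interface names em0/em1, the gateway 192.0.2.1 and the jail addresses in the <jails_ip1> table are assumed placeholders standing in for eth0/eth1, IP1_Gateway and the IP1 jails of the thread:

```pf
# Added example, not from the original mail. Interface names, the gateway and
# the jail addresses are placeholders; replace them with the host's values.
ext0 = "em0"          # interface in the IP0 subnet (where the default route points)
ext1 = "em1"          # interface in the IP1 subnet
gw1  = "192.0.2.1"    # router of the IP1 subnet (assumed)
table <jails_ip1> { 192.0.2.10, 192.0.2.11 }   # jail addresses bound on $ext1 (assumed)

set skip on lo0

# Baseline from the thread. Stateful, so replies are matched to their state
# and the reply-to rule below can steer them.
pass in all keep state
pass out all keep state

# Option 1: route-to. The kernel routing table already decided on $ext0, so
# the rule has to match "out on $ext0"; a rule on $ext1 never sees the packet.
# Only jail sources are rewritten, so the host's own IP0 traffic is untouched,
# and $ext1's own subnet is excluded because it needs no gateway.
pass out on $ext0 route-to ($ext1 $gw1) from <jails_ip1> to ! $ext1:network keep state

# Option 2: reply-to. Tag the state created by an inbound connection on $ext1
# so its replies leave on $ext1 via $gw1 whatever the default route says.
pass in on $ext1 reply-to ($ext1 $gw1) from any to <jails_ip1> keep state
```

Two things to check before relying on this. pf evaluates the last matching rule unless a rule carries `quick`, so the route-to rule placed after `pass out all` wins; if the baseline were written `pass out quick all`, the route-to rule would never be reached and the symptom from the thread (replies leaving on eth0) would persist. Also, reply-to only affects connections that arrive on $ext1 from outside; connections the jail itself opens still need the route-to rule (or a separate routing table). For the third option Geoffroy names, with a kernel built with `options ROUTETABLES=2`, the equivalent is to give the second FIB its own default route (`setfib 1 route add default 192.0.2.1`, FIB number assumed) and start the jail's processes under `setfib 1`, which keeps the routing decision in the kernel instead of in pf.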


