How make the route-to working ?

Albert Shih Albert.Shih at obspm.fr
Fri Feb 12 16:44:59 UTC 2010


On 11/02/2010 at 23:38:56+0100, geoffroy desvernay wrote:
> Albert Shih wrote:
> > Hi all,
> > 
> > I've a problem with route-to.
> > 
> > I've a server with 2 interfaces, and I'm running jails on this server. Each
> > interface has its own public IP address.
> > 
> > 	eth0 -- IP0             eth1 -- IP1
> > 
> > and I've a default route (for example in IP0 subnet).
> > 
> > So if the jail is in the IP0 subnet there is no problem, everything works.
> > 
> > Now if I put a jail in the IP1 subnet, and some client tries to connect to this
> > jail, the answer comes out through eth0 because of the default route (suppose
> > the client is not on my subnet).
> > 
> > I don't want that. I want the answer to come out through eth1.
> > 
> > I'm trying to use pf to do that and put in my pf.conf something like
> > 
> > pass in all
> > pass out all
> > pass out on eth0 route-to {(eth0 IP0_Gateway)} from <IP0> to ! IP0_subnet
> > pass out on eth1 route-to {(eth1 IP1_Gateway)} from <IP1> to ! IP1_subnet
> > 
> > but it's not working; if I run a tcpdump on the host I can see the
> > incoming packet come in on eth1 and the outgoing one go out on eth0.
> > 
> > And if I try to remove the default route the outgoing packet doesn't come out....
> > 
> > Any help?
> > 
> > Regards.
> > 
Lots of thanks for your answer.

> 
> You just have to catch packets on the interface they would go normally:
> 
> pass out on *eth0* route-to {(eth1 IP1_Gateway)} from <IP1> to !eth1:network
> 
> The other rule is not needed in this case
> 
> You may also try instead a 'reply-to' rule on eth1's inbound, as David
> DeSimone suggested.

OK, now it's working. But I have some big trouble with the bandwidth.

Now when I try to do something like an scp, ftp or wget from inside a
jail to the outside, everything works fine. The traffic goes to the right
interface, the answer too.

But when I try to make a network connection (ssh, scp etc.) from outside
to a jail the bandwidth is catastrophic (~40kB/s on 1Gbit/s).

And for you?

> 
> A third and cleaner solution would be to use multiple routing-tables -
> see setfib(1) and 'options ROUTETABLES' of the kernel...

I already tried this, I don't know how to make it work. I'm going to try
again.

Regards.

Thanks again. 


-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26/06 86 69 95 71
Heure local/Local time:
Fri 12 Feb 2010 17:41:22 CET
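As an added illustration, not part of the thread, here is a pf.conf fragment that puts together the two approaches discussed above: the route-to rule caught on the interface the kernel would otherwise use (eth0, the default-route side), and the reply-to rule on eth1's inbound so the state created for an incoming connection already records the return path. The interface names, gateway and jail addresses are placeholders taken from the thread's wording, not real values.

```pf
# Placeholder macros: substitute the real interfaces and addresses.
ext_if0 = "eth0"          # interface holding the default route (IP0 subnet)
ext_if1 = "eth1"          # interface for the second jail subnet (IP1 subnet)
gw1     = "IP1_Gateway"   # next hop on the eth1 side
jail1   = "IP1"           # address of the jail living in the IP1 subnet

# Original attempt from the thread (does not work): pf only sees the packet
# on the interface the kernel already picked, which is eth0 because of the
# default route, so a rule matched "out on eth1" is never hit.
# pass out on $ext_if1 route-to ($ext_if1 $gw1) from $jail1 to ! $ext_if1:network

# Connections initiated from outside to the jail: create the state on eth1's
# inbound with reply-to, so replies leave through eth1 and its gateway
# regardless of the default route.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $jail1 keep state

# Connections initiated from inside the jail: catch them on the interface the
# kernel would use (eth0) and redirect them to the eth1 gateway, unless the
# destination is directly attached to eth1.
pass out on $ext_if0 route-to ($ext_if1 $gw1) from $jail1 to ! $ext_if1:network keep state

# Everything else is left to the default route.
pass in all
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch both interfaces with tcpdump to confirm that replies to inbound connections now leave via eth1.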


More information about the freebsd-pf mailing list