Routing router-originating traffic via route-to rules
Stefan
stefanferreira at gmail.com
Tue Jan 26 11:27:39 UTC 2010
Thanks, I'll keep that approach in mind. Unfortunately that still relies
on routing tables to perform outbound routing, unless I misunderstand?
The problem is that my routing setup is a little complex for the routing
tables, so I really need to route using pf. My setup looks roughly like
this:
* Almost 600 IP ranges get routed over one set of links, with load
balancing to get better ADSL line usage (local routes)
* VPN traffic goes out over an IPSec tunnel
* Other traffic gets routed via another ADSL link (International traffic)
Most of the above can be done using routing tables (except for the load
balancing?), but having to maintain both the pf rules and the routing
tables is undesirable, especially since my setup changes quite often.
This is what I've managed so far:
1 - The default route (set to IP of lo1) loops traffic back to the
router. Without pf routing, that traffic loops until the TTL is
exceeded, as expected. But when I try to route it on the incoming
traffic of the loopback (pass in on lo1 route-to ...), the packets go
nowhere and I can't figure out what's happening with tcpdump.
2 - The above setup results in the packets looping back via lo0, despite
setting the default route to lo1. This happens even when I configure lo1
on a unique subnet. When I configure the route via the loopback IP
first, and then use "route change" to set the interface to lo1
explicitly on the default route, I get messages along the line of
"address family not supported by the protocol family" whenever packets
are routed to the loopback. This happens even after I make sure to
assign both IPv4 and IPv6 addresses to lo1.
From the above it seems I'm very close to a solution, but it just
doesn't want to work...
On 2010-01-26 13:07, Frank Behrens wrote:
> Stefan <stefanferreira at gmail.com> wrote on 26 Jan 2010 12:02:
>
>> I've googled this one to bits and pulled out quite a lot of hair:
>> Basically I need a way to route, using "route-to" filter rules, the
>> traffic originating on the freebsd router itself. The problem with doing
>> this is that pf only sees the packets on their way out, when an outbound
>> interface has already been chosen by the routing tables. Therefore pf's
>> route-to rules have no effect on locally originating traffic.
>>
> I had always some trouble with this approach. I used rules like
>
> nat inet from any to xxx port yyy tag IF2 -> $myaddr
> pass out quick on $iface from $myaddr to any tag IF2
> pass out quick on $defaultinterface route-to ($iface $hisaddr) tagged IF2
>
>
> Now I'm using an associated FIB (setfib(8)) for desired processes and it works very well
> without any trouble. Routed traffic is also assigned to the fib with pf's "rtable" option.
>
> Frank
>
>
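The two approaches Frank describes, written up as an added pf.conf example for this thread (it is not Frank's or Stefan's own configuration); interface names, gateway addresses, the <localranges> table file and the FIB 1 default route are assumptions:

```pf
# Added example, not from the thread.  Interface names, addresses and the
# <localranges> table are placeholders standing in for Stefan's setup.
int_if   = "em0"
adsl1    = "re0"            # local links, load balanced
adsl2    = "re1"
intl_if  = "re2"            # international link; holds the kernel default route
adsl1_gw = "192.0.2.1"
adsl2_gw = "198.51.100.1"
self_local = "192.0.2.10"   # router's own address on the load-balanced links

table <localranges> persist file "/etc/pf/localranges"   # the ~600 ranges (assumed path)

# Frank's tag trick for router-originated packets: the routing table has
# already picked $intl_if, but nat runs before filtering, so it can rewrite
# the source address and attach a tag.  The route-to rule then moves the
# packet onto a local link, and the final rule accepts it when pf filters it
# a second time on the interface it was routed to.
nat on $intl_if inet from ($intl_if) to <localranges> tag LOCAL -> $self_local
pass out quick on $intl_if route-to { ($adsl1 $adsl1_gw), ($adsl2 $adsl2_gw) } \
    round-robin tagged LOCAL
pass out quick on { $adsl1, $adsl2 } from $self_local tagged LOCAL

# Forwarded LAN traffic does not have the problem: route-to on the inbound
# interface is applied before any routing decision, so the routing table
# needs no entries for these ranges.
pass in quick on $int_if route-to { ($adsl1 $adsl1_gw), ($adsl2 $adsl2_gw) } \
    round-robin from any to <localranges>

# Frank's second approach: a separate FIB.  Assumes net.fibs=2 in
# /boot/loader.conf and a default route installed in FIB 1 with
# "setfib 1 route add default 192.0.2.1"; local daemons are then started
# as "setfib 1 <command>", and forwarded traffic is assigned with rtable.
pass in quick on $int_if from 10.0.0.0/8 to any rtable 1
```

Both pieces can coexist: rtable moves forwarded flows to FIB 1, while the nat/tag rules remain the only way pf itself redirects packets the router originates.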