Problem with route-to option

Alexandr Krivulya a.krivulya at compenta.com.ua
Wed Nov 28 10:20:26 UTC 2012


25.11.2012 14:20, Shaymardanov Rushan wrote:
> Hello. I have a problem using pf in FreeBSD 9.0.
> I'm using a FreeBSD box as a gateway and I have 2 ISPs. I'd like to route some
> clients via the second provider and I'm using pf's route-to function for it:
>
> ( ... )
> nat on ng0 inet from 172.18.100.254 to any -> xx.xx.xx.157
> (...)
> pass in route-to (ng0 10.0.0.1) inet  from 172.18.100.254 to any tag SUBS
> (...)
>
> Packets are routed correctly (via ng0), and nat works well, but IP checksum
> is bad and I don't receive any response:
>
> gw# tcpdump -i ng0 -s 0 -v -n icmp
> tcpdump: listening on ng0, link-type NULL (BSD loopback), capture size
> 65535 bytes
> 18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9390 (->9093)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 171, length 40
> 18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9290 (->9092)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 172, length 40
> 18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9190 (->9091)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 173, length 40
>
> Without route-to (if for example I change routing table for particular
> destination address), checksums are good and traffic passes correctly.
>
>
> Rushan Shaymardanov
>

Hello! I have exactly the same issue with pf-nat and outgoing traffic from
ng-interfaces. With ipfw nat there is no problem. The problem exists on
9.0, 9.1-RC3 and stable.
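
Added example, not part of the original posts: a small Python check that parses the `bad cksum` lines from the tcpdump output quoted above and reports how each transmitted IP header checksum relates to the value tcpdump computed. The function names are this example's own; the sample lines are the thread's, re-joined where the mail wrapped them.

```python
import re

# tcpdump -v prints "bad cksum <seen> (-><expected>)!" for a bad IPv4 header checksum.
BAD_CKSUM = re.compile(r"bad cksum ([0-9a-f]{1,4}) \(->([0-9a-f]{1,4})\)!")

# Header lines from the capture quoted in the thread (mail line wraps re-joined).
SAMPLE = """\
18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9390 (->9093)!)
18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9290 (->9092)!)
18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9190 (->9091)!)
"""


def swap16(value):
    """Exchange the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify(seen, expected):
    """Relate the checksum on the wire to the one tcpdump computed."""
    if seen == expected:
        return "ok"
    if seen == swap16(expected):
        return "byte-swapped"
    return "other"


def analyze(capture_text):
    """Return (seen, expected, verdict) for every 'bad cksum' line."""
    results = []
    for line in capture_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line)  # drop mail quote markers, if any
        match = BAD_CKSUM.search(line)
        if match:
            seen, expected = (int(group, 16) for group in match.groups())
            results.append((seen, expected, classify(seen, expected)))
    return results


if __name__ == "__main__":
    for seen, expected, verdict in analyze(SAMPLE):
        print(f"seen=0x{seen:04x} expected=0x{expected:04x} -> {verdict}")
```

On the three quoted packets every transmitted value is the expected checksum with its two bytes exchanged; the check reports that pattern only and does not identify its cause.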


