Creating span interface using 'dup-to' option

David DeSimone ddesimone at verio.net
Mon Oct 12 14:29:10 UTC 2015


The man page makes it clear that "dup-to" acts just like "route-to", except that the original packet still routes the way it would have. The implication is that "dup-to" needs to determine where to route the new packet.

This means that the more useful form of this is likely to be:

    pass out on em0 dup-to ( em2 X.X.X.X ) no state

Where "X.X.X.X" is the IP of the host connected via em2 that will be receiving the duplicated packet.

The difference between using a bridge to accomplish this, vs. pf, is that pf operates at layer 3 and will not preserve the layer 2 mac headers, whereas bridge will preserve these.

Hopefully this will fit your requirements.


-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Milosz Kaniewski
Sent: Sunday, October 11, 2015 6:16 AM
To: freebsd-pf at freebsd.org
Subject: Creating span interface using 'dup-to' option

uname -a:
FreeBSD freebsd11_master.kvm 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285616:
Thu Jul 16 02:21:59 UTC 2015
root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64


+----------+        +-----------+        +----------+
|          |     em0|           |em1     |          |
|  host1   +--------+  FreeBSD  +--------+  host2   |
|          |        |           |        |          |
+----------+        +-----------+        +----------+
                          |em2
                          |
                          |
                          v

Hi,

I have a FreeBSD machine which forwards packets between host1 and host2. This
machine also has an additional interface (em2) which acts as a span interface
- all traffic between host1 and host2 is copied into it.
To achieve this scenario I can set up a bridge with em0 and em1 as members and
em2 as the span interface. But I would like to get the same result using pf
instead. So I tried to use these rules:

pass out on em0 dup-to em2 no state
pass out on em1 dup-to em2 no state

But it doesn't work. No packets appear on interface em2. I've checked the same
configuration on OpenBSD and everything worked well.
Is there any difference in setting dup-to rule in FreeBSD and OpenBSD pf?

Thanks for help.

Best regards.


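Added example (not part of either message above): a pf.conf fragment that applies David's point to Milosz's topology, i.e. host1 behind em0, host2 behind em1 and a capture host on em2. The interface names come from the thread; the collector address 192.0.2.10 is an assumed placeholder that stands in for the "X.X.X.X" in David's rule and must be replaced with the real address of the host on em2.

```pf
# Added example for the thread above, not the original poster's config.
# Topology from Milosz's mail: host1 <-> em0 [FreeBSD] em1 <-> host2, em2 = span.
# 192.0.2.10 is an assumed placeholder: the IP of the capture host attached to em2.
span_if   = "em2"
span_host = "192.0.2.10"

# Forwarded traffic leaves this box on em0 (towards host1) and on em1
# (towards host2).  Each outbound packet is copied to the collector via em2;
# the original packet is still routed exactly as before (dup-to, not route-to).
# The copies go out on em2, so they never re-match these two rules.
pass out on em0 dup-to ( $span_if $span_host ) no state
pass out on em1 dup-to ( $span_if $span_host ) no state
```

Two things to check after loading this. First, `pfctl -nf /etc/pf.conf` parses the file without applying it, which catches the missing-address form from the original post. Second, because pf rewrites only the layer 2 framing (as David notes, the MAC headers are not preserved), the copied packets arrive at the collector with their original IP source and destination, so the collector's own stack will not treat them as local traffic; watch for them with `tcpdump -ni <collector interface>` on the capture host, or `tcpdump -ni em2` on the FreeBSD box to confirm the duplicates are leaving at all.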