[Q] what is the correct way to filter by remote pf?

Zeus Panchenko zeus at ibs.dn.ua
Tue Jun 27 11:51:47 UTC 2017


greetings

please, advise

WHAT I HAVE:

            routerB <-> netX/16
               ^
               |
               V
clients <-> routerA <-> netX/24


WHAT I NEED:
to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB



HOW I THINK TO DO THAT:

=================================================================================
VARIANT I
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end   ]-------------------------------------------

---[ routerB pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block from <clients> to <netX>
...
---[ routerB pf.conf quotation end   ]-------------------------------------------


RESULTS: I see packets redirected to routerB, but there the packets are looping
         until the time to live is exceeded



=================================================================================
VARIANT II
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end   ]-------------------------------------------


---[ routerB configuration quotation start ]-------------------------------------

rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"


pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
block from <clients> to <netX24>

---[ routerB configuration quotation end   ]-------------------------------------


RESULTS: the same as for VARIANT I



=================================================================================
VARIANT III
---------------------------------------------------------------------------------

something else ...
may it relate to pfsync somehow?


-- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
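The RESULTS above describe packets bouncing between the two routers until their TTL runs out. The following added script (not from the original post) is one way to confirm such a loop from `tcpdump -n -v -i pflog1` output: it groups logged packets by 5-tuple plus IP id and flags any datagram that reappears with a strictly decreasing TTL. The log lines embedded below are constructed sample input, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -v -i pflog1` output (not real captured data):
# the same client->netX/24 SYN (same IP id 4242) is logged over and over, each
# time with a lower TTL, which is what a forwarding loop between two routers
# looks like on the pflog interface. The last line is a normal, single-pass packet.
SAMPLE_PFLOG = """\
00:00:01.000001 rule 3/0(match): pass in on em0: (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 10.1.1.5.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
00:00:01.000200 rule 4/0(match): pass in on em1: (tos 0x0, ttl 63, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 10.1.1.5.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
00:00:01.000400 rule 4/0(match): pass in on em1: (tos 0x0, ttl 61, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 10.1.1.5.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
00:00:01.000600 rule 4/0(match): pass in on em1: (tos 0x0, ttl 59, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 10.1.1.5.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 3/0(match): pass in on em0: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto UDP (17), length 61) 10.1.1.9.40000 > 192.0.2.53.53: 12345+ A? example.com. (33)
"""

# Pull TTL, IP id and the IPv4 5-tuple out of one verbose pflog line.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<id>\d+),.*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def find_looping_flows(pflog_text, min_hops=3):
    """Return {(src, sport, dst, dport, ip_id): [ttl, ...]} for datagrams logged
    at least `min_hops` times with a strictly decreasing TTL, i.e. the same
    packet re-entering the filter after every forwarding round trip."""
    seen = defaultdict(list)
    for line in pflog_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a verbose IPv4 pflog line; skip it
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["id"]))
        seen[key].append(int(m["ttl"]))
    loops = {}
    for key, ttls in seen.items():
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_hops and decreasing:
            loops[key] = ttls
    return loops


if __name__ == "__main__":
    for (src, sport, dst, dport, ip_id), ttls in find_looping_flows(SAMPLE_PFLOG).items():
        print(f"loop suspected: {src}:{sport} -> {dst}:{dport} id={ip_id} ttl trail {ttls}")
```

On a live system the same function can be fed the output of `tcpdump -n -v -i pflog1` on either router; a normal packet is logged once per interface it crosses, so only a genuinely circulating datagram builds a long decreasing TTL trail.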