PF - reply-to
Ludovit Koren
ludovit.koren at gmail.com
Wed Mar 10 18:15:29 UTC 2021
>>>>> Ultima <ultima1252 at gmail.com> writes:
> Hello Ludovit,
> I'm going to need to see pf.conf and routing table to help further.
> Feel free to obfuscate if required. It may also help if you ask the
> freebsd-net and freebsd-pf mailing list as well.
> Best regards,
> Richard Gallamore
Hi,
Please see the attached file.
Regards,
lk
> On Mon, Mar 8, 2021 at 3:36 AM Ludovit Koren <ludovit.koren at gmail.com> wrote:
>>>>>> Ultima <ultima1252 at gmail.com> writes:
>> Hey Ludovit,
>> More details would be helpful. There can be a few reasons why it is not working that I can see.
>> 1. Do you have an rdr rule to redirect to $web_addr for the pass rule?
> Yes, I have an rdr rule, but there are rules without rdr and it seems
> they are not working either.
>> 2. Rules out of order
> I do not understand. I have definitions, nat, rdr, and rules.
>> 3. Conflicting rules.
> I did not find any.
>> The best way to debug this would be logging the rules and watching where the traffic is going via tcpdump.
> I did exactly what you suggested. The block rule logged a reset packet from
> the source of the web traffic. As soon as I changed the default router,
> everything started to work with the same unchanged pf.conf.
> Regards,
> lk
>> Best regards,
>> Richard Gallamore
>> On Sun, Mar 7, 2021 at 10:58 AM Ludovit Koren <ludovit.koren at gmail.com> wrote:
>> Hi all,
>> We have 2 Internet connections coming in on the same interface. One is
>> primarily used for incoming connections and services that we provide to
>> the Internet (web, mail). The other connection is primarily used for
>> browsing (cache/proxy) and DNS. There are 2 different routers.
>> I am using FreeBSD 12.2-STABLE r369178 and PF. The question is which
>> router I should set as the default router. I suppose I can use reply-to
>> and/or route-to, respectively. If I use (default router $router2):
>> pass in on $ext_if reply-to (bge0 $router1) inet proto tcp from any to $web_addr port 443 keep state
>> it is not working. The following setup is working (default router $router1):
>> pass out on $ext_if route-to (bge0 $router2) inet proto tcp from any to any keep state
>> Is it a bug, or do I not understand the manual page correctly?
>> Thank you very much.
>> Regards,
>> lk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf.conf
Type: application/octet-stream
Size: 15058 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20210310/006f966f/attachment.obj>