
List:       freebsd-pf
Subject:    Re: route-to rule.
From:       "Stephane Raimbault" <segr () hotmail ! com>
Date:       2005-01-27 18:25:32
Message-ID: BAY24-F23B5EDFAA04BD9C64A5FC1CC780 () phx ! gbl

Okay, with the syntax cleaned up this is what I have:

set state-policy if-bound

int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1="<ISP#1 Gateway IP>"
ext_if2="rl2"
ext_gw2="<ISP#2 Gateway IP>"
vpn_if="tun0"
vpn_gw="172.16.0.1"

isp1 = "(" $ext_if1 $ext_gw1 ")"
isp2 = "(" $ext_if2 $ext_gw2 ")"
vpn = "(" $vpn_if $vpn_gw ")"

server1_int="10.1.0.20"
server1_out="63.252.160.219"
server2_int="10.1.0.21"
server2_out="63.252.160.222"
server3_int="10.1.0.22"
server3_out="63.252.160.221"
server4_int="10.1.0.23"
server4_out="63.252.160.220"

nat on $ext_if1 from $int_net to any -> ($ext_if1:0)
nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
binat on $ext_if1 from $server1_int to any -> $server1_out
binat on $ext_if1 from $server2_int to any -> $server2_out
binat on $ext_if1 from $server3_int to any -> $server3_out
binat on $ext_if1 from $server4_int to any -> $server4_out

pass in quick on $int_if inet from $int_net to $int_net keep state
pass out quick on $int_if inet from $int_net to $int_net keep state

pass in on $ext_if1 tag $ext_if1 keep state
pass out on $ext_if1 route-to $ext_if1 keep state
pass out quick on $int_if reply-to $ext_if1 tagged $ext_if1 keep state

pass in on $ext_if2 tag $ext_if2 keep state
pass out on $ext_if2 route-to $ext_if2 keep state
pass out quick on $int_if reply-to $ext_if2 tagged $ext_if2 keep state

pass in on $vpn_if tag $vpn_if keep state
pass out on $vpn_if route-to $vpn_if keep state
pass out quick on $vpn_if reply-to $vpn_if tagged $vpn_if keep state

pass in quick on $int_if route-to $isp1 from \
    {$server1_int,$server2_int,$server3_int,$server4_int} to {!10.0.0.0/26, !$int_net} keep state
pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep state
pass in on $int_if route-to $isp2 from $int_net to {!10.0.0.0/26, !$int_net} keep state


I tried this out and it was not a success.  It seemed like nothing could 
get anywhere.  $int_net wasn't able to access the internet nor the subnets 
on the other side of the VPN.  The binat'd servers were inaccessible from the 
internet... and I got ARP errors in /var/log/messages about a bunch of 
ARPs not being on the local network... I got a stream of these types of 
messages:

Jan 27 12:12:02 router1 kernel: arplookup 69.57.244.70 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 69.57.244.70
Jan 27 12:12:02 router1 kernel: arplookup 12.24.195.78 failed: host is not on local network
Jan 27 12:12:02 router1 kernel: arpresolve: can't allocate llinfo for 12.24.195.78


So, we aren't quite there yet.  Could I more simply change my default route 
to ISP #2, and set up some sort of route-to statements specifically for the 
binats instead?  Then I would also need to set up a rule for the OpenVPN to 
go over ISP #1 instead of ISP #2.

Any suggestions... as always much appreciated.

Thanks,
Stephane.
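The layout proposed above (default route via ISP #2, route-to only for the binat'd servers and the VPN), written out as an added pf.conf example that is not from the thread; the ISP #1 gateway and OpenVPN peer are placeholders, and the tunnel is assumed to use OpenVPN's default UDP port 1194.

```pf
# Added example: default route points at ISP #2 (rl2); route-to is used only
# for the binat'd servers and for the router's own OpenVPN traffic.
set state-policy if-bound

int_if="rl0"
int_net="10.1.0.0/24"
ext_if1="rl1"
ext_gw1="<ISP#1 Gateway IP>"
ext_if2="rl2"
vpn_if="tun0"
vpn_gw="172.16.0.1"
vpn_net="10.0.0.0/26"
vpn_peer="<OpenVPN peer IP>"    # placeholder: remote tunnel endpoint
vpn_port="1194"                 # assumed: OpenVPN default port
servers="{ 10.1.0.20, 10.1.0.21, 10.1.0.22, 10.1.0.23 }"

# route-to/reply-to want "(interface gateway)".  Given only an interface
# (route-to $ext_if1) pf sends the packet straight out that interface and
# the kernel ARPs for the remote destination itself, which is what the
# "arplookup ... failed: host is not on local network" messages report.
isp1="($ext_if1 $ext_gw1)"
vpn="($vpn_if $vpn_gw)"

# A negated list like { !10.0.0.0/26, !$int_net } expands into two rules,
# "to !10.0.0.0/26" and "to !$int_net", which between them match every
# address.  Negating one table as a whole expresses "not local".
table <local_nets> const { 10.0.0.0/26, 10.1.0.0/24 }

nat on $ext_if2 from $int_net to any -> ($ext_if2:0)
binat on $ext_if1 from 10.1.0.20 to any -> 63.252.160.219
binat on $ext_if1 from 10.1.0.21 to any -> 63.252.160.222
binat on $ext_if1 from 10.1.0.22 to any -> 63.252.160.221
binat on $ext_if1 from 10.1.0.23 to any -> 63.252.160.220

pass quick on $int_if inet from $int_net to $int_net keep state
pass out on { $ext_if1, $ext_if2, $vpn_if } keep state

# Inbound connections on ISP #1 are tagged; their replies re-enter on
# $int_if and reply-to steers them back out through ISP #1's gateway.
pass in on $ext_if1 from any to $servers tag ISP1 keep state
pass out quick on $int_if reply-to $isp1 tagged ISP1 keep state

# Servers leave via ISP #1, the VPN subnet via the tunnel; all other
# traffic follows the default route.  A rule continues after a trailing "\".
pass in quick on $int_if route-to $isp1 from $servers \
    to !<local_nets> keep state
pass in quick on $int_if route-to $vpn from $int_net to $vpn_net keep state
pass in quick on $int_if from $int_net to !<local_nets> keep state

# The kernel routes the router's own OpenVPN packets to ISP #2; re-route
# them through ISP #1 as they leave.
pass out quick on $ext_if2 route-to $isp1 proto udp \
    from any to $vpn_peer port $vpn_port keep state
```

Check the expansion before loading with `pfctl -nvf /etc/pf.conf`, which prints each expanded rule and is the quickest way to spot a negated list that matches everything.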

> From: "Chris Dionissopoulos" <dionch@freemail.gr>
> Reply-To: "Chris Dionissopoulos" <dionch@freemail.gr>
> To: "Stephane Raimbault" <segr@hotmail.com>
> Subject: Re: route-to rule.
> Date: Thu, 27 Jan 2005 03:40:43 +0200
> 
> Try negating (with "!") each network in the "to" field, like:
> { !10.0.0.0/26, !$int_net }
> Also, when you break a rule across lines, you must put a backslash ("\") at the end of the line.
> 
> Chris.
> 
> 
> 
> > Hi Chris, thanks for the quick response; however, I'm still getting syntax 
> > errors on 2 of the 3 lines now:
> > 
> > pass in quick on $int_if route-to $isp1 from 
> > {$server1_int,$server2_int,$server3_int,$server4_int} to !{10.0.0.0/26, 
> > $int_net} keep state
> > pass in quick on $int_if route-to $vpn from $int_net to 10.0.0.0/26 keep 
> > state
> > pass in on $int_if route-to $isp2 from $int_net to !{10.0.0.0/26, 
> > $int_net} keep state
> > 
> > /etc/pf.conf:47: syntax error
> > /etc/pf.conf:49: syntax error
> > 
> > Where line 47 is the first one above and 49 is the last (3rd line) above.
> > 
> > Any thoughts?  I'm scratching my head bald.
> > 
> > Thanks,
> > Stephane.
> > 


