
List:       openbsd-pf
Subject:    route-to issues
From:       Miachel Wallis <mwallis () knightsofthegriffin ! org>
Date:       2002-08-04 22:09:36


fxp0 is 192.168.0.1 netmask 255.255.255.0 <- LAN
dc0 is 192.168.1.2 netmask 255.255.255.0 <- DSL
xl0 is 192.168.2.2 netmask 255.255.255.0 <- cable

The default route for DSL is 192.168.1.1 and the default route for
cable is 192.168.2.1, while all of the boxes on the LAN have a default
gateway of 192.168.0.1.  In this example let's assume the firewall has
a default route of 192.168.1.1 (using the DSL link by default).

--- start pf.conf ---
nat on dc0 from 192.168.0.0/24 to any -> 192.168.1.2
nat on xl0 from 192.168.0.0/24 to any -> 192.168.2.2

pass out quick on fxp0 from 192.168.0.1 to 192.168.0.0/24
pass out quick on dc0 from 192.168.1.2 to any keep state
pass out quick on xl0 from 192.168.2.2 to any keep state

pass in quick on fxp0 inet proto udp from 192.168.0.0/24 to any port = 53 keep state
pass in quick on fxp0 inet proto tcp from 192.168.0.0/24 to any port = 110 keep state

# only one of the following rules is active at once, numbered for
# reference below
1) pass in quick on fxp0 route-to xl0:192.168.2.1 inet proto tcp from 192.168.0.0/24 to any port = 80 keep state
2) pass in quick on fxp0 route-to xl0 inet proto tcp from 192.168.0.0/24 to any port = 80 keep state
3) pass in quick on fxp0 route-to 192.168.2.1 inet proto tcp from 192.168.0.0/24 to any port = 80 keep state

block in log all
block out log all
--- end pf.conf ---

With the following in place I would expect all DNS and POP3 traffic to
use the DSL line and all HTTP to use the cable one.  This isn't what
is happening though.  No traffic goes out over the xl0 interface and
nothing is logged via pflog0; the traffic also doesn't go out using
the default DSL.  I don't know what is happening, but checking pfctl the
packets are hitting the re-route rules and being processed (into
/dev/null or something, it seems).  All three examples give the same
results (except that with rule 1, if you use pfctl to list the rules,
garbage is displayed: binary data, along with the rest of the rule).
I wouldn't expect rule 2 to work since it still wouldn't know the next
hop for the packets to get outside the LAN, but I was trying anything.
Do I just not understand the use of route-to, or is something else the
matter with this example?  If you delete the "route-to" section
everything works just right (like one would expect, with all traffic
using the DSL link).  I searched the net and found another thread with
this same issue, but at the time packets weren't being passed through
NAT more than once, so packets were going out the proper interface but
with the wrong address.  Since then I believe that issue has been
resolved, but I'm not even getting that far.  It would be greatly
appreciated if someone could share some insight on this matter.
Thanks in advance...

Mike
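Editor's added example (not part of Mike's post and not pf's own code): a small Python model of the setup above that decides, per flow, which interface a LAN packet leaves on, which next hop it is handed to, and which source address NAT gives it. The interface table, the LAN prefix and the "nat_follows_route_to" switch are constructed for the model; the switch reproduces the older "right interface, wrong address" outcome the post mentions, and a route-to entry with no next hop shows why an off-link destination cannot be reached that way.

```python
import ipaddress

# Constructed model of the interfaces in the post:
# interface -> (own address, attached subnet, upstream gateway or None)
IFACES = {
    "fxp0": ("192.168.0.1", "192.168.0.0/24", None),           # LAN
    "dc0":  ("192.168.1.2", "192.168.1.0/24", "192.168.1.1"),  # DSL
    "xl0":  ("192.168.2.2", "192.168.2.0/24", "192.168.2.1"),  # cable
}
LAN = ipaddress.ip_network("192.168.0.0/24")
DEFAULT_IFACE = "dc0"            # firewall's default route uses the DSL link
NAT_IFACES = {"dc0", "xl0"}      # "nat on dc0/xl0 from 192.168.0.0/24 -> <if addr>"


def egress(src, dst, dport, route_to, nat_follows_route_to=True):
    """Decide where a LAN packet leaves and with which source address.

    route_to maps a destination port to (interface, next hop or None), one
    entry per route-to rule.  Returns (iface, next_hop, translated_src), or
    None when the model has no usable next hop for the packet.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport in route_to:
        iface, gw = route_to[dport]          # route-to overrides the routing table
    else:
        iface, gw = DEFAULT_IFACE, IFACES[DEFAULT_IFACE][2]
    addr, subnet, _ = IFACES[iface]
    if dst in ipaddress.ip_network(subnet):
        next_hop = dst                       # directly attached: hand it to dst itself
    elif gw is not None:
        next_hop = ipaddress.ip_address(gw)  # off-link: hand it to the named gateway
    else:
        return None                          # off-link and no gateway: undeliverable
    # NAT has to be evaluated on the interface the packet really leaves.  The
    # older failure the post recalls is NAT bound to the routing-table
    # interface instead, so the packet leaves xl0 carrying dc0's address.
    nat_iface = iface if nat_follows_route_to else DEFAULT_IFACE
    tsrc = IFACES[nat_iface][0] if nat_iface in NAT_IFACES and src in LAN else str(src)
    return iface, str(next_hop), tsrc
```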



