route-to not working
2008-03-19 08:11:20
Dear people,

I have 2 links on a box, and I don't want to load balance them, but only to
reply to requests on the same interface they come in on.

I tried to use route-to, but it does not seem to work.

Could you please give me some help?

Here is my configuration:

set skip on lo0
scrub on xl0 reassemble tcp no-df random-id
scrub on xl1 reassemble tcp no-df random-id
scrub on dc0 reassemble tcp no-df random-id
nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
antispoof quick for {xl0,dc0,xl1}
block proto tcp from 172.16.0.0/24 to any port 3128
# Internal Traffic
pass in quick on dc0 from any to any
pass out quick on dc0 from any to any
# Outgoing
pass out on xl0 proto tcp all flags S/SA modulate state
pass out on xl0 proto { udp, icmp } all keep state
pass out on xl1 proto tcp all flags S/SA modulate state
pass out on xl1 proto { udp, icmp } all keep state
# Pass basic services
pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
pass in on xl0 proto udp from any to any port 53
pass in on xl1 proto udp from any to any port 53
# Pass VPN
pass in quick on xl1 proto udp from any to port 1194 keep state
pass quick on tun0
# Source nat route
pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
# Close
block return-rst in log quick on xl0 inet proto tcp from any to any
block return-rst in log quick on xl1 inet proto tcp from any to any
block return-icmp in log quick on xl0 proto udp from any to any
block return-icmp in log quick on xl1 proto udp from any to any
block in quick on xl0 all
block in quick on xl1 all

Best Regards,

Wesley Gentine
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: route-to not working
2008-03-20 14:46:40
--- Wesley <wcglist@gmail.com> wrote:

> Dear people,
> 
> I have 2 links on a box, and I don't want to load balance them, but only to
> reply to requests on the same interface they come in on.
> 
> I tried to use route-to, but it does not seem to work.
> 
> Could you please give me some help?
> 
Looking at your config, most of your traffic is blocked, since pf (if I
remember correctly) works on last rule matching, except for "quick".
You might want to read the FAQs again at
http://www.openbsd.org/faq/pf/index.html

It has some good examples with detailed explanations of each part
of the pf configuration.  As for replying out the external interface,
you can use something like this:

pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) proto tcp from any to any port { 22, 21, 1194 } keep state

However, I remember reading somewhere that reply-to is broken on
FreeBSD, and I couldn't get reply-to to work properly on my box.
Someone please correct me on this if I'm wrong.

BTW, route-to is not only used for outbound load balancing.  You can
use it to route certain destinations via certain interfaces without
having to mess around with the routing table ;)

Regards,
Tommy

> Here is my configuration:
> 
> set skip on lo0
> scrub on xl0 reassemble tcp no-df random-id
> scrub on xl1 reassemble tcp no-df random-id
> scrub on dc0 reassemble tcp no-df random-id
> nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> antispoof quick for {xl0,dc0,xl1}
> block proto tcp from 172.16.0.0/24 to any port 3128
> # Internal Traffic
> pass in quick on dc0 from any to any
> pass out quick on dc0 from any to any
> # Outgoing
> pass out on xl0 proto tcp all flags S/SA modulate state
> pass out on xl0 proto { udp, icmp } all keep state
> pass out on xl1 proto tcp all flags S/SA modulate state
> pass out on xl1 proto { udp, icmp } all keep state
> # Pass basic services
> pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> pass in on xl0 proto udp from any to any port 53
> pass in on xl1 proto udp from any to any port 53
> # Pass VPN
> pass in quick on xl1 proto udp from any to port 1194 keep state
> pass quick on tun0
> # Source nat route
> pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> # Close
> block return-rst in log quick on xl0 inet proto tcp from any to any
> block return-rst in log quick on xl1 inet proto tcp from any to any
> block return-icmp in log quick on xl0 proto udp from any to any
> block return-icmp in log quick on xl1 proto udp from any to any
> block in quick on xl0 all
> block in quick on xl1 all
> 
> Best Regards,
> 
> Wesley Gentine

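The following is an added example, not code from the thread, that models the evaluation order Tommy describes (last matching rule wins unless a matching rule is "quick") and runs it over the inbound xl0/xl1 rules from Wesley's post, with abbreviated rule texts. The "fixed" variant, which marks the DNS rules quick, is my own suggestion and not from the thread.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    iface: Optional[str] = None             # None matches any interface
    proto: Optional[FrozenSet[str]] = None  # None matches any protocol
    dport: Optional[FrozenSet[int]] = None  # None matches any destination port
    quick: bool = False                     # stop evaluating on a match
    text: str = ""                          # the pf.conf line being modelled

def matches(rule: Rule, iface: str, proto: str, dport: int) -> bool:
    return ((rule.iface is None or rule.iface == iface)
            and (rule.proto is None or proto in rule.proto)
            and (rule.dport is None or dport in rule.dport))

def evaluate(rules, iface: str, proto: str, dport: int) -> Rule:
    """pf semantics: walk the ruleset top to bottom; the last matching rule
    decides, except that a matching 'quick' rule decides immediately."""
    winner = Rule("pass", text="(no rule matched: pf's implicit default pass)")
    for rule in rules:
        if matches(rule, iface, proto, dport):
            winner = rule
            if rule.quick:
                break
    return winner

TCP, UDP, SVC, DNS = frozenset({"tcp"}), frozenset({"udp"}), frozenset({22, 21, 1194}), frozenset({53})
# The inbound rules on xl0/xl1 from the original post, in their original order (texts abbreviated).
INBOUND = [
    Rule("pass", "xl1", TCP, SVC, True, "pass in quick on xl1 proto tcp ... port { 22, 21, 1194 }"),
    Rule("pass", "xl0", TCP, SVC, True, "pass in quick on xl0 proto tcp ... port { 22, 21, 1194 }"),
    Rule("pass", "xl0", UDP, DNS, False, "pass in on xl0 proto udp ... port 53"),
    Rule("pass", "xl1", UDP, DNS, False, "pass in on xl1 proto udp ... port 53"),
    Rule("pass", "xl1", UDP, frozenset({1194}), True, "pass in quick on xl1 proto udp ... port 1194"),
    Rule("block", "xl0", TCP, None, True, "block return-rst in log quick on xl0 inet proto tcp"),
    Rule("block", "xl1", TCP, None, True, "block return-rst in log quick on xl1 inet proto tcp"),
    Rule("block", "xl0", UDP, None, True, "block return-icmp in log quick on xl0 proto udp"),
    Rule("block", "xl1", UDP, None, True, "block return-icmp in log quick on xl1 proto udp"),
    Rule("block", "xl0", None, None, True, "block in quick on xl0 all"),
    Rule("block", "xl1", None, None, True, "block in quick on xl1 all"),
]
# Hypothetical repair (my suggestion, not from the thread): make the DNS rules
# 'quick' so the later quick block can no longer override them.
INBOUND_FIXED = [replace(r, quick=True) if r.dport == DNS else r for r in INBOUND]

if __name__ == "__main__":
    for pkt in (("xl0", "udp", 53), ("xl1", "tcp", 22), ("xl0", "tcp", 80)):
        print(pkt, "->", evaluate(INBOUND, *pkt).text)
```

Inbound DNS on xl0 matches the non-quick pass rule first, but the later "block return-icmp ... quick on xl0 proto udp" also matches and, being quick, wins; the same rules with quick on the DNS pass lines let it through.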

RE: route-to not working
2008-03-20 18:16:17
Hi Wesley

Here are the rules I use for that purpose on my server (I'm still in the
middle of setting it up).
It works best on incoming connections; I just need to include the outgoing
ones to balance, and figure out ftp.

I noticed one thing that I can't explain myself: if I use a macro for
the external IP instead of having the actual outside interface IP addresses
in the "pass in" rules, the whole thing blows up and stops working.

example:
inet proto tcp from any to 192.168.254.10   is good
inet proto tcp from any to $ ext_if1_IP     is bad and not working

here is my config:

	ext_if1="rl0"
	ext_if2="rl1"
	ext_if1_IP="192.168.1.10"
	ext_if2_IP="192.168.254.10"

	ext_gw1="192.168.1.254"
	ext_gw2="192.168.254.254"
	public_services = "{ 80, 443, 873, 1701, 1721, 1723 }"

	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
		inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state

	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
		inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state

	pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
		inet proto udp from any to 192.168.1.10 port $public_services keep state

	pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
		inet proto udp from any to 192.168.254.10 port $public_services keep state



