Vlad GALU wrote:
On 3/20/08, Stefan Lambrev <[EMAIL PROTECTED]> wrote:
Greetings,
 Wesley wrote:
 >  Dear people,
 >
 > I have 2 links on a box, and I don't want to load balance them, but only to
 > reply to requests on the same interface they came in on.
 >
 > I tried to use route-to, but it does not seem to work.
 >
 > Could you please give me some help?
 >

I do not see where you use "reply-to" in your configuration.

 But here is a working example which you can improve, of course.

 #dual home
 # reply-to on the inbound rule sends the replies back through the gateway of
 # the interface the request arrived on; route-to catches locally generated
 # traffic that the routing table would otherwise send out the wrong link.
 pass in on $ext_if1 reply-to ($ext_if1 $gw1) from any to $external_addr1 keep state
 pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
 pass in on $ext_if2 reply-to ($ext_if2 $gw2) from any to $external_addr2 keep state
 # the gateway paired with $ext_if2 is $gw2, not $gw1
 pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any

 #dual home ssh only
 pass out on $ext_if2 route-to ($ext_if1 $gw1) from $external_addr1 to any
 pass out on $ext_if1 route-to ($ext_if2 $gw2) from $external_addr2 to any
 pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp from any to $external_addr1 port 22 keep state
 pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp from any to $external_addr2 port 22 keep state


Don't mind me asking, but isn't your example working due to your
route-to rules? I, as well as Wesley, assumed that reply-to should've
been enough to reach the goal.

It's working because of the reply-to rules - incoming packets do not match the "pass out route-to" rules. The "pass out" rules are needed if the packet(s) are generated locally and do not match the "pass in" rules.

You forget that the first rule to match wins, and keep state (which is on by default in 7.0)
will make replies match the state, not the pass out rules.
It's my configuration:
 >
 > set skip on lo0
 > scrub on xl0 reassemble tcp no-df random-id
 > scrub on xl1 reassemble tcp no-df random-id
 > scrub on dc0 reassemble tcp no-df random-id
 > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
 > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
 > antispoof quick for {xl0,dc0,xl1}
 > block proto tcp from 172.16.0.0/24 to any port 3128
 > # Internal Traffic
 > pass in quick on dc0 from any to any
 > pass out quick on dc0 from any to any
 > # Outgoing
 > pass out on xl0 proto tcp all flags S/SA modulate state
 > pass out on xl0 proto { udp, icmp } all keep state
 > pass out on xl1 proto tcp all flags S/SA modulate state
 > pass out on xl1 proto { udp, icmp } all keep state
 > # Pass basic services
 > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
 > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
 > pass in on xl0 proto udp from any to any port 53
 > pass in on xl1 proto udp from any to any port 53
 > # Pass VPN
 > pass in quick on xl1 proto udp from any to port 1194 keep state
 > pass quick on tun0
 > # Source nat route
 > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
 > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
 > # Close
 > block return-rst in log quick on xl0 inet proto tcp from any to any
 > block return-rst in log quick on xl1 inet proto tcp from any to any
 > block return-icmp in log quick on xl0 proto udp from any to any
 > block return-icmp in log quick on xl1 proto udp from any to any
 > block in quick on xl0 all
 > block in quick on xl1 all
 >
 > Best Regards,
 >
 > Wesley Gentine
 > _______________________________________________
 > freebsd-net@freebsd.org mailing list
 > http://lists.freebsd.org/mailman/listinfo/freebsd-net
 > To unsubscribe, send any mail to "[EMAIL PROTECTED]"
 >


--

 Best Wishes,
 Stefan Lambrev
 ICQ# 24134177



--

Best Wishes,
Stefan Lambrev
ICQ# 24134177
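Applying the reply-to pattern from Stefan's example to the interfaces, gateways and service ports quoted from Wesley's ruleset, as an added example that is not part of the thread (the macro names are assumed; the interface/gateway pairs are taken from Wesley's route-to rules):

```pf
# Added example, not from the thread. Gateways come from the route-to rules
# quoted above (xl0 -> 201.83.16.1, xl1 -> 200.232.164.1); macro names assumed.
ext_if1 = "xl0"
gw1 = "201.83.16.1"
ext_if2 = "xl1"
gw2 = "200.232.164.1"
services = "{ 22, 21, 1194 }"

# The first matching rule wins and "quick" ends evaluation there, so reply-to
# has to sit on the rule that creates the state. A later "pass out route-to"
# rule never sees the reply packets: they already match the state entry and
# are sent to the gateway recorded by reply-to.
pass in quick on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to ($ext_if1) port $services flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to ($ext_if2) port $services flags S/SA keep state

# Locally generated traffic has no inbound state, so a packet sourced from
# one link's address but routed out the other link still needs route-to.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any keep state
```

Inbound rules without reply-to (as in the quoted ruleset) create state whose replies follow the default route, which is why only one of the two links answers correctly.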