On Tue, 2 Feb 2010 12:54, stefanferreira@ wrote:
Hi
In my quest to route traffic originating on the freebsd machine, I've managed
to loop back outbound traffic via lo0 so that I can try and route it inbound
on lo0 (pf can't apply route-to logic to outbound traffic; by then it's too
late to try and route it over a different interface).
The loopback works when I switch off skip on lo0, and pass all lo0 traffic,
so that traffic is definitely processed by pf. I also know the looping works,
because when I try to ping an outside IP, I get a response that the TTL has
been exceeded, and traceroute shows repeating entries of 127.0.0.1 (in other
words, the packets just loop back through the pf box repeatedly till their
TTL is exceeded).
The problem is the moment I change my rule to try and route the inbound
traffic on lo0, the packets just seem to go nowhere. They are not routed
correctly and I can't tell what happens to them. In the ruleset below,
enabling the second rule results in the packets looping back to the pf box
repeatedly, and the first rule results in the packets "disappearing". The
only difference is the route-to statement, which works for all traffic
originating elsewhere on the lan.
#pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
#pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
pass out quick all $KEEPSTATE tagged zSA_Local
pass quick on lo0
Please help! I really need to route traffic originating on the pf box via pf,
and not via rtables!
Have you tried implementing "binat" and possibly making use of rdr while
using some tables to hold your addresses and subnets?
# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
binat on $ext_if from 10.1.2.150 to any -> $ext_ifA
you could change that to:
binat on $ext_if from <binathosts> to any -> $ext_ifA
Looping traffic that is originating internally back around to a loopback
interface is not going to solve this, and it will cause you a lot more
frustration.
Best of luck.
--
jhell
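As an added illustration (not part of either poster's message or of the FreeBSD project), the fragment below puts the two pieces discussed in this thread into one pf.conf in the translation-rules-first syntax FreeBSD's pf used at the time: a one-to-one binat for a single internal host, as in jhell's first example, and the route-to rule on the inside interface that the original poster says already works for LAN-originated traffic, with the LAN addresses kept in a table. Interface names, addresses, the gateway and the table contents are all assumed values.

```pf
# Added example (not from the thread): pf.conf fragment for FreeBSD pf
# in the old syntax where nat/binat/rdr rules must precede filter rules.
# All names and addresses below are assumed for illustration.
ext_if   = "adsl-int0"             # assumed ADSL-facing interface
lan_if   = "em0"                   # assumed LAN interface
ext_ifA  = "196.210.140.130"       # assumed public address used for binat
adsl_gw  = "196.210.140.129"       # assumed ISP next hop (from the poster's rule)

# Tables hold the address ranges so the filter rules stay short and can be
# updated with pfctl -t ... -T add/delete without reloading the ruleset.
table <lan_nets>  { 192.168.1.0/24, 192.168.2.0/24 }   # assumed LAN subnets
table <mail_host> { 192.168.1.10 }                      # assumed host behind binat

# Leave the loopback interface out of filtering entirely.
set skip on lo0

# One-to-one mapping: outbound packets from 192.168.1.10 leave with source
# $ext_ifA, and inbound packets for $ext_ifA are delivered to 192.168.1.10.
# binat takes a single address here (not a table) on this pf version.
binat on $ext_if from 192.168.1.10 to any -> $ext_ifA

# Everything else on the LAN shares the interface's dynamic address.
nat on $ext_if from <lan_nets> to any -> ($ext_if)

block in log all
pass out quick all keep state

# Policy routing for traffic arriving from the LAN: send it out the ADSL
# link via the ISP gateway regardless of the default route.
pass in quick on $lan_if route-to ($ext_if $adsl_gw) \
    from <lan_nets> to ! <lan_nets> keep state

# Let the binat host be reached from outside on the mapped address.
pass in quick on $ext_if proto tcp from any to <mail_host> port 25 keep state
```

Check the fragment with pfctl -nf /etc/pf.conf before loading it; the parser rejects a table used as the source of a binat rule, which is why the binat line names the host directly while the filter rules use the tables.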
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"