On 2013-05-21, Aaron Dewell <aaron.dew...@gmail.com> wrote:
> Hey all,
>
> I know this is slightly off-topic on this list, I'm hoping the OpenBSD answer
> will be "close enough" to the MacOS X (10.8) answer that I'll get what I need
> done. I have gotten zero replies from the Apple communities, so I'm asking
> here. That said, here's what I'm trying to accomplish.
>
> This server has 5 VLAN tagged interfaces (already set up and reachable).
> First one holds the default route (used for administration).
> Ostinato (traffic generator) is installed.
> The other 4 VLAN interfaces are to be used for traffic generation/receiving.
>
> What I want is for traffic sourced (via Ostinato) from a particular IP
> address to be sent via its own VLAN interface to its own router. I have
> accomplished this on Linux (the far end of this test) using:
>
> ip route add default via <gateway-X> dev ethX table X
> ip rule add from <network-X> table X priority X
>
> Research online suggests that this used to work before ipfw was deprecated:
>
> ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
>
> (I did try this, and nothing actually happened.)
>
> Further searching led me to this as the possible OpenBSD answer:
>
> route -T X add 0.0.0.0/0 -iface <gateway-X>
> echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
>
> However, this particular version of the OS does not support the -T option to
> route, so I presume that multiple tables are not supported. However, that
> step may be not needed.
>
> Reading the pfctl man page made my brain hurt. :-) It seems a very
> functional utility and able to do many, many things, but it's so far away
> from things I have used in the past (mostly Linux) that the learning curve
> seems steep.
>
> I'm thinking maybe the extra routing table is not strictly necessary in this
> application, and that pfctl (which in this case is directly from OpenBSD)
> might be able to do exactly what I want it to do by itself. To that end, I'm
> hoping someone could give me some hints on the syntax I need to feed it to
> make this work.
>
> Thanks in advance! I appreciate any and all suggestions.
>
> Aaron
>
For states created by outgoing traffic, you're looking for "route-to". You may also need "reply-to" if you have incoming traffic to that address where replies should also be forced via that path. e.g.

pass in from <network-X> route-to 10.1.1.1@vlan9

OpenBSD doesn't have the "pfctl -m" syntax you mention, but looking at Apple's manpage I don't think it does what you expect. It looks like it is meant for merging "set" options, but it doesn't say what effect it has on the ruleset; for all I can tell it might well replace the whole ruleset with the single rule you're piping to it. Probably better to write the ruleset in a pf.conf file and load that.

Unlike ipfw, PF normally treats the whole ruleset as a unit and switches to a new ruleset atomically; if you want something other than this (e.g. on-the-fly replacing of certain rules under script control) you would normally use an "anchor" so that other rules can be left alone.
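As an added illustration of the reply above (this is an example ruleset written for this page, not Aaron's configuration or anything from the thread), here is a pf.conf that policy-routes locally generated traffic by source network with "route-to", forces replies to inbound traffic back through the same router with "reply-to", leaves the management VLAN on the normal default route, and keeps the rules that a script may want to swap inside an anchor. Interface names (vlan1..vlan5), networks and gateway addresses are placeholders drawn from the RFC 5737 documentation ranges, not real values. The rules use the "address@interface" form the reply shows; older pf releases, including the one derived from an earlier OpenBSD that ships with OS X, spell the same thing as "route-to (vlan2 192.0.2.1)", so adjust to whichever form your pfctl accepts.

```pf
# Example pf.conf for per-source-network policy routing (added example,
# not from the original thread). All names and addresses are placeholders.

# vlan1 holds the default route and is used for administration only.
mgmt_if = "vlan1"

# One generator VLAN per test path: local network and its next-hop router.
vlan2_net = "192.0.2.0/24"
vlan2_gw  = "192.0.2.1"
vlan3_net = "198.51.100.0/24"
vlan3_gw  = "198.51.100.1"
vlan4_net = "203.0.113.0/25"
vlan4_gw  = "203.0.113.1"
vlan5_net = "203.0.113.128/25"
vlan5_gw  = "203.0.113.129"

set skip on lo0

# Management traffic follows the kernel routing table as usual.
pass on $mgmt_if

# Locally generated packets (e.g. from Ostinato) sourced from a test
# network leave through that network's own VLAN and router, even though
# the default route points at $mgmt_if. "route-to" is evaluated on the
# outbound pass, so the direction is "out".
pass out from $vlan2_net route-to $vlan2_gw@vlan2
pass out from $vlan3_net route-to $vlan3_gw@vlan3
pass out from $vlan4_net route-to $vlan4_gw@vlan4
pass out from $vlan5_net route-to $vlan5_gw@vlan5

# For traffic that arrives on a test VLAN, "reply-to" sends the replies
# belonging to that state back through the router it came in from rather
# than via the default route.
pass in on vlan2 reply-to $vlan2_gw@vlan2
pass in on vlan3 reply-to $vlan3_gw@vlan3
pass in on vlan4 reply-to $vlan4_gw@vlan4
pass in on vlan5 reply-to $vlan5_gw@vlan5

# Rules that a test script will replace on the fly live in their own
# anchor, so reloading them does not touch the rules above:
#   pfctl -a ostinato -f /etc/pf.ostinato.conf   # replace only the anchor
#   pfctl -a ostinato -F rules                   # flush only the anchor
anchor "ostinato"
```

Before loading, run `pfctl -nf /etc/pf.conf` to parse the file without applying it; a syntax error there (for instance the "@" form on a pf too old to accept it) is reported without replacing the ruleset. `pfctl -f /etc/pf.conf` then swaps the whole ruleset in atomically, and `pfctl -sr` shows what is actually loaded so you can confirm the route-to rules are present before starting the generator.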