On Tue, Oct 29, 2002 at 06:01:05PM -0300, Helio Alexandre Lopes Loureiro wrote:
>                   xl0:192.168.0.254/24
>                            |
>                         +----+
>  gw=2.2.8.1/26  xl3=2.2.8.20/26 |    | xl2=2.1.7.56/26  gw=2.1.7.1/26
>  <----------------------------------| FW |------------------------------>
>                         |    |
>                         +----+
>                            |
>                    xl1=2.2.8.65/26
>
> pass in quick on xl1 route-to xl3:200.211.81.1 from 200.211.81.26/26 to
> any keep state

The 'from ... .26/26' looks wrong, did you mean .20/26? Apart from that potential typo this rule looks fine.

> Once my interface xl1 is not working too, since it is redirecting all
> traffic to xl2, I tried this:

With pfctl -vsr you can check whether a specific rule matches any packets. If it doesn't, find out why (there would have to be a prior matching rule with quick). If it does, the packets should be routed out through xl3.

> pass in quick on xl3 route-to xl3:200.211.81.1 from 200.211.81.20/32 to
> any keep state

That doesn't make much sense; you hardly want to forward incoming packets on xl3 back out through xl3. And incoming packets on xl3 never have a source address of 200.211.81.20, probably. :)

You can either route the packets when they come in on xl1 or when they go out through xl2. xl3 would be the route-to destination in both cases.

> Using only one, or both rules, is just hanging my firewall.
> Has anyone any idea about what is wrong?

It shouldn't hang, at least I can't reproduce that with 3.2. But there have been changes in route-to since 3.1.

Daniel
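The two rule placements Daniel describes (policy-route on the way in on xl1, or on the way out on xl2, with xl3 as the route-to target either way), written out as a pf.conf fragment. This is an added example and not code from the thread: it reuses the thread's interface names and the 200.211.81.x addresses as assumptions, keeps the `iface:nexthop` route-to spelling the poster used (assumed valid on the pf release in question, since Daniel treats the first rule as fine), uses the .20/26 source that Daniel suggests in place of .26/26, and puts the pfctl check he mentions in a comment.

```pf
# Added example, not from the thread. Addresses, interface names and the
# macro below are assumptions taken from the quoted rules and diagram.
lan_src = "200.211.81.20/26"      # assumed: the source network Daniel suggests
alt_gw  = "200.211.81.1"          # assumed: next hop reachable via xl3

# Option A: decide on ingress. Packets arriving on xl1 from lan_src are sent
# out xl3 to alt_gw regardless of the kernel routing table. "quick" stops
# rule evaluation here, so no later rule can override the route-to.
pass in quick on xl1 route-to xl3:$alt_gw from $lan_src to any keep state

# Option B: decide on egress. Let the routing table pick the default link
# (xl2), then divert matching packets to xl3 as they leave. Use one of the
# two options, not both; they express the same policy at different points.
# pass out quick on xl2 route-to xl3:$alt_gw from $lan_src to any keep state

# Do not route-to xl3 for packets that arrive on xl3: their source is the
# far side of that link, not lan_src, so such a rule never matches.

# Checking which rule actually matches, per Daniel's advice:
#   pfctl -vsr
# prints each rule followed by a counter line such as
#   [ Evaluations: N  Packets: N  Bytes: N  States: N ]
# If Packets stays at 0 for the route-to rule, an earlier rule with "quick"
# is matching first; reorder or narrow that rule.
```

The `keep state` on the route-to rule matters: once a state exists, replies for that connection are matched by the state entry rather than re-evaluated against the ruleset, so the counters for the rule itself only grow on new connections.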