On Tue, Oct 29, 2002 at 07:37:36PM -0300, Helio Alexandre Lopes Loureiro wrote:
> Oops! The first mistake. I was supposed to write "200.211.81.64/26",
> that is my network segment on xl1. I'm trying to route xl1 network by
> xl3 interface...
>
> @0 pass in quick on xl1 route-to xl3:200.211.81.1 inet from
> 200.211.81.64/26 to any keep state
> [ Evaluations: 257 Packets: 1 Bytes: 68 ]

The 'Packets: 1' counter indicates that the rule did not match your ten echo requests.

> 19:27:43.228992 200.207.129.199 > 200.211.81.20: icmp: echo request (DF)

When 200.211.81.20 replies, the source address of those replies does not match the rule's 'from 200.211.81.64/26'. 200.211.81.20 is just not part of the network 200.211.81.64/26. Check your netmasks.

Also, a 'pass in on xl1 route-to xl3' rule will only affect connections initiated from the xl1 network. If the state is created by another rule (pass in on xl3, or pass out on xl1), the 'pass in on xl1' rule just does not match/apply. To explicitly route outgoing replies of incoming connections, you'll need 'reply-to', which was introduced in 3.2-current...

Daniel
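The netmask check Daniel recommends, worked through in code. This is an added example, not part of the original thread and not pf's own matching logic: a small Python matcher for the direction, interface and address part of the quoted rule, run against the quoted tcpdump line. The interface the echo request arrived on is an assumption (xl3 is used below), since tcpdump output does not name it; the state-tracking and route-to semantics of pf are deliberately not modelled.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The rule exactly as printed in the post (route-to and keep state are ignored here).
RULE_TEXT = ("pass in quick on xl1 route-to xl3:200.211.81.1 inet "
             "from 200.211.81.64/26 to any keep state")

# The echo request from the post's tcpdump output.
TCPDUMP_LINE = "19:27:43.228992 200.207.129.199 > 200.211.81.20: icmp: echo request (DF)"


@dataclass(frozen=True)
class Rule:
    direction: str                          # "in" or "out"
    iface: str                              # interface the rule is bound to
    src: Optional[ipaddress.IPv4Network]    # None means "any"
    dst: Optional[ipaddress.IPv4Network]


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on (assumed for tcpdump input)
    direction: str   # "in" or "out" relative to the firewall
    src: str
    dst: str


_RULE_RE = re.compile(
    r"^pass\s+(in|out)\s+(?:quick\s+)?on\s+(\S+)\s.*?\bfrom\s+(\S+)\s+to\s+(\S+)"
)


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None; a bare host becomes /32; a CIDR is normalised to its network."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse the subset 'pass in|out [quick] on IFACE ... from X to Y ...'."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    direction, iface, src, dst = m.groups()
    return Rule(direction, iface, _net(src), _net(dst))


def parse_tcpdump(line: str) -> Tuple[str, str]:
    """Return (src, dst) from a tcpdump line of the form 'TIME SRC > DST: ...'."""
    m = re.match(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\S*\s+>\s+(\d+\.\d+\.\d+\.\d+)\S*:", line)
    if not m:
        raise ValueError(f"unsupported tcpdump line: {line!r}")
    return m.group(1), m.group(2)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet is on the rule's interface and direction and passes its address filter."""
    if pkt.direction != rule.direction or pkt.iface != rule.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def containing_block(addr: str, prefixlen: int) -> ipaddress.IPv4Network:
    """The /prefixlen block that actually contains addr, i.e. what a netmask check reveals."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def diagnose(rule_text: str = RULE_TEXT, tcpdump_line: str = TCPDUMP_LINE,
             inbound_iface: str = "xl3") -> Dict[str, object]:
    """Walk through the diagnosis from the post. inbound_iface is an assumption:
    the tcpdump line does not say which interface the echo request arrived on."""
    rule = parse_rule(rule_text)
    req_src, req_dst = parse_tcpdump(tcpdump_line)
    request = Packet(inbound_iface, "in", req_src, req_dst)
    # The reply is sourced by the pinged host; even if it were seen inbound on
    # xl1 it still has to pass the rule's 'from' check.
    reply_on_xl1 = Packet("xl1", "in", req_dst, req_src)
    return {
        "rule_src_range": (str(rule.src.network_address), str(rule.src.broadcast_address)),
        "request_matches_rule": rule_matches(rule, request),
        "reply_matches_rule": rule_matches(rule, reply_on_xl1),
        "pinged_host_in_rule_src": ipaddress.ip_address(req_dst) in rule.src,
        "block_containing_pinged_host": str(containing_block(req_dst, rule.src.prefixlen)),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Running it shows why 'Packets: 1' stayed low: 200.211.81.64/26 covers only 200.211.81.64 through 200.211.81.127, so the pinged host 200.211.81.20 (and, for that matter, the gateway 200.211.81.1) sits in 200.211.81.0/26, and neither the echo request nor the reply passes the rule's 'from' check.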