Jay (and all)
I replaced my two separate nat lines with one testing line (using another machine, since that user (wife) would kill me if I kept having her test things):

nat on rl1 from 192.168.1.142 to !$internal_net -> (rl1)

# and then re-enabled the route-to
pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to !$internal_net keep state

# and added a pass out line
pass out on rl1 from 192.168.1.142 to !$internal_net keep state

My simple understanding of the nat function in pf is that it will only nat packets that are already heading out on the interface specified, but I could be wrong. Either way, with no other nat line left active in pf and with the two above pass lines activated, I can browse to any IP address that is routed out through rl1 via the route add commands, but if I try to go to something not included in the route add commands (like, say, browsing to www.slickdeals.net) it just waits for a response from www.slickdeals.net forever.

So, I tried sniffing the rl1 interface grepping for slickdeals' IP address, and found something really odd. With the above nat there's no traffic to slickdeals on rl1; if I sniff rl0 (default route) I find the traffic to slickdeals:

Mar 10 10:04:17.407558 0:10:b5:f:db:xx 0:50:57:0:92:20 0800 62: 192.168.1.142.3787 > 67.15.144.66.80: S 693520951:693520951(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

So, it would seem that pf is ignoring the route-to command.

If I re-enable the two separate nat lines, and keep the route-to command and the pass out on rl1 line intact, I get the following: nothing on rl0, but on rl1 things get really interesting:

tcpdump: listening on rl1
Mar 10 10:10:52.585188 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60: 68.4.66.x.61861 > 67.15.144.66.80: . ack 3117311098 win 65535 (DF)
Mar 10 10:10:52.585679 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.664414 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.925367 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60: 68.4.66.x.61861 > 67.15.144.66.80: . ack 1 win 65535 (DF)
Mar 10 10:11:01.789024 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)

dc:xx is rl1, which is good, but 68.4.66.x is the IP address for rl0 (my cable modem), which is a very bad thing (tm).

Once again, I get the above when the following lines are active:

<snip>
nat on rl0 from $internal_net to !$internal_net -> (rl0)
nat on rl1 from $internal_net to !$internal_net -> (rl1)
<snip>
pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to !$internal_net keep state
pass out on rl1 from 192.168.1.142 to !$internal_net keep state
<snip>

If you're so inclined, my entire pf.conf file is available at:
http://members.cox.net/holysin/pf.conf
Not terribly sanitized, so there are a LOT of rules there... I don't think any of the rules matter outside what's been mentioned above and yesterday, but just in case, it's available.

Also, a little something about my connection: rl0 is connected to the cable modem, rl1 is connected to the campus network (which is NOISY!). If I have to I can just have the wife plug her computer into the campus network directly, but it would be infinitely more preferred to be able to route all traffic from a specific IP address through the campus network while still keeping a firewall between the machine and campus. (Also, I'd prefer not to have to add route to commands for each subnet she will connect to.)

Thanks for the help.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of J Tingle
> Sent: Thursday, March 10, 2005 12:12 AM
> To: pf@benzedrine.cx
> Subject: Re: Trouble with route-to:
>
> I've been messing around with a similar setup with dsl & cable going into one PF firewall. One thing I noticed that might be giving you problems is your nat rules:
>
> >nat on rl0 from $internal_net to !$internal_net -> (rl0)
> >nat on rl1 from $internal_net to !$internal_net -> (rl1)
>
> The way it's written it seems like it would try to nat everything to both connections. I remember reading that the first matching nat rule wins, so you don't need to make it too fancy. Here is how I did my nat:
>
> ext_if_cable="le1"
> ext_if_dsl="hme0"
> int_if="le0"
> mynet="192.168.0.0/24"
> gateway_cable="xx2xx.xxx.x"
> gateway_dsl="xx.xxx.xx.x"
> dslhosts="{ 192.168.0.104 }"
>
> #NAT
> nat on $ext_if_dsl from $dslhosts to any -> ($ext_if_dsl)
> nat on $ext_if_cable from $mynet to any -> ($ext_if_cable)
>
> Another thing is you need a rule on the external interface to let the re-routed packets out. I might be wrong about this, but if I remember right, once you do the "route-to" it changes the source address of the packet. So instead of the packet being from 192.168.1.132 it will be from the IP of your external interface. So it won't work if you try to do something like:
>
> pass out on $rl1 from 192.168.1.132 to !$internal_net keep state
>
> The way I got around that is to tag the packets as they come in the internal interface. That way I can make sure I don't get the asymmetric routing.
> Here is how I did it (I added the spaces to make it easier to read):
> ----snip---
> #route & tag
> pass in quick on $int_if route-to ($ext_if_dsl $gateway_dsl) \
>     from $dslhosts to any tag DSLBOUND keep state
>
> pass in on $int_if route-to ($ext_if_cable $gateway_cable) \
>     all tag CABLEBOUND keep state
>
> #Pass out the routed packets on External Interfaces
> pass out quick on $ext_if_dsl proto tcp from any to any \
>     tagged DSLBOUND flags S/SA modulate state
>
> pass out on $ext_if_cable proto tcp from any to any \
>     !tagged DSLBOUND flags S/SA modulate state
>
> pass out quick on $ext_if_dsl proto { udp, icmp } \
>     from any to any tagged DSLBOUND keep state
>
> pass out on $ext_if_cable proto { udp, icmp } from any to any \
>     !tagged DSLBOUND keep state
> ---snip---
>
> Hope that helps.
>
> -Jay
>
> >Hey all, having a bit of a problem with routing one specific IP address out a different interface in a 2 external interface setup:
> >em0=internal interface
> >rl0=external interface #1
> >rl1=external interface #2
> >gw1=external gateway #2
> >$internal_net = 192.168.1.0
> >
> ><snip>
> >scrub in on $ext_if all
> >scrub out on $ext_if all
> >scrub in on rl1 all
> >scrub out on rl1 all
> ><snip>
> >pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep state
> >
> >Once I add the above line to pf.conf and flush the ruleset the computer can no longer access the outside world. So I assume I need some sort of matching rule on rl1, but can't figure out what it is.
> >
> >If I manually change the routing table to pass a specific destination IP address out through gw1 it works without a flaw; however, this machine needs to access more than a few subnets through interface #2, so route-to is preferred.
> >
> >Let me know if anyone has any ideas,
> >
> >Ben
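The check Ben performs by hand above (sniff each uplink with tcpdump and look at which source address pf stamped on the outbound packets) is worth scripting, because the two failure signatures in this thread are easy to tell apart mechanically: a packet leaving with an internal 192.168.1.x source means no nat rule translated it on that egress, and a packet leaving one uplink with the other uplink's address means NAT picked the wrong interface. The script below is an added example, not code from the thread or from the pf project. Everything it assumes is labelled: the rl0/rl1 addresses are documentation-range stand-ins (203.0.113.5 and 198.51.100.7) for the sanitized 68.4.66.x and campus addresses, the internal net is 192.168.1.0/24, and the capture lines are constructed in the OpenBSD `tcpdump -e -n` format seen in the thread.

```python
"""Egress source-address check over tcpdump -e -n output (added example).

For each uplink we know the address pf's nat rule should have used. Every
outbound packet is classified by its source address:
  ok                -> carries this uplink's address (NAT did the right thing)
  unnatted          -> still carries an internal address (nothing translated it)
  wrong-uplink:<if> -> carries the *other* uplink's address
  foreign           -> none of the above
Inbound replies (destination is one of our addresses) are skipped.

Assumptions, not from the thread: interface addresses and sample lines below.
"""
import ipaddress
import re

IFACE_ADDR = {
    "rl0": ipaddress.ip_address("203.0.113.5"),   # assumed cable-side address
    "rl1": ipaddress.ip_address("198.51.100.7"),  # assumed campus-side address
}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# "<Mon> <day> <hh:mm:ss.usec> <src mac> <dst mac> 0800 <len>: <src>.<sport> > <dst>.<dport>: ..."
PKT_RE = re.compile(
    r"^\S+ \d+ [\d:.]+ \S+ \S+ 0800 \d+: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def classify(iface, line):
    """Return (verdict, src, dst) for one capture line seen on `iface`,
    or None for lines that are not IPv4 packets (e.g. "tcpdump: listening on ...")."""
    m = PKT_RE.match(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if dst in IFACE_ADDR.values():
        return ("inbound", src, dst)
    if src == IFACE_ADDR[iface]:
        return ("ok", src, dst)
    if any(src in net for net in INTERNAL_NETS):
        return ("unnatted", src, dst)
    for other, addr in IFACE_ADDR.items():
        if other != iface and src == addr:
            return ("wrong-uplink:" + other, src, dst)
    return ("foreign", src, dst)


def audit(captures):
    """captures: {iface: [tcpdump lines]} -> list of (iface, verdict, src, dst)
    for every outbound packet that is not correctly NATed."""
    findings = []
    for iface, lines in captures.items():
        for line in lines:
            res = classify(iface, line)
            if res is not None and res[0] not in ("ok", "inbound"):
                findings.append((iface, res[0], str(res[1]), str(res[2])))
    return findings


# Constructed sample captures modelled on the thread's two experiments.
SAMPLE = {
    # Experiment 1: only "nat on rl1" active; the SYN shows up on rl0 untranslated.
    "rl0": [
        "tcpdump: listening on rl0",
        "Mar 10 10:04:17.407558 0:10:b5:f:db:01 0:50:57:0:92:20 0800 62: "
        "192.168.1.142.3787 > 67.15.144.66.80: S 693520951:693520951(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)",
    ],
    # Experiment 2: both nat lines active; traffic leaves rl1 carrying rl0's address.
    "rl1": [
        "tcpdump: listening on rl1",
        "Mar 10 10:10:52.585188 0:10:b5:f:dc:02 0:7:b3:a5:bc:03 0800 60: "
        "203.0.113.5.61861 > 67.15.144.66.80: . ack 3117311098 win 65535 (DF)",
        "Mar 10 10:10:52.585679 0:10:b5:f:dc:02 0:7:b3:a5:bc:03 0800 454: "
        "203.0.113.5.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)",
        # A correctly NATed connection to a (constructed) campus host, and its reply.
        "Mar 10 10:12:03.100000 0:10:b5:f:dc:02 0:7:b3:a5:bc:03 0800 62: "
        "198.51.100.7.50112 > 128.195.88.10.80: S 1000:1000(0) win 65535 <mss 1460> (DF)",
        "Mar 10 10:12:03.101500 0:7:b3:a5:bc:03 0:10:b5:f:dc:02 0800 62: "
        "128.195.88.10.80 > 198.51.100.7.50112: S 2000:2000(0) ack 1001 win 5840 <mss 1460> (DF)",
    ],
}

if __name__ == "__main__":
    for iface, verdict, src, dst in audit(SAMPLE):
        print(f"{iface}: {verdict:<16} {src} -> {dst}")
```

Feed it `tcpdump -e -n -i rl0` and `-i rl1` output captured after each pf.conf change. On the constructed sample it reports one `unnatted` hit on rl0 (the 192.168.1.142 SYN from the first experiment) and two `wrong-uplink:rl0` hits on rl1 (the 68.4.66.x-style packets from the second), and stays quiet for the correctly translated campus connection and its reply.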