Jay (and all)
I replaced my two separate nat lines with one testing line (using another
machine since that user (wife) would kill me if I kept having her test
things):
nat on rl1 from 192.168.1.142 to !$internal_net -> (rl1)
#and then re-enabled the route-to
pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
!$internal_net keep state
#and added a pass out line
pass out on rl1 from 192.168.1.142 to !$internal_net keep state
My simple understanding of the nat function in pf is that it will only nat
packets that are already heading out on the interface specified, but I could
be wrong. Either way, with no other nat line was left active in PF and with
the two above pass lines activated I can browse to any ipaddress that is
routed out through rl1 via the route add commands, but if I try to go to
something not included in the route add commands (like say, browsing to
www.slickdeals.net) it just waits for a response from www.slickdeals.net
forever. So, I tried sniffing the rl1 interface grepping for slickdeals' ip
address, and found something really odd.
With the above nat's there's no traffic to slickdeals on rl1, if I sniff
rl0 (default route) I find the traffic to slickdeals:
Mar 10 10:04:17.407558 0:10:b5:f:db:xx 0:50:57:0:92:20 0800 62:
192.168.1.142.3787 > 67.15.144.66.80: S 693520951:693520951(0) win 65535
<mss 1460,nop,nop,sackOK> (DF)
So, it would seem that pf is ignoring the route-to command.
If I re-enable the two separate nat lines, and keep the route-to command
(and the pass out on rl1 line intact I get the following:
Nothing on rl0, but on rl1 things get really interesting:
tcpdump: listening on rl1
Mar 10 10:10:52.585188 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60:
68.4.66.x.61861 > 67.15.144.66.80: . ack 3117311098 win 65535 (DF)
Mar 10 10:10:52.585679 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.664414 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.925367 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60:
68.4.66.x.61861 > 67.15.144.66.80: . ack 1 win 65535 (DF)
Mar 10 10:11:01.789024 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861 > 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
dc:xx is rl1, which is good, but 68.4.66.x is the ip address for rl0 (my
cable modem), which is a very bad thing (tm).
Once again I get the above when the following lines are active:
<snip>
nat on rl0 from $internal_net to !$internal_net -> (rl0)
nat on rl1 from $internal_net to !$internal_net -> (rl1)
<snip>
pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
!$internal_net keep state
pass out on rl1 from 192.168.1.142 to !$internal_net keep state
<snip>
If you're so inclined, my entire pf.conf file is available at:
http://members.cox.net/holysin/pf.conf
Not terribly sanitized, so there is a LOT of rules there... I don't think
any of the rules matter outside what's been mentioned above, and yesterday,
but just in case, it's available.
Also, a little something about my connection:
rl0 is connected to the cable modem, rl1 is connected to the campus
network (which is NOISY!), if I have to I can just have the wife plug her
computer into the campus network directly, but it would be infinitely more
prefered to be able to route all traffic from a spicific IP address through
the campus network while still keeping a firewall between the machine and
campus. (Also, I'd prefer not to have to add route to commands for each
subnet she will connect to.
Thanks for the help.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of J Tingle
> Sent: Thursday, March 10, 2005 12:12 AM
> To: pf@benzedrine.cx
> Subject: Re: Trouble with route-to:
>
> I've been messing around with a similar setup with dsl &
> cable going into one PF firewall. One thing I noticed that
> might be giving you problems is your nat rules:
>
>
> >nat on rl0 from $internal_net to !$internal_net -> (rl0) nat on rl1
> >from $internal_net to !$internal_net -> (rl1)
>
> The way it's written it seems like it would try to nat
> everything to both connections. I remember reading that the
> first matching nat rule wins, so you don't need to make it
> too fancy. Here is how I did my
> nat:
>
> ext_if_cable="le1"
> ext_if_dsl="hme0"
> int_if="le0"
> mynet="192.168.0.0/24"
> gateway_cable="xx2xx.xxx.x"
> gateway_dsl="xx.xxx.xx.x"
> dslhosts="{ 192.168.0.104 }"
>
> #NAT
> nat on $ext_if_dsl from $dslhosts to any -> ($ext_if_dsl) nat
> on $ext_if_cable from $mynet to any -> ($ext_if_cable)
>
> Another thing is you need a rule on the external interface to
> let let the re-routed packets out. I might be wrong about
> this but If I remember right once you do the "route-to" it
> changes the source address of the packet. So instead of the
> packet being from
> 192.168.1.132 it will be from the ip of your externel
> interface. So it won't work if you try to do something like.
>
> pass out on $rl1 from 192.168.1.132 to !$internel_net keep state
>
> The way I got around that is to tag the packets as they come
> in the internel interface. That way I can make sure I don't
> get the asymetric routing. Here is how I did it(I added the
> spaces to make it easier to read):
> ----snip---
> #route & tag
> pass in quick on $int_if route-to ($ext_if_dsl $gateway_dsl)
> \ from $dslhosts to any tag DSLBOUND keep state
>
> pass in on $int_if route-to ($ext_if_cable $gateway_cable) \
> all tag CABLEBOUND keep state
>
> #Pass out the routed packets on External Interfaces pass out
> quick on $ext_if_dsl proto tcp from any to any \ tagged
> DSLBOUND flags S/SA modulate state
>
> pass out on $ext_if_cable proto tcp from any to any \ !tagged
> DSLBOUND flags S/SA modulate state \
>
> pass out quick on $ext_if_dsl proto { udp, icmp } \ from any
> to any tagged DSLBOUND keep state
>
> pass out on $ext_if_cable proto { udp, icmp } from any to any
> \ !tagged DSLBOUND keep state
>
> ---snip---
>
> Hope that helps.
>
> -Jay
>
>
> >Hey all, having a bit of a problem with routing one specific ip
> >address out a different interface in a 2 external interface setup:
> >Em0=internal interface
> >Rl0=external interface #1
> >Rl1=external interface #2
> >Gw1=external gateway #2
> >$internal_net = 192.168.1.0
> >
> ><snip>
> >scrub in on $ext_if all
> >scrub out on $ext_if all
> >scrub in on rl1 all
> >scrub out on rl1 all
>
> ><snip>
> >pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to
> !$internal_net
> >keep state
> >
> >Once I add the above line to pf.conf and flush the ruleset
> the computer
> >can no longer access the outside world. So I assume I need
> some sort
> >of matching rule on rl1, but can't figure out what it is.
> >
> >If I manually change the routing table to pass a specific
> destination
> >ip address out through gw1 it works without a flaw, however this
> >machine needs to access more then a few subnets through
> interface #2,
> >so route-to is preffered.
> >
> >
> >Let me know if anyone has any ideas,
> >
> >
> >Ben
>
