greetings

please, advise

WHAT I HAVE:

routerB <-> netX/16
   ^
   |
   V
clients <-> routerA <-> netX/24

WHAT I NEED:

to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB

HOW I THINK TO DO THAT:

=================================================================================
VARIANT I
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------

---[ routerB pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block from <clients> to <netX>
...
---[ routerB pf.conf quotation end ]---------------------------------------------

RESULTS: I see packets redirected to routerB, but there the packets are
looping until the time to live is exceeded

=================================================================================
VARIANT II
---------------------------------------------------------------------------------

---[ routerA pf.conf quotation start ]-------------------------------------------
...
pass in log (to pflog1) on $if_clients-to-routerA from <clients> to <netX24> tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---------------------------------------------

---[ routerB configuration quotation start ]-------------------------------------

rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"

pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from <clients-allowed> to <netX24> tag AUTHED
block from <clients> to <netX24>

---[ routerB configuration quotation end ]---------------------------------------

RESULTS: are the same as for VARIANT I

=================================================================================
VARIANT III
---------------------------------------------------------------------------------

something else ... may it relate to pfsync somehow?

--
Zeus V. Panchenko                                jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                      GMT+2 (EET)
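An added configuration sketch for the routerA/routerB pair above (not from the poster or the thread), resting on one assumption: the loop is the same client-to-netX/24 flow re-entering each router on the inter-router link and matching its existing floating state, whose stored route-to sends it straight back out. Binding states to interfaces (`set state-policy if-bound`) makes that re-entry fall through to the ruleset, where an ordinary pass rule lets routerA deliver it over its directly connected netX/24 link. Macro names follow the poster's but use underscores (pf macro names cannot contain hyphens), `$if_routerA_to_netX24` is an assumed name for routerA's netX/24 interface, and the fragments assume everything they do not mention is passed by the rest of the ruleset.

```pf
# ---- routerA pf.conf (added example; assumes the floating-state explanation) ----
set state-policy if-bound        # a state matches only on the interface that created it

# clients -> netX/24 arriving from the client side: hand the decision to routerB
pass in log (to pflog1) on $if_clients_to_routerA \
    from <clients> to <netX24> \
    route-to ($if_routerA_to_routerB $routerB_ip) keep state

# the same flow coming back from routerB has already been authorised there;
# no route-to on this rule, so it is forwarded over the directly connected
# netX/24 link instead of bouncing back to routerB
pass in log (to pflog1) on $if_routerA_to_routerB \
    from <clients> to <netX24> keep state

# with if-bound states the replies from netX/24 no longer match the state
# created on $if_clients_to_routerA, so they need a rule of their own
pass in on $if_routerA_to_netX24 from <netX24> to <clients> keep state

# ---- routerB pf.conf ----
set state-policy if-bound

# the decision point: last matching rule wins, so allowed clients fall
# through to the pass rule and everything else from <clients> stays blocked
block in log (to pflog1) on $if_routerB_to_routerA from <clients> to <netX24>
pass in log (to pflog1) on $if_routerB_to_routerA \
    from <clients-allowed> to <netX24> \
    route-to ($if_routerB_to_routerA $routerA_ip) keep state
```

A quick way to check the assumption before changing anything: in `pfctl -s state` output a floating state shows `all` in the interface column, while an if-bound one shows the interface name.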