Hello lists! (sorry if cross-list posting is frowned upon)
I'm setting up a BSD/pf machine that will be working as a binat
firewall for a number of hosts on two /28 subnets belonging to the
same co-location provider.
The BSD machine is already live, working hard for one subnet, and I
don't have extra hardware to test this out in a lab environment (nice,
I know), so I'd just like a little wisdom from the lists before I go
live with this pf change:
I'm wondering if I can use the "route to" option with pf in order to
force all traffic from subnet A through subnet A's gateway, while
subnet B's traffic goes through subnet B's gateway. Right now, subnet
B is set up and running with B's gateway as the host for the 0.0.0.0
network. Now, with straight routing, I can't seem to find a way to
enable multi-path routing to the 0.0.0.0 network along these lines:
if src is from netA: pass traffic to gwA
if src is from netB: pass traffic to gwB
Now, since I have only one external interface (see diagram at bottom),
how can I rearrange the following pf statements (from the pf faq):
pass out on em0 route-to (em0 $ext_gw2) from em0 to any
pass out on em0 route-to (em0 $ext_gw1) from em0 to any
Can I get by simply by aliasing all of the IPs on em0 (external
interface) or do I have to vlan the external device to get distinct
interface names?
Thanks, Pete.
Quick/Dirty Diagram:
 204.15.193.0/28 <----+ (aliases 204.15.193.2->14)
                      |
                      +--> (em0) BSD (em1) <--+ (Tagged VLAN)
                      |                       |
 204.15.193.16/28 <-- +                       |
 ( aliases 204.15.193.18->30)       +---------+
                                    |
                                    +-----+-----> VLAN2 (192.168.3/24)
                                    |     |
                                    |     +-----> VLAN5 (10.10.5/24)
                                    |
                                    +-----------> VLAN6 (10.10.6/24)
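The pf.conf fragment below is an added example, not part of the original post or of the pf FAQ it quotes, showing how the two FAQ rules become source-selected on a single external interface. The gateway addresses (.1 and .17, the first usable address of each /28), the two internal hosts and their binat mappings are assumed placeholders; substitute the live machine's own values. It keeps the `route-to (interface gateway)` syntax of the FAQ quote, which FreeBSD pf and older OpenBSD releases use; recent OpenBSD writes `route-to $gw` without the interface in parentheses.

```pf
# Added example (not from the original post). All addresses other than the
# two /28s and the em0/em1 names are assumed placeholders.
ext_if = "em0"

net_a  = "204.15.193.0/28"
net_b  = "204.15.193.16/28"
gw_a   = "204.15.193.1"     # assumed: subnet A's gateway
gw_b   = "204.15.193.17"    # assumed: subnet B's gateway (current default route)

host_a = "192.168.3.10"     # assumed: internal host published as 204.15.193.2
host_b = "10.10.5.10"       # assumed: internal host published as 204.15.193.18

# binat: internal host <-> public alias on em0 (assumed pairs; the live
# machine already has its own). In this pf generation translation runs
# before filtering, so rules on em0 see the translated addresses: outbound
# packets carry the public source, inbound packets the internal destination.
binat on $ext_if from $host_a to any -> 204.15.193.2
binat on $ext_if from $host_b to any -> 204.15.193.18

# Outbound: pick the next hop by (translated) source subnet. route-to only
# needs the gateway to be reachable on the named interface, so the aliases
# on em0 are enough; no VLAN or second interface is needed for this part.
pass out on $ext_if route-to ($ext_if $gw_a) from $net_a to any keep state
pass out on $ext_if route-to ($ext_if $gw_b) from $net_b to any keep state

# Inbound: replies to connections that arrive from outside are matched by
# the state created here, not by the "pass out" rules above, so they would
# follow the default route (gw_b) regardless of which subnet was contacted.
# reply-to pins the return path to the gateway of the subnet the public
# address belongs to. The filter sees the internal (post-binat) destination,
# hence matching on the hosts rather than on $net_a / $net_b.
pass in on $ext_if reply-to ($ext_if $gw_a) from any to $host_a keep state
pass in on $ext_if reply-to ($ext_if $gw_b) from any to $host_b keep state
```

Since there is no lab box, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsr` shows the rules as loaded so the route-to and reply-to targets can be eyeballed before switching over. The reply-to rules only matter for connections initiated from outside; for the outbound case the post asks about, the two `pass out` rules alone do the job, provided both gateways answer ARP on the segment em0 is attached to.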