On 2011-04-18 13:31, Per von Zweigbergk wrote:
OK, so having researched this a little more, it seems that what I
really want is to put the reply-to option on either the firewall rule
or the NAT rule (haven't quite figured out which one of those it goes
on), as per the manual page of pf.conf(5):
reply-to
The reply-to option is similar to route-to, but routes packets that
pass in the opposite direction (replies) to the specified interface.
Opposite direction is only defined in the context of a state entry,
and reply-to is useful only in rules that create state. It can be
used on systems with multiple external connections to route all
outgoing packets of a connection through the interface the incoming
connection arrived through (symmetric routing enforcement).
You can do route-to by using the "gateway" dropdown, but a "reply-to"
dropdown seems to be missing. This would seem to be an option that
needs to be added to the web UI if I want this to work, unless I'm
missing something.
Sorry to be having a mailing list monologue here, but I managed to get
this to work.
This is what I ended up doing:
[2.0-RC1][r...@edgefw.multiwanlab.ita.local]/tmp(88): diff -u rules.debug rules.mod
--- rules.debug 2011-04-18 11:43:21.000000000 +0000
+++ rules.mod 2011-04-18 12:12:42.000000000 +0000
@@ -99,9 +99,9 @@
pass in quick on em2 proto tcp from any to (em2) port { 80 443 22 }
keep state label "anti-lockout rule"
# User-defined rules follow
-pass in log quick on $WAN1 proto tcp from any to 172.16.0.51
flags S/SA keep state label "USER_RULE: NAT chargen wan1"
+pass in log quick on $WAN1 reply-to (em1 172.16.1.2) proto tcp from
any to 172.16.0.51 flags S/SA keep state label "USER_RULE: NAT chargen
wan1"
pass in log quick on $LAN from 172.16.0.0/24 to any keep state
label "USER_RULE: Default allow LAN to any rule"
-pass in log quick on $WAN2 proto tcp from any to 172.16.0.51
flags S/SA keep state label "USER_RULE: NAT chargen wan2"
+pass in log quick on $WAN2 reply-to (em0 172.16.2.2) proto tcp from
any to 172.16.0.51 flags S/SA keep state label "USER_RULE: NAT chargen
wan2"
# VPN Rules
anchor "tftp-proxy/*"
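Review bot: the reply-to targets are hard-coded literals (em1 172.16.1.2 on the $WAN1 rule, em0 172.16.2.2 on the $WAN2 rule) while the rest of each rule uses the $WAN1/$WAN2 macros; if this goes into the rule generator, derive the interface and gateway from the WAN's configured gateway rather than writing literals, so a WAN address change or interface reassignment does not silently leave replies following the default route again. Note also that only the two "NAT chargen" rules receive reply-to in this hunk; any other state-creating pass-in rule on the secondary WAN would still answer via the default route, so the generator should apply reply-to to every stateful inbound rule on a non-default WAN interface, not just the ones edited here.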
Then I just loaded that modified ruleset with "pfctl -f /tmp/rules.mod".
I also removed all the ineffective policy routing / floating rules stuff
out of there. All that's needed is a reply-to on the incoming firewall
rule matching the NAT traffic to begin with.
Now of course, this change isn't persistent; it's going to break
whenever I reboot or make a change to the ruleset. So I figure I'll just
have to patch pfSense to add this feature to the editor for firewall
rules - assuming it's not too complicated.
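The hand edit above is mechanical enough to script, and a script also makes it easy to check the caveat from pf.conf(5) that reply-to only does anything in rules that create state. The following is an added example, not code from the post or from pfSense: it rewrites a ruleset in the rules.debug format so that every state-creating `pass in` rule on a WAN macro gets `reply-to (interface gateway)`, using the interface/gateway pairs the post used for $WAN1 and $WAN2, and then flags any rule that carries reply-to without `keep`/`modulate`/`synproxy state`. The sample ruleset is constructed from the post's excerpt (one rule per line, since the mail client wrapped the originals), and the extra `no state` line is constructed to show the check firing. It assumes rules are one per line and that the WAN macro directly follows `on`; it does not touch `rdr` NAT rules, because reply-to belongs on the filter rule, as the post found.

```python
import re

# Constructed sample modelled on the rules.debug excerpt in the post;
# the last "no state" rule is constructed purely to exercise the check.
SAMPLE_RULES = """\
pass in quick on em2 proto tcp from any to (em2) port { 80 443 22 } keep state label "anti-lockout rule"
# User-defined rules follow
pass in log quick on $WAN1 proto tcp from any to 172.16.0.51 flags S/SA keep state label "USER_RULE: NAT chargen wan1"
pass in log quick on $LAN from 172.16.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in log quick on $WAN2 proto tcp from any to 172.16.0.51 flags S/SA keep state label "USER_RULE: NAT chargen wan2"
block in quick on $WAN2 proto tcp from any to 172.16.0.52 label "no state here"
pass in quick on $WAN2 reply-to (em0 172.16.2.2) proto udp from any to 172.16.0.53 no state label "constructed: reply-to is a no-op here"
# VPN Rules
anchor "tftp-proxy/*"
"""

# Interface and gateway to send replies through, per WAN macro
# (values taken from the post's hand-edited rules).
WAN_REPLY_TO = {
    "$WAN1": ("em1", "172.16.1.2"),
    "$WAN2": ("em0", "172.16.2.2"),
}

# group 1: everything up to and including "on ", group 2: the interface
# macro, group 3: the rest of the rule.
RULE_RE = re.compile(r"^(pass\s+in\b.*?\bon\s+)(\$\w+)(\s.*)$")
# The state-creating keywords of pf.conf(5); "no state" deliberately not here.
STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")


def add_reply_to(ruleset: str, wan_map: dict) -> str:
    """Insert reply-to on every stateful 'pass in' rule on a mapped WAN macro.

    Rules that already carry reply-to, rules on unmapped interfaces, and
    rules that do not create state are left untouched, so the function is
    idempotent and never adds an option that pf would ignore.
    """
    out = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if (m and m.group(2) in wan_map
                and "reply-to" not in line
                and STATE_RE.search(line)):
            iface, gw = wan_map[m.group(2)]
            line = f"{m.group(1)}{m.group(2)} reply-to ({iface} {gw}){m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"


def check_reply_to(ruleset: str) -> list:
    """Return (line number, rule) for rules that carry reply-to but never
    create state; per pf.conf(5) the option has no effect on those."""
    problems = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if "reply-to" in line and not STATE_RE.search(line):
            problems.append((n, line))
    return problems


if __name__ == "__main__":
    rewritten = add_reply_to(SAMPLE_RULES, WAN_REPLY_TO)
    print(rewritten)
    for n, rule in check_reply_to(rewritten):
        print(f"line {n}: reply-to without state, ineffective: {rule}")
```

Run against a real rules.debug, the output is what you would hand to `pfctl -nf` first (syntax check only) and then `pfctl -f`; the rewrite is idempotent, so running it twice is harmless.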