On Mon, May 21, 2012 at 02:20:04PM +0000, Joerg Pulz wrote:
> ext_if="bge0"
> int_if="bge1"
> vpn_net="10.1.1.0/24"
> srv_net="172.16.1.0/24"
> gw_addr="172.16.1.254"
>
> scrub in all
>
> pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state
> pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state
So something from $vpn_net comes in, gets routed to the default gateway (on the $ext_if side), attempts to pass out on $ext_if, matches the first rule, route-to applies, the packet gets re-routed to $gw_addr, passes out on $int_if, matches the second rule, double route-to.

All you need to do is prevent the second rule from applying to packets where the first rule matched, like with tags:

    pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state tag from_vpn
    pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state
    pass out on $int_if from $vpn_net to $srv_net keep state tagged from_vpn

i.e. you add 'tag from_vpn' to the first rule, so packets matching it get tagged, then you add a third rule without route-to that applies to tagged packets, which wins last-match for such packets.

Or, instead of adding a third rule, add '! tagged from_vpn' to the second rule, if tagged packets can still pass out on $int_if by another rule.

Kind regards,
Daniel

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
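The complete ruleset below is an added example, not code from Joerg's or Daniel's message. It keeps Joerg's macros and puts the original rule pair next to both of the corrections Daniel describes (the extra tagged rule, and the '! tagged' negation on the second rule), with comments on the two pf semantics the fix relies on: tags are sticky, and without 'quick' the last matching rule wins. The interface names, networks and the tag name are the ones from the thread; nothing else is assumed.

```pf
# Added example (not from the thread): Joerg's macros, the original rule
# pair, and both corrected variants. Load only one of the two variants.
ext_if="bge0"
int_if="bge1"
vpn_net="10.1.1.0/24"
srv_net="172.16.1.0/24"
gw_addr="172.16.1.254"

scrub in all

# --- Original pair (kept commented out for comparison): a packet from
# --- $vpn_net that is route-to'd by the first rule leaves on $int_if,
# --- where it matches the second rule and is route-to'd a second time.
# pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state
# pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state

# --- Variant A: third rule. 'tag' is sticky, so the packet still carries
# --- from_vpn when the out rules are evaluated again on $int_if. Without
# --- 'quick' the last matching rule wins, and for tagged packets that is
# --- the third rule, which has no route-to.
pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state tag from_vpn
pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state
pass out on $int_if from $vpn_net to $srv_net keep state tagged from_vpn

# --- Variant B: negate the tag on the second rule instead. Tagged packets
# --- then match no route-to rule on $int_if; they are passed only if some
# --- other rule (or pf's default pass policy, absent a block rule) lets
# --- them out on $int_if.
# pass out on $ext_if route-to ($int_if $gw_addr) from $vpn_net to any keep state tag from_vpn
# pass out on $int_if route-to ($int_if $gw_addr) from $vpn_net to $srv_net keep state ! tagged from_vpn
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`; that only parses the file and will not flag the double route-to, which is a logic error rather than a syntax error. After loading, `pfctl -vsr` prints each rule with its tag/tagged options and per-rule evaluation and packet counters, so you can confirm that VPN traffic toward $srv_net is being counted on the third rule (variant A) rather than on the route-to rule for $int_if.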
