Hi all,

I'm trying to apply route-to rules to packets that have a state (because they were redirected or came in by a 'keep|modulate state' rule), but to no avail. I'm using 3.1-stable.

The situation is as follows: I have a router with 3 interfaces:

  de0:            external, static IP (e.g. 195.200.200.201)
  de1:            internal, 192.168.0.1
  tun0 (via de2): external, ADSL, IP via DHCP

When tun0 is up (almost always) the default gateway is reachable via tun0, else via de0. I want to provide services (smtp, http, more in the future) on static IPs of de0 (the standard or preferably aliased ones). If I try to do a rdr or a binat on de0 to some private machines, the translation works correctly, but the packets get routed back to tun0!

Example (connection attempt from 1.2.3.4:2003 to 195.200.200.201:80):

  1) on de0:  1.2.3.4:2003 -> 195.200.200.201:80
  2) on de1:  1.2.3.4:2003 -> 192.168.0.100:80
  3) on de1:  192.168.0.100:80 -> 1.2.3.4:2003
  4) on tun0: 195.200.200.201:80 -> 1.2.3.4:2003

As you can see, the problem lies in the 4th step: the packet gets routed to the default interface and not the one stated in the route-to rule. I tried to apply a route-to on tun0 to get this packet to de0, but I can't get it to work.

Are 'route-to' pf rules really treated differently than 'normal' rules (as shown in http://mniam.net/pf/pf.png), or are they treated just like any other filter rule and skipped when a state is applicable?

The important rules are:

########
pass in quick on de0 inet proto tcp from any to any port { http }
pass out quick on tun0 route-to de0:$WLANGate inet proto tcp \
    from any port { http } to any
########
rdr on de0 proto tcp from any to 195.200.200.201 port 80 \
    -> 192.168.0.100 port 80
########

A point that could confirm that packets are treated the same, whether or not they have a routing section like 'route-to' in them, is that incoming connections aimed for the router (e.g. ssh) work with these rules (that is, when there is no state), but only as long as I don't keep state on these incoming connections!

Thanks in advance,
Clemens
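The topology and the rules in the post above, written out as an added pf.conf example (this is not the poster's configuration and not part of the original message). It assumes the pf syntax of OpenBSD 3.2 or later, where a pass rule can carry reply-to and route-to targets are written as (interface address); the gateway address $de0_gw, the macro names and the ssh rule are assumptions chosen to match the described setup. The point it illustrates is that pf only evaluates the rule set for the packet that creates a state, so the routing decision (route-to or reply-to) has to sit on the rule that creates the state, not on a later pass out rule that the reply packets never reach.

```pf
# Added example, not from the original post. Assumes pf syntax of OpenBSD 3.2
# or later (reply-to, "(if addr)" route targets). Interface roles follow the
# post; $de0_gw is an assumed next hop on the static uplink.
ext_if  = "de0"                 # static uplink, 195.200.200.201
int_if  = "de1"                 # LAN, 192.168.0.1
dsl_if  = "tun0"                # ADSL uplink, normally holds the default route
de0_gw  = "195.200.200.1"       # assumed gateway reachable via de0
ext_ip  = "195.200.200.201"
web_srv = "192.168.0.100"

# Translation is applied before filtering, so the pass rule below sees the
# translated (internal) destination address.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv port 80

# The inbound rule creates the state. The state stores this rule's reply-to
# target, so every reply packet that matches the state is sent out $ext_if to
# $de0_gw instead of following the default route through $dsl_if. No pass out
# rule on $dsl_if is consulted for those packets, because the state matches
# before the rule set is evaluated.
pass in on $ext_if reply-to ($ext_if $de0_gw) proto tcp \
    from any to $web_srv port 80 keep state

# Same treatment for connections to the router itself (assumed: ssh on the
# static address), which is the case the post says breaks once state is kept.
pass in on $ext_if reply-to ($ext_if $de0_gw) proto tcp \
    from any to $ext_ip port 22 keep state

# Traffic the router originates from its static address is first routed to
# $dsl_if by the kernel; route-to on the pass out rule redirects it via de0.
pass out on $dsl_if route-to ($ext_if $de0_gw) inet \
    from $ext_ip to any keep state
```

Load with `pfctl -f /etc/pf.conf` and verify with `pfctl -ss`: a state created by a reply-to rule lists the routing target, and replies for it should appear on de0 in `tcpdump -ni de0` rather than on tun0.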
