--- Bernd Bednarz <[EMAIL PROTECTED]> wrote:
> j knight wrote:
> > Bernd Bednarz wrote:
> >
> >> j knight wrote:
> >>
> >>> pass out on $dsl2 route-to ($dsl1 $gw1) from $ip1 to any
> >>> pass out on $dsl1 route-to ($dsl2 $gw2) from $ip2 to any
> >>>
> >>> Why did you remove them?
> >>
> >>
> >> because the reply-to rule does the same for me and I don't need both
> >> of them. When I ping the router on tun1 the packets go through tun1
> >> with the route-to or reply-to, and that's why I only have the one rule,
> >> reply-to
> >
> >
> > I didn't mean for you to replace the reply-to rules with route-to rules,
> > but to have both pairs. The route-to rules will prevent exactly the
> > problem you're seeing: packets leaving $if1 with a source IP of $if2
> > (and vice-versa of course).
>
> OK, here we go,
>
> now my pf.conf looks like this.
>
> -snip-
> pppoe1="tun0"
> pppoe2="tun1"
> gw1="217.0.116.68"
> gw2="217.0.116.67"
>
> supp_net="10.30.70.0/24"
> admin_net="10.30.20.0/24"
>
> # optimize
> set loginterface $pppoe1
> set optimization aggressive
>
Try this line:
set state-policy if-bound
> nat on $pppoe1 from $supp_net to any -> ($pppoe1)
> nat on $pppoe1 from $admin_net to any -> ($pppoe1)
> nat on $pppoe2 from $supp_net to any -> ($pppoe2)
> nat on $pppoe2 from $admin_net to any -> ($pppoe2)
>
Remove the last 2 nat rules. You don't need them now.
> rdr on $pppoe2 proto tcp from any to $pppoe2 port 80 -> 10.30.70.43 port 80
>
> pass out on $pppoe1 route-to ($pppoe2 $gw2) from $pppoe2 to any keep state
> pass out on $pppoe2 route-to ($pppoe1 $gw1) from $pppoe1 to any keep state
> pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp from any to $pppoe2 port 80 keep state
> -snap-
pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp \
from any to 10.30.70.43 port 80 keep state
>
> But I think you didn't understand what I said. The route-to rules don't
> catch the packets which come from 10.30.70.43 and I don't know why.
>
Try these lines. Install pftop from ports, an excellent tool for monitoring pf.
Best regards
T. Koychev
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
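As an added example (not code posted by either participant), here is the ruleset the suggestions in this reply add up to, in the thread's nat/rdr syntax; the only name not in the thread is the $www_srv macro for 10.30.70.43:

```pf
# Added example, not from the thread: dual-PPPoE ruleset in the pre-OpenBSD-4.7
# nat/rdr syntax the thread uses. Interfaces, gateways and nets are the thread's;
# $www_srv is an added macro for the rdr target 10.30.70.43.
pppoe1="tun0"
pppoe2="tun1"
gw1="217.0.116.68"
gw2="217.0.116.67"
supp_net="10.30.70.0/24"
admin_net="10.30.20.0/24"
www_srv="10.30.70.43"

set loginterface $pppoe1
set optimization aggressive
# Bind each state to the interface it was created on, so a connection that
# arrived on $pppoe2 is never matched against a state created on $pppoe1.
set state-policy if-bound

# Outbound NAT only on the default-route link; the redirected service on
# $pppoe2 is covered by the reply-to rule below, so no nat on $pppoe2.
nat on $pppoe1 from { $supp_net, $admin_net } to any -> ($pppoe1)

# Translation runs before filtering, so the matching pass in rule must
# name the internal address, not the external one.
rdr on $pppoe2 proto tcp from any to $pppoe2 port 80 -> $www_srv port 80

# Symmetric routing: a packet about to leave one link carrying the other
# link's source address is sent out via its own link and gateway instead.
pass out on $pppoe1 route-to ($pppoe2 $gw2) from $pppoe2 to any keep state
pass out on $pppoe2 route-to ($pppoe1 $gw1) from $pppoe1 to any keep state

# Replies to connections that arrived on $pppoe2 go back through $gw2,
# even though the default route points at $gw1.
pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp \
    from any to $www_srv port 80 keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s state` shows the interface each state is bound to once traffic flows.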