Hi,

I'm attempting to set up alternative routing for a given source IP
address on a network.  I think I should do this with route-to.  If there
is a better/easier/whatever way to do this, I'm happy with that too.

normal default route (10.255.254.254)
        ^
        | (em7)
OpenBSD fw ------(em0)---->alternative route (10.255.253.254)
        ^
        | (vlan2)
openbsd host (10.1.2.79)

I have the following in pf.conf:

pass in on vlan2 route-to { em0 10.255.253.254 } from 10.1.2.79 to any keep state

along with pass rules for given packets like so:

pass quick proto tcp from 10.1.2.79 to any port http keep state

As one would expect, packets get routed out em7 normally.  With the
above statement, I am attempting to route packets out the alternative
interface (em0), which is a faster link.

However, a packet dump on em0 shows no packets from 10.1.2.79.  A packet
dump on em7 shows the packets going via the normal default route.  So I
try a quick:

pass in quick on vlan2 route-to { em0 10.255.253.254 } from 10.1.2.79 to any keep state

Which yields the following on the console of the firewall (when I try a
lynx www.google.com from the openbsd host):

Mar 15 17:46:40 fw0 /bsd: arplookup: unable to enter address for 216.239.36.10
Mar 15 17:46:40 fw0 /bsd: arpresolve: can't allocate llinfo

Which is very odd.  I am clearly doing something wrong here --- what?

# arp -an |egrep "10.255.254.254|10.255.253.254|10.1.2.79"
? (10.1.2.79) at 00:03:ba:11:d3:c1 on vlan2
? (10.255.253.254) at 00:15:c6:49:ef:d8 on em0
? (10.255.254.254) at 00:d0:bb:fc:84:20 on em7
# netstat -rn |egrep "10.255.254.254|10.255.253.254|10.1.2.79"
default            10.255.254.254     UGS         0 94103645      - em7
10.1.2.79          0:3:ba:11:d3:c1    UHLc        0      890      - vlan2
10.255.253.254     0:15:c6:49:ef:d8   UHLc        1    30889      - em0
10.255.254.254     0:d0:bb:fc:84:20   UHLc        1   248623      - em7

As you can see, all I really want is to be able to specify source
address when deciding how to route packets.  If there is a way to do
this sans-pf that doesn't use route-to (since route-to seems to be for
load-balancing, not picking routes), I'd love to know.  I saw a post on
undeadly about source-routing, but the cvs commit log for route.c says
something about it being killed circa june 2k5.

TIA,

-- 
adam
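As an added illustration (not part of the original post), the pf.conf fragment below puts the two rule styles from the post side by side and annotates how pf decides which rule creates the state. pf evaluates rules in order and the last matching rule wins unless a rule carries `quick`, which stops evaluation at that rule; the `route-to` option only takes effect on the rule that actually wins, so a plain `pass quick` rule that also matches the same traffic overrides a non-quick `route-to` rule for that traffic. The interface names and addresses are the ones in the post's diagram; the `pfctl` commands in the comments are the standard ones for inspecting the loaded ruleset and state table and are an assumption about how one would check this on the firewall.

```pf
# Added example, not the original poster's pf.conf. Interfaces and
# addresses are taken from the post's diagram.
ext_if   = "em7"              # normal default route (10.255.254.254) lives here
alt_if   = "em0"              # faster alternative link
alt_gw   = "10.255.253.254"
src_host = "10.1.2.79"

# Rule 1: route-to without "quick". pf keeps evaluating after this rule;
# if a later rule also matches, that later rule wins and this route-to
# is never attached to the state. That is consistent with traffic from
# the host still leaving on em7.
pass in on vlan2 route-to { $alt_if $alt_gw } from $src_host to any keep state

# Rule 2: a later plain pass with "quick" for the same source. For HTTP
# this is the rule that matches last (and stops evaluation), so it is
# the rule that creates the state, and no route-to is applied to it.
pass quick proto tcp from $src_host to any port http keep state

# For route-to to decide the path, the route-to rule itself has to be
# the winning rule for that traffic: mark it "quick" and place it before
# any other rule that would match the same packets.

# Checks after loading (run on the firewall):
#   pfctl -nf /etc/pf.conf        syntax-check the file without loading it
#   pfctl -sr                     list the loaded rules in evaluation order
#   pfctl -ss | grep 10.1.2.79    show the states created for the host
```

Reading `pfctl -ss` for the host's connections shows which rule created each state; if the state belongs to the plain `pass quick` rule, the `route-to` rule never took part in the decision.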
