pf + 8.0-RELEASE-p2 multihome

Been beating my head against the wall for a few days trying to make things work. Here is the setup.

Single host providing some services, ntp in this example. Two interfaces, bce0 and bce1. Bce0 is the default route as defined in rc.conf. NTP packets arrive correctly on bce1 but exit on bce0 and I am unable to influence them to exit via bce1 using reply-to. Any suggestions?

Includes a few broken rules w.r.t. reply-to, left in as experiments.

pf.conf
Code:
foo_face="{bce0 bce1}"
table <rfc1918> const { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }
tcp_services="{27}"
udp_services="{53 123}"
bad_services="{135 137 445}"
icmp_types="echoreq"
lisp_addrs="{153.16.4.130}"
set block-policy drop
set loginterface  bce1
set state-policy if-bound
set limit states 50000
set ruleset-optimization basic
set skip on lo
block in
antispoof quick for { lo bce0 bce1 }
block drop in quick inet from <rfc1918> to any
block drop in quick on $foo_face proto tcp from any to any port $bad_services
block drop in quick on $foo_face proto udp from any to any port $bad_services
#pass in on bce1 tag BCE1
pass in on $foo_face proto tcp from any to $foo_face port $tcp_services
pass in on $foo_face proto udp from any to $foo_face port $udp_services
pass in inet proto icmp all icmp-type $icmp_types keep state
#pass in on $foo_face reply-to bce1  from bce1 to any
#pass in on bce1 reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet from bce1 to any
#pass in log quick reply-to (bce1 154.16.4.129) inet tagged BCE1
pass out keep state
pass in keep state

pf state
Code:
bce1 udp 153.16.4.130:123 <- 64.16.153.2:12       NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 64.16.153.2:12       SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 75.130.67.96:61256       NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 75.130.67.96:61256       SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 66.28.241.19:123       NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 66.28.241.19:123       SINGLE:NO_TRAFFIC
bce1 udp 153.16.4.130:123 <- 71.237.111.9:123       NO_TRAFFIC:SINGLE
bce0 udp 153.16.4.130:123 -> 71.237.111.9:123       SINGLE:NO_TRAFFIC
 
Please post the output of ifconfig -a and netstat -rn too.

Please use [code] tags around system output to make it more readable.
 
Code:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:1e:4f:1e:6d:89
        inet 216.129.110.50 netmask 0xfffffff0 broadcast 216.129.110.63
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:10:18:33:29:a4
        inet 172.16.10.112 netmask 0xffffff00 broadcast 172.16.10.255
        media: Ethernet autoselect (none)
        status: no carrier
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:1e:4f:1e:6d:87
        inet 153.16.4.130 netmask 0xffffff80 broadcast 153.16.4.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000

Routing tables

Code:
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.129.110.49     UGS       807  5208908   bce0
127.0.0.1          link#6             UH          0    40987    lo0
153.16.4.128/25    link#3             U           0        0   bce1
153.16.4.130       link#3             UHS         0        0    lo0
172.16.10.0/24     link#2             U           0        0   bge0
172.16.10.112      link#2             UHS         0        0    lo0
216.129.110.48/28  link#1             U           2    16643   bce0
216.129.110.50     link#1             UHS         0        0    lo0
 
Use [code] tags, please! -> Posting and Editing in the FreeBSD Forums (http://forums.freebsd.org/showthread.php?t=8816)
 
Bce0 is the default route as defined in rc.conf. NTP packets arrive correctly on bce1 but exit on bce0
That's the correct behavior if the source address is not on the same subnet as bce1.
 
But isn't this the point of reply-to?

Code:
man pf.conf
   reply-to
           The reply-to option is similar to route-to, but routes packets that
           pass in the opposite direction (replies) to the specified
           interface.  Opposite direction is only defined in the context of a
           state entry, and reply-to is useful only in rules that create state.
           It can be used on systems with multiple external connections to
           route all outgoing packets of a connection through the interface the
           incoming connection arrived through (symmetric routing enforcement).
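As an added illustration of what the man page excerpt above describes (this is example configuration written here, not a ruleset from anyone in the thread): reply-to only has an effect on the rule that actually creates the state, and pf takes the last matching rule unless a rule is marked quick, so a trailing `pass in keep state` without reply-to silently becomes the state-creating rule for everything. The rules below therefore carry quick and attach reply-to to the service rules on bce1. The gateway address is an assumption: the routing table posted above lists no next hop for 153.16.4.128/25, so 153.16.4.129 is used here only as a placeholder for the real router on that subnet.

```pf
# Added example: symmetric routing for services reached via bce1 on a host
# whose default route leaves via bce0. Not the thread's own configuration.
ext_if="bce0"
alt_if="bce1"
# ASSUMPTION: placeholder for the real next-hop router on 153.16.4.128/25.
alt_gw="153.16.4.129"
tcp_services="{ 27 }"
udp_services="{ 53 123 }"

set state-policy if-bound
set skip on lo

block in

# Requests arriving on bce1: the state is created here, and reply-to
# sends the replies back out bce1 to its router instead of following
# the default route on bce0. 'quick' stops a later catch-all pass rule
# (evaluated last-match-wins) from becoming the state-creating rule.
pass in quick on $alt_if reply-to ($alt_if $alt_gw) inet proto udp \
    from any to ($alt_if) port $udp_services keep state
pass in quick on $alt_if reply-to ($alt_if $alt_gw) inet proto tcp \
    from any to ($alt_if) port $tcp_services flags S/SA keep state

# Requests arriving on the default-route interface need no reply-to.
pass in quick on $ext_if inet proto udp \
    from any to ($ext_if) port $udp_services keep state
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) port $tcp_services flags S/SA keep state

pass out keep state
```

After loading, `pfctl -ss | grep ':123'` should show each NTP exchange as a single bce1 state with traffic in both directions, rather than the paired bce1/bce0 entries shown earlier in the thread; a companion bce0 state for the same peer means the reply is still taking the default route and the rule that created the state did not carry reply-to.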
 