PF redirect http traffic between interfaces

blackmomba1

Hi,
I have a VPN interface on my machine, out of which everything passes, and an additional interface (wifi).
I would like to make an exception: pass a specific ruleset (e.g. access to the domain "www.potato.com" on port 443) directly via the wifi interface, without the VPN.

Tried using route-to (pass out on vpn_interface route-to wifi_interface proto tcp to potato.com port 443), but it did not work.

covacat

Just add a /32 route for potato.com through your default gw (the default before the VPN connects).

blackmomba1

Thanks, any way you can show me the pf configuration for it? I am more familiar with iptables.

SirDice

This has nothing to do with the firewall. See route(8).

A firewall is not a router, stop treating it like that.
 
OP
B

blackmomba1

New Member


Messages: 7

I see, and I get that I can use route.
I would like to solve this via pfctl (using pf). How can I do that?

covacat

It can technically be done, but such things should be used as a last resort only, because firewall hacks like route-to and reply-to tend not to set the correct MTU and create various side effects.
Just add a static route to rc.conf or create one in your VPN's if-up script.
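As an added example (not code from the thread), the static-route approach described above as a small sh script that an if-up hook can call: it resolves the bypass host, validates the answers, and pins /32 host routes to the default gateway recorded before the tunnel came up. The gateway file path, the use of getent (FreeBSD and glibc Linux, not macOS) and the placeholder addresses are assumptions.

```shell
#!/bin/sh
# Added example: pin selected hosts to the pre-VPN default gateway with /32 routes
# so they bypass the tunnel while everything else keeps using it. Hostname, gateway
# file and addresses below are assumptions/placeholders, not values from the thread.

BYPASS_HOSTS="www.potato.com"          # hosts that must not traverse the VPN
GW_FILE="/var/run/pre_vpn_gateway"     # where the pre-VPN default gateway is remembered

# Accept only dotted-quad IPv4 literals, so an odd resolver answer never reaches route(8).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Emit one route(8) command per validated address (pure: nothing is executed here).
route_cmds() {
    gw=$1; shift
    is_ipv4 "$gw" || return 1
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "skipping non-IPv4 address: $ip" >&2; continue; }
        printf 'route -q add -host %s %s\n' "$ip" "$gw"
    done
}

# Resolve a hostname to its unique IPv4 addresses (getent lists one line per socket type).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Record the current default gateway; run this before the VPN replaces the default route.
save_gateway() {
    route -n get default | awk '/gateway:/ {print $2}' > "$GW_FILE"
}

# Install the bypass routes; call this from the VPN's if-up hook with "apply" (as root).
apply_routes() {
    gw=$(cat "$GW_FILE") || return 1
    for h in $BYPASS_HOSTS; do
        route_cmds "$gw" $(resolve_v4 "$h") | sh
    done
}

case "${1:-}" in
    save)  save_gateway ;;
    apply) apply_routes ;;
esac
# Persistent equivalent in FreeBSD /etc/rc.conf (placeholder addresses):
#   static_routes="potato"
#   route_potato="-host 203.0.113.10 192.0.2.1"
```

Because the resolved addresses can change, re-running the hook on every VPN connect keeps the bypass routes current; a static rc.conf route only covers a fixed address.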

blackmomba1

I understand; any way you can tell me why my rule does not work, though?

set skip on lo0
pass out on ipsec0 route-to en0 proto tcp to www.potato.com port {80,443}

covacat

I suck at pf.
What kind of VPN do you have?
IKEv2? L2TP + IPsec?
How is the IPsec policy looking? (setkey -DP)
Do you see any traffic when you tcpdump on ipsec0?

SirDice

ipsec0? Is this on iOS?

blackmomba1

> I suck at pf.
> What kind of VPN do you have?
> IKEv2? L2TP + IPsec?
> How is the IPsec policy looking? (setkey -DP)
> Do you see any traffic when you tcpdump on ipsec0?

IKEv2 IPsec, yes. I see traffic on ipsec0 via tcpdump.