Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Source-based routing (sometimes)

I have what is an overly complicated home setup.  My ISP provides me
with only one address, and so I have to NAT for the boxes in my house.
I also have a tunnel, which provides IPv6 and a ipv4 /27 for some of my
machines.  Not everything is tunneled, most things are in fact NAT'd.

Until recently this all just worked because my ISP did not do ingress
filtering.  However, they seem to have finally decided to implement
this, and so packets with incorrect source addresses are now being
blocked.  I applaud them for finally implementing this very useful
anti-spoof technique, but I do wish they'd have exempted me. :)

What I want is simple to describe, but very complicated to implement.  I
want all packets with source address to go out gif0, and
all other packets to follow normal destination-based routing.

I tried adding this to my pf.conf:

pass out on rtk0 route-to ( gif0 ) from to

It seems that the route-to is ignored.

I tried spinning up a srt0 interface and using it.  It did the right
thing and set out gif0, but I had to add a
(default-like) destination to rtk0, which then bypassed the pf-based

Anything else I should try here?


Home | Main Index | Thread Index | Old Index