Current-Users archive


Source-based routing (sometimes)



I have what is an overly complicated home setup.  My ISP provides me
with only one address, and so I have to NAT for the boxes in my house.
I also have a tunnel, which provides IPv6 and an IPv4 /27 for some of my
machines.  Not everything is tunneled; most things are in fact NAT'd.

Until recently this all just worked because my ISP did not do ingress
filtering.  However, they seem to have finally decided to implement
this, and so packets with incorrect source addresses are now being
blocked.  I applaud them for finally implementing this very useful
anti-spoof technique, but I do wish they'd have exempted me. :)

What I want is simple to describe, but very complicated to implement.  I
want all packets with source address 149.20.7.222/27 to go out gif0, and
all other packets to follow normal destination-based routing.

I tried adding this to my pf.conf:

pass out on rtk0 route-to ( gif0 149.20.65.100 ) from 149.20.7.0/24 to any

It seems that the route-to is ignored.

I tried spinning up a srt0 interface and using it.  It did the right
thing and set 149.20.7.222/27 out gif0, but I had to add a 0.0.0.0/0
(default-like) destination to rtk0, which then bypassed the pf-based
NAT.

Anything else I should try here?

--Michael
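The rule layout that pf documentation generally uses for this kind of policy routing, written here as an added example rather than taken from Michael's message or from NetBSD: the ISP interface rtk0, the tunnel gif0, the tunnel gateway 149.20.65.100 and the /27 containing 149.20.7.222 come from the post; the inside interface name lan0 and the private range 192.168.1.0/24 are assumptions. The goal is that the only packets leaving rtk0 carry the ISP-assigned source, so the upstream anti-spoof filter never sees the tunnel addresses.

```pf
# Added example; not from the post. lan0 and 192.168.1.0/24 are assumed.
ext_if   = "rtk0"               # ISP-facing interface (from the post)
tun_if   = "gif0"               # tunnel interface (from the post)
int_if   = "lan0"               # ASSUMED name of the inside interface
tun_gw   = "149.20.65.100"      # tunnel far end, as used in the post
tun_net  = "149.20.7.192/27"    # the /27 that contains 149.20.7.222
priv_net = "192.168.1.0/24"     # ASSUMED RFC 1918 range for NAT'd hosts

# Translation is evaluated before filtering.  Only the private hosts are
# rewritten to the ISP address; tunnel-addressed hosts keep their source.
nat on $ext_if from $priv_net to any -> ($ext_if)

# Forwarded traffic: override the kernel's routing decision as the packet
# enters on the inside interface, before the default route is consulted.
pass in quick on $int_if route-to ($tun_if $tun_gw) from $tun_net to any keep state
pass in on $int_if keep state

# Packets the router itself originates never pass "in" on $int_if, so they
# need an outbound rule; pf sees them on $ext_if as they follow the
# default route and redirects them to the tunnel.
pass out quick on $ext_if route-to ($tun_if $tun_gw) from $tun_net to any keep state

# Everything else follows ordinary destination-based routing.  After nat,
# the filter on $ext_if only sees the ISP-assigned source address.
pass out on $ext_if from ($ext_if) to any keep state
pass out on $tun_if keep state
```

After loading the ruleset, `pfctl -s rules` shows what was actually parsed and `pfctl -vsr` prints per-rule packet counters, which is the quickest way to confirm that the route-to rules are being matched at all. Because nat runs before the filter on the outbound path, the `from` address in an outbound route-to rule has to be the address the filter stage sees, and the nat rule must be narrow enough not to touch the tunnel subnet.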



