Subject: IPFilter Policy Routing Question
To: None <netbsd-users@netbsd.org>
From: Michael Gorsuch <michael.gorsuch@gmail.com>
List: netbsd-users
Date: 01/09/2007 10:45:37
I have a firewall with two internal networks and two connections to
the internet.

I need a specific internal network to always route out of a specific
internet interface when trying to reach outbound traffic.

Setup:

wm0: 10.123.0.0/24
wm1: 10.123.1.0/24

re0: 100.100.100.1/30, next hop: 100.100.100.2
re1: 200.200.200.1/24, next hop: 200.200.200.2

server A is addressed as 10.123.1.10/24, NAT'd to 200.200.200.10.

I need to ALWAYS send internet bound traffic from wm1 out of re1.

I have a rule like so:

pass out log quick on re0 to re1:200.200.200.2 from 10.123.1.0/24 to any

Here's the kicker:

If I run 'ipmon', I can see outbound traffic hit that rule.  BUT, when
I run tcpdump -i re0, I still see the traffic passing out of re0
instead of re1.

The easiest way for me to test is to use ICMP from an external host
against Server A.   I can see the inbound request come in on re1 (as
it should), but my replies leave on re0.

Any pointers to how I may dig deeper to understand why it wants to
route on re0?

As of now, my ISP on re0 is allowing asymmetric traffic, but that can
change at any time.

Thank you,

Michael Gorsuch
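As an added example (not code from the post or from IPFilter itself), a small Python model of how the quoted rule is read and which packets it can catch. It assumes the simplified semantics that a `pass out ... on re0` rule is only consulted for packets the routing table has already assigned to re0, ignores NAT and state, and uses constructed addresses (203.0.113.5 as the external host).

```python
import ipaddress
from dataclasses import dataclass

# The rule quoted in the post; the packets tested below are constructed.
RULE_FROM_POST = ("pass out log quick on re0 to re1:200.200.200.2 "
                  "from 10.123.1.0/24 to any")

@dataclass
class Rule:
    action: str
    direction: str
    iface: str                            # "on" interface the packet is leaving
    fastroute: "tuple | None"             # (out_iface, gateway) from "to if:gw"
    src: "ipaddress.IPv4Network | None"   # None means "any"
    dst: "ipaddress.IPv4Network | None"

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(text):
    """Parse the ipf.conf subset used in the post (log/quick are ignored)."""
    tok = text.split()
    head, tail = tok[:tok.index("from")], tok[tok.index("from"):]
    # 'to ifname:gw' before 'from' is the fast-route target; the 'to'
    # after 'from' is the destination address.
    fastroute = None
    if "to" in head:
        out_if, gw = head[head.index("to") + 1].split(":")
        fastroute = (out_if, ipaddress.ip_address(gw))
    return Rule(tok[0], tok[1], head[head.index("on") + 1], fastroute,
                _net(tail[1]), _net(tail[3]))

def egress_for(rule, iface, direction, src, dst):
    """Interface the rule hands the packet to, or None when it does not match."""
    # 'iface' is the interface the routing table already chose: an 'on re0'
    # rule is never consulted for a packet the kernel is sending out re1.
    if rule.direction != direction or rule.iface != iface:
        return None
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return None
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return None
    return rule.fastroute[0] if rule.fastroute else iface

if __name__ == "__main__":
    r = parse_rule(RULE_FROM_POST)
    # Server A's reply to an external host that the kernel routed out re0
    print(egress_for(r, "re0", "out", "10.123.1.10", "203.0.113.5"))  # re1
    print(egress_for(r, "re0", "out", "10.123.0.7", "203.0.113.5"))   # None
```

Comparing the model's verdict with what ipmon logs for the same flow narrows the question to whether the match is being made but the redirect is not honoured, rather than whether the rule is matching at all.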