netbsd-users: Re: mark and route traffic with two links

Subject: Re: mark and route traffic with two links
To: Matthias Scheler <tron@zhadum.org.uk>
From: Paul Newhouse <newhouse@rockhead.com>
List: netbsd-users
Date: 01/24/2007 10:00:50
On Wed, 24 Jan 2007 13:31:17 +0000 Matthias Scheler wrote:
>  
>  On Wed, Jan 24, 2007 at 09:05:48AM -0300, Roberto Pereyra wrote:
>  > I using netbsd 3.1.
>  > 
>  > --------inet1 ------fxp0----|            |
>  >                                |  netbsd | --------clients
>  > --------inet2-------fxp1----|            |
>  > 
>  > 
>  > I would like to mark some kind of traffic (like www outbound) and route  
>  > through inet2.
>  > 
>  > Any hint ?
>  
>  You can use PF to achieve that. From "man 5 pf.conf":
>  
>       route-to
>             The route-to option routes the packet to the specified interface
>             with an optional address for the next hop.  When a route-to rule
>             creates state, only packets that pass in the same direction as the
>             filter rule specifies will be routed in this way.  Packets passing
>             in the opposite direction (replies) are not affected and are routed
>             normally.
>  
>  	Kind regards
>  
>  -- 
>  Matthias Scheler                                  http://zhadum.org.uk/

I tried this on 3.0.1:

  #
  #  multi-homed @ home
  #
  ext_if="tlp1"               # cable, DHCP and default route (NAT'd to fake
                                                               space on int_if)
  int_if="re0"                # LAN (assigned fake space)
  dsl_if="tlp0"               # DSL and fixed ip's
  dsl_net="209.128.91.40/29"  # DSL static ip CIDR (NAT'd to fake space on
                                                    dsl_if)
  dsl_ip="209.128.91.46"      # static ip addr on DSL interface
  dsl_hop="209.128.91.41"     # static IP for DSL router
  int_net="172.16.89.0/24"    # LAN assigned fake space addresses

  set debug loud

  pass in  proto tcp from $dsl_if to $dsl_net port 25 keep state
  pass out log on $ext_if route-to $dsl_if proto { tcp udp icmp } from \
         {$dsl_net} to any

The above trap the messages going out on the wrong interface BUT, then they
disappear.  If ext_if (tlp1) is the default route then all incoming on dsl_if
(tlp0) which are not specifically routed to dsl_if get routed to ext_if.
The above rules stop that but, the replies do not go out dsl_if (or any other
interface).

  #
  #pass out log on $ext_if route-to $dsl_if proto udp from {$dsl_net} to any
  #
  # following don't work - produce parsing error messages
  #
  #pass out log on $ext_if route-to $dsl_if:$dsl_hop proto tcp from \
         {$dsl_ip} to any
  #pass out log on $ext_if route-to $dsl_if:$dsl_hop proto udp from \
         {$dsl_ip} to any
  #pass out log on $ext_if reply-to $dsl_if proto tcp from {$dsl_ip} to any \
  #pass out log on $ext_if reply-to $dsl_if proto udp from {$dsl_ip} to any \
  #pass out log on $ext_if reply-to $dsl_if:209.128.91.41 proto tcp from \
         {$dsl_ip} to any
  #pass out log on $ext_if reply-to $dsl_if:209.128.91.41 proto udp from \
         {$dsl_ip} to any

Where did I go wrong?

TIA,
Paul