Subject: Re: question about ipf "fastroute"
To: Michael Richardson <>
From: Andrew Brown <>
List: tech-net
Date: 02/13/2003 15:21:49
>I want to do source address based routing for some particular IPs.
>This is easy when I am trying to put the packets into a tunnel:
>pass out quick on tlp0 to gif470 from to any 
>But, how do I do this with an ethernet? 
>I need to specify the next hop somehow. At the least, I need
>to change the MAC address (which would be some kind of bridging...)

now that i read this, i realize i did.  last week, in fact.  or maybe it
was this week.  i don't remember.

you want to do this:

pass out quick on tlp0 to tlp1:gate.way.add.ress from to any 

that will change the l2 (i.e., ethernet, etc.) or mac address on the
packet.  not the destination ip address.

using this sort of thing, i managed to make a machine have two
globally reachable ip addresses, that are reachable via different
providers, such that traffic that arrives on tlp0 leaves on tlp0 and
traffic that arrives on tlp2, leaves on tlp2.  the default route,
however, points out tlp0, so i need the rule on tlp0 that shoves the
tlp2 traffic back out tlp2.

the tricky bit is that it's an O(n^2) problem.  in order to make your
default route into something you can flip-flop back and forth from
interface to interface without breaking things, you need an ipf rule
for each interface (for broadcast interfaces, that is, like ethernet,
that describes how to reach the local subnet) and then one rule on each
outside interface for each outside interface that describes how the
traffic for each interface's address should move.

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)
* "ah!  i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."
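An added example (not part of the original message) of the full rule set the post describes, written out for the two-provider case. The interface names follow the post; the addresses and gateways are placeholders from documentation ranges, and the kernel default route is assumed to point out either tlp0 or tlp2.

```conf
# assumed addressing (placeholders, not from the post):
#   tlp0  192.0.2.10/24      provider A, gateway 192.0.2.1
#   tlp2  198.51.100.10/24   provider B, gateway 198.51.100.1
# the kernel default route may point out either tlp0 or tlp2.

# 1. one rule per broadcast interface so traffic for the directly attached
#    subnet goes straight out that interface (with no gateway given, ipf
#    uses the packet's destination address as the next hop); "quick" stops
#    it from falling through to the gateway rules below.
pass out quick on tlp0 to tlp0 from any to 192.0.2.0/24
pass out quick on tlp2 to tlp2 from any to 198.51.100.0/24

# 2. one rule on each outside interface for each outside interface:
#    whichever interface the default route hands a packet to, it is
#    re-routed out the interface whose address it is sourced from, via
#    that provider's gateway (only the L2 destination is rewritten; the
#    IP destination is untouched).
pass out quick on tlp0 to tlp0:192.0.2.1    from 192.0.2.10    to any
pass out quick on tlp0 to tlp2:198.51.100.1 from 198.51.100.10 to any
pass out quick on tlp2 to tlp0:192.0.2.1    from 192.0.2.10    to any
pass out quick on tlp2 to tlp2:198.51.100.1 from 198.51.100.10 to any

# adding a third provider on tlp3 means one more local-subnet rule, three
# new rules on tlp3 and one new rule on each of tlp0 and tlp2: the O(n^2)
# growth the post mentions.
```

Rule order matters because of "quick": the local-subnet rules must sit above the gateway rules, or traffic for a directly attached subnet gets forced through the provider gateway.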