Solved PF route-to anomaly. It works with 50% of flows.

[robot468]

Hello.

I'm trying to set up policy based routing with pf.

Here is my routing rule:

pass in log (all) quick on { $lan_if $guest_if }  route-to {$vps_tun $vps_gw}  from any to 104.21.67.120

here is my nat rule:

nat log (all) on $vps_tun from any to 104.21.67.120 -> ($vps_tun)

it turns into:

nat log (all) on tun0 inet from any to 104.21.67.120 -> 10.8.0.3

no round-robin

Problem is this works exactly every second ping command.

Pflog were ping worked:

16:12:18.735841 rule 6.rkn.0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 52106, seq 0, length 64
16:12:18.735856 rule 3/0(match): nat out on tun0: 10.8.0.3 > 104.21.67.120: ICMP echo request, id 52776, seq 0, length 64
16:12:18.797845 rule 3/0(match): nat in on tun0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 0, length 64
16:12:18.797854 rule 6..0/0(match): pass out on igb0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 0, length 64
16:12:19.726472 rule 6..0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 52106, seq 1, length 64
16:12:19.726497 rule 3/0(match): nat out on tun0: 10.8.0.3 > 104.21.67.120: ICMP echo request, id 52776, seq 1, length 64
16:12:19.788137 rule 3/0(match): nat in on tun0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 1, length 64
16:12:19.788147 rule 6..0/0(match): pass out on igb0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 1, length 64
16:12:20.735929 rule 6..0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 52106, seq 2, length 64
16:12:20.735954 rule 3/0(match): nat out on tun0: 10.8.0.3 > 104.21.67.120: ICMP echo request, id 52776, seq 2, length 64
16:12:20.796605 rule 3/0(match): nat in on tun0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 2, length 64
16:12:20.796613 rule 6..0/0(match): pass out on igb0: 104.21.67.120 > 192.168.1.64: ICMP echo reply, id 52106, seq 2, length 64

Pflog where ping not working:

16:13:20.053687 rule 6.rkn.0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 54154, seq 0, length 64
16:13:21.058694 rule 6..0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 54154, seq 1, length 64
16:13:22.064933 rule 6..0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 54154, seq 2, length 64
16:13:23.062467 rule 6..0/0(match): pass in on igb0: 192.168.1.64 > 104.21.67.120: ICMP echo request, id 54154, seq 3, length 64

Where does the packet disappear to in the second case? Does anyone have any idea what is going on?

 

[msplsh]

Reminds me of an earlier thread. Maybe reading those replies on alternatives to using route-to for non-port-specific things will help.

 

[robot468]

It is my bad.
Erorr is use "{}" brackets in route-to instead of "()". It evaluates "{}" to round-robin
Problem solved)

 

[msplsh]

I had a question about that when I looked at the pf syntax but I wasn't sure enough to raise it. ?