PF route-to example

user_new · Aug 22, 2024

Hi, I would like to ask if anyone could point me some examples of route-to with pf. thanks in advance

shurik · Aug 22, 2024

route-to option is for policy based routing. For example source based routing, when you need to select a gateway (and an outgoing interface) based on source of IP packet and not destination:

Code:

# pass all traffic via default route ($ext_if1) and traffic from 192.168.10.10 via secondary gateway ($ext_if2)
pass in on $int_if from 192.168.10.10 to any tag WAN2
pass out tagged WAN2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if1

user_new · Aug 22, 2024

Thank you so much, what are $ext_if1, $ext_if2 and $int_if?
Could you give me an example by assigning a value to each component? sorry I am inexperienced and many things are not clear

shurik · Aug 23, 2024

See an example network diagram below. In this scenario igb0 and igb1 are an external interfaces attached to ISP1 and ISP2. em0 is internal interface connected to LAN. Client 192.168.10.2 works via ISP1 (default route), however 192.168.10.10 works via ISP2 (despite default route). Please note, it is very general example.

Code:

int_if="em0"
ext_if1="igb0"
ext_if2="igb1"

ext_gw1="10.10.20.1"
ext_gw2="10.10.30.1"

block all
pass in quick on $int_if from 192.168.10.10 to any tag ISP2
pass in quick on $int_if from 192.168.10.0/24 to any
pass out quick tagged ISP2 route-to ($ext_if2 $ext_gw2)
pass out quick on $ext_if1

user_new · Aug 31, 2024

Thank you so much.
If I write the rule to the file and then load it with pfctl, how can I see the exact time when it was executed?

shurik · Sep 1, 2024

pfctl -sr -v gives you Evaluations counter, which is incremented each time a packet hits a rule.

user_new · Sep 1, 2024

thank you so much. if i use ipfw firewall, do you know how can i have the same information?

shurik · Sep 2, 2024

ipfw -t show shows you rule number, number of packets and bytes and last match timestamp

user_new · Sep 3, 2024

thank you so much! I would like to ask you one last thing. If I have two rules, one with fwd for ipfw and another with route-to for pf, do you know which of the two firewalls is activated first? if there is an activation order

Jose · Sep 3, 2024

user_new said:
thank you so much! I would like to ask you one last thing. If I have two rules, one with fwd for ipfw and another with route-to for pf, do you know which of the two firewalls is activated first? if there is an activation order

Do not use PF and IPFW at the same time. Don't take my word for it:

Solved - Questions about Firewalls (enable PF or IPFW or both together)

Hello. I'm using FreeBSD 13 release at my home-network with one server and some workstations/clients for about 2 years now. Everything's fine so far. In the beginning I enabled IPFW and PF on all systems, because I thought these 2 firewalls are using different technologies. Now, after reading...

forums.freebsd.org