pf策略路由问题

zhucy_ares

我有一个网关，上面有一根xx通的线路，有一个x通的线路，一根x信的线路。
xx通的线路为默认网关。
我需要让一个内网ip，通过nat到x通的网卡上，然后以x通的默认网关出去。
我的配置如下：
nat on $telcom_if from 192.168.1.115/32 to any -> ($telcom_if)
pass in quick on $telcom_if reply-to ($telcom_if $telcom_gw) from any to any keep state
pass in quick on $ext_if reply-to ($ext_if $ext_gw) from any to any keep state
pass in quick on $unicom_if reply-to ($unicom_if $unicom_gw) from any to any keep state
pass out log keep state

配置是根据llzqq兄的文章来的。手册中的route-to我也尝试过。
现在的情况是，我仍然以xxx通的默认网关出去。感觉好像是nat没生效。
请问如果我想做这种配置，需要是否修改路由表？（我不想在路由表里添加一堆的静态路由，我只是想让内网ip：192.168.1.115通过x通路由出去。同理让内网ip：192.168.1.116通过x信的路由出去。）
如能指教，感激涕零。

zhucy_ares

顶一下。需要什么log信息，提示一下。请大家帮忙看看

feillex

不是nat没生效，而是你的内网数据包没有到达$telcom_if网卡
需要在内网卡为那个ip地址增加一条pass in route-to规则，使来自内网卡特定ip的数据包发送到$telcom_if

zhucy_ares

# test nat
nat on $telcom_if from 192.168.27.115/32 to any -> ($telcom_if)

pass in on $int_if route-to ($telcom_if $telcom_gw) from 192.168.27.115 to any keep state
pass out on $ext_if route-to ($telcom_if $telcom_gw) from $telcom_if to any keep state

这样试了一下。还是走的路由表的默认网关。

feillex

贴完整规则
pfctl -sr

zhucy_ares

scrub in all fragment reassemble
anchor "ftp-proxy/*" all
pass out on bce0 proto tcp from any to any port = http flags S/SA keep state queue ext_http
pass out on bce0 proto udp from any to any port = http keep state queue ext_http
pass out on bce0 proto tcp all flags S/SA keep state queue ext_base
pass out on bce0 proto udp all keep state queue ext_base
block drop in on bce1 proto tcp from any to any port = loc-srv
block drop in on bce1 proto tcp from any to any port = netbios-ssn
block drop in on bce1 proto tcp from any to any port = krb524
block drop in on bce1 proto tcp from any to any port = microsoft-ds
block drop in on bce1 proto tcp from any to any port = bootps
block drop in on bce1 proto tcp from any to any port = finger
block drop in on bce1 proto tcp from any to any port = 16881
block drop in on bce1 proto udp from any to any port = loc-srv
block drop in on bce1 proto udp from any to any port = netbios-ssn
block drop in on bce1 proto udp from any to any port = krb524
block drop in on bce1 proto udp from any to any port = microsoft-ds
block drop in on bce1 proto udp from any to any port = bootps
block drop in quick on bce1 from any os "NMAP" to any
block drop in quick on bce0 from any os "NMAP" to any
block drop in quick on bce0 proto tcp all flags FS/FSRA
block drop in quick on bce0 proto tcp all flags FPU/FSRPAU
block drop in quick on bce0 proto tcp all flags /FSRA
block drop in quick on bce0 proto tcp all flags F/FSRA
block drop in quick on bce0 proto tcp all flags U/FSRAU
block drop in quick on bce1 proto tcp all flags FS/FSRA
block drop in quick on bce1 proto tcp all flags FPU/FSRPAU
block drop in quick on bce1 proto tcp all flags /FSRA
block drop in quick on bce1 proto tcp all flags F/FSRA
block drop in quick on bce1 proto tcp all flags U/FSRAU
pass in quick from <vip> to any flags S/SA keep state
pass in on bce1 route-to (bce2 60.248.34.65) inet from 192.168.27.115 to any flags S/SA keep state
pass out on bce0 route-to (bce2 60.248.34.65) inet from 60.248.34.66 to any flags S/SA keep state
block drop in quick from <blockbrute> to any
pass in on bce1 all flags S/SA keep state (source-track rule, max-src-conn 300, overload <blockbrute> flush global)

大概就这些，一共四块网卡。bce0是xx通，bce1是内网，bce2是x信线路，bce3是x通线路。
默认网关在bce0对应的网关上。
我只是想让192.168.27.115这个地址。通过x信线路上网而已。

feillex

如果192.168.27.115 不属于 表<vip>
将

1. pass in on bce1 route-to (bce2 60.248.34.65) inet from 192.168.27.115 to any flags S/SA keep state

复制代码

添加一个quick关键字试试看
pass in quick on bce1 route-to (bce2 60.248.34.65) inet from 192.168.27.115 to any flags S/SA keep state

如果ip属于vip表，则需将上述规则放到vip规则之前