
Interface groups & PF route-to



Hi all,

I've been trying to get interface groups going on a machine and have met with a
possibly interesting problem.

I have declared an interface to be part of a group, and that group shows up
correctly if I `ifconfig foogroup` or `pfctl -s Interfaces`.

I have a setup where I have one VPN come in over one ISP link, and another over
a second (from different remote IPs to different local IPs).

I have the following macros defined:
[NB: Yes, I changed the IPs]
"""
link2_if           = "em0"
#link2_if          = "MyIFGroup"
link2_gw           = "1.1.1.1"
link2_ip1          = "1.1.1.20"
remote_link0_ip1   = "200.200.200.200"
"""
To test, I comment out the 'em0' line and uncomment the IFGroup line.

I also have the following rules in place to correctly handle my VPN on that link:

"""
pass in  log quick on $link2_if reply-to ($link2_if $link2_gw)\
    proto esp from $remote_link0_ip1 to $link2_ip1 keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\
    proto esp from $link2_ip1 to $remote_link0_ip1 keep state

pass in  log on $link2_if reply-to ($link2_if $link2_gw)\
    proto udp from $remote_link0_ip1 port = isakmp to $link2_if\
    port = isakmp keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\
    proto udp from $link2_if port = isakmp to $remote_link0_ip1\
    port = isakmp keep state
"""

What I find is that when I go over to using the MyIFGroup declaration, my rules
stop matching and the VPN doesn't get established on the grouped interface (the
other VPN comes up fine).

Is there something I'm missing?  From reading the posts and 'man ifconfig'
about interface groups I'm pretty sure I just have to assign an interface to the
group and nothing more.  Is that correct?

Any help appreciated,
Cheers
Dave
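
As an added example (not part of Dave's post, and not pfctl's own code), the
script below expands the macros of a pf.conf fragment the way pfctl would and
reports, for each rule, which name ends up in the `on` slot, the
route-to/reply-to target slot, and the from/to address slot. Switching the
`link2_if` macro between `em0` and `MyIFGroup` then shows exactly which rule
positions change meaning, which is what to compare against the output of
`pfctl -nvf pf.conf` when a group name is substituted for an interface. The
PF_CONF text is constructed from the rules above; the tokenizer is simplified
and assumes no `{ }` sets or tables in the rules.

```python
"""Expand pf.conf macros and report where each interface/group name lands."""
import re

# Constructed sample based on the rules in the post, with the group variant active.
PF_CONF = '''
link2_if           = "MyIFGroup"
#link2_if          = "em0"
link2_gw           = "1.1.1.1"
link2_ip1          = "1.1.1.20"
remote_link0_ip1   = "200.200.200.200"

pass in  log quick on $link2_if reply-to ($link2_if $link2_gw)\\
    proto esp from $remote_link0_ip1 to $link2_ip1 keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\\
    proto esp from $link2_ip1 to $remote_link0_ip1 keep state

pass in  log on $link2_if reply-to ($link2_if $link2_gw)\\
    proto udp from $remote_link0_ip1 port = isakmp to $link2_if\\
    port = isakmp keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\\
    proto udp from $link2_if port = isakmp to $remote_link0_ip1\\
    port = isakmp keep state
'''

# A macro definition: name = "value" (quotes optional), at the start of a line.
MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*$')
# A $name reference inside a rule.
REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def logical_lines(text):
    """Strip comments, join backslash-continued lines, drop blank lines."""
    out, buf = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        if buf.strip():
            out.append(' '.join(buf.split()))
        buf = ''
    return out


def parse(text):
    """Split a pf.conf fragment into a macro table and a list of rule strings."""
    macros, rules = {}, []
    for line in logical_lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    return macros, rules


def expand(rule, macros):
    """Substitute $name references; an undefined macro is an error, as in pfctl."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError('macro %s is not defined' % name)
        return macros[name]
    return REF_RE.sub(sub, rule)


def interface_slots(rule):
    """Return {'on': [...], 'route': [...], 'addr': [...]} for an expanded rule."""
    toks = rule.replace('(', ' ( ').replace(')', ' ) ').split()
    slots = {'on': [], 'route': [], 'addr': []}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == 'on' and i + 1 < len(toks):
            slots['on'].append(toks[i + 1]); i += 2; continue
        if t in ('route-to', 'reply-to', 'dup-to') and i + 2 < len(toks) \
                and toks[i + 1] == '(':
            slots['route'].append(toks[i + 2]); i += 3; continue
        if t in ('from', 'to') and i + 1 < len(toks):
            slots['addr'].append(toks[i + 1]); i += 2; continue
        i += 1
    return slots


def analyze(text):
    """Per-rule slot report for an entire pf.conf fragment."""
    macros, rules = parse(text)
    return [interface_slots(expand(r, macros)) for r in rules]


def uses_of(text, name):
    """Set of slot kinds in which a given interface or group name appears."""
    found = set()
    for slots in analyze(text):
        for slot, names in slots.items():
            if name in names:
                found.add(slot)
    return found


if __name__ == '__main__':
    for variant in (PF_CONF, PF_CONF.replace('= "MyIFGroup"', '= "em0"')):
        macros, _ = parse(variant)
        print(macros['link2_if'], '->', sorted(uses_of(variant, macros['link2_if'])))
        for slots in analyze(variant):
            print('   ', slots)
```

Running it shows that `link2_if` is used in all three slots: as the `on`
interface, as the route-to/reply-to target, and (in the two isakmp rules) as a
from/to address, so a group name substituted for `em0` changes what is matched
in every one of those positions, not only in `on`.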
