Daily Archive for October 19th, 2009

FreeBSD: policy routing with pf in 7-STABLE is BROKEN

pass in quick on $wan1 reply-to ($wan1 $wan1gw) from !$wan1net to ($wan1) keep state
pass out  route-to ($wan1 $wan1gw) proto {udp, icmp} from $wan1net to any no state
pass out  route-to ($wan1 $wan1gw) proto tcp from $wan1net to any flags any no state

In FreeBSD 7.0, the pf.conf above worked, but it does not work in recent 7-STABLE. A TCP session may connect successfully, but throughput is very poor (~1 KB/s).

I have done some research for days, but have no idea. Now I use ipfw to do policy routing…