Ok... So I have scratched my head for more than a week and tried several support arenas without luck. Hoping one of the FreeBSD gurus here can tell me something I don't know.
Server has 1 physical interface = eth0
Server has 1 gre tunnel = gre0
Problem: All traffic on the GRE-bound IPs needs to route in/out the GRE tunnel. All traffic inbound on the GRE to one of its IPs needs to route back out the tunnel with some sort of source routing rule. All traffic on the IPs assigned to eth0 should route via eth0 only.
I've attempted a dozen different techniques between PF and ipfw, yet the only way I can force routing is:
scrub in on gre0 all fragment reassemble min-ttl 15 max-mss 1392
scrub in on gre0 all no-df
scrub on gre0 all reassemble tcp
pass in quick on gre0 reply-to gre0 inet proto tcp from any to any
pass in quick on gre0 reply-to gre0 inet proto udp from any to any
pass in quick on gre0 reply-to gre0 inet proto icmp from any to any
This seems to work for HTTP requests... SOMETIMES. It still seems like FreeBSD is alternating routes unless I were to add a static route for EVERY IP communicating with one of the GRE IPs.
I have replaced int_if/ext_if with actual interface names. This works for serving http/ssh, etc.
The issue really lies in trying to actually initiate an outbound request from one of the public IPs assigned to the GRE.
Say IRC for example. I want to connect to irc.serverorigin.com and I want to use the IP address (fake IP) 184.108.40.206:
Then I'd start my IRC client with IP 220.127.116.11 and try to connect to irc.serverorigin.com. Nothing happens...
What seems to happen is it tries to initiate the request outbound via eth0 instead of the gre0 interface.
Any ideas on making this work? I've tried nat, rdr, ipfw fwd... I'm guessing I'm doing something stupid.
Example... How would I make ALL traffic on the GRE IPs route ONLY on the GRE interface in/out?
Anyone seen this issue and know of a solution?
I've tried to pass out all traffic from the public subnet on the GRE to the tunnel gateway, but either I have the rule incorrect or it doesn't work...
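One way to pin both directions to the tunnel with PF, as an added example and not the poster's own ruleset: inbound on gre0 is answered with reply-to, and locally originated packets sourced from a tunnel address are caught on their way out of eth0 (where the default route sends them) and handed to gre0 with route-to. The interface names are the poster's; the tunnel peer 10.0.0.2 and the public block 203.0.113.0/28 are constructed placeholders.

```pf
# Added example, not the original poster's config. Assumed: eth0 is the
# physical NIC, gre0 the tunnel, 10.0.0.2 the far end of the tunnel and
# 203.0.113.0/28 the public block that is routed over the tunnel
# (the last two are constructed placeholders).
ext_if  = "eth0"
gre_if  = "gre0"
gre_gw  = "10.0.0.2"
gre_net = "203.0.113.0/28"

# Connections that arrive over the tunnel to a tunnel address are
# answered over the tunnel, regardless of the default route.
pass in quick on $gre_if reply-to ($gre_if $gre_gw) inet from any to $gre_net keep state

# Locally originated traffic sourced from a tunnel address: the kernel's
# route lookup picks $ext_if, so intercept it there and send it down the
# tunnel instead. "quick" keeps a later generic pass-out rule from
# matching first.
pass out quick on $ext_if route-to ($gre_if $gre_gw) inet from $gre_net to any keep state

# Traffic sourced from the NIC's own addresses stays on the NIC.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the result with `pfctl -s rules` and `pfctl -s state` while a client bound to a tunnel address connects out; the state entry should list gre0 as the route-to interface. An alternative on FreeBSD 7.1 or later is a second routing table (net.fibs=2 in /boot/loader.conf, a default route via gre0 in fib 1, and starting the client with setfib 1), which avoids per-peer static routes entirely.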