# Send jail inet traffic through a VPN tunnel with the PF rule “pass out route-to”



## Dre (Dec 5, 2010)

*Send jail inet traffic through a VPN tunnel with the PF rule “pass out route-to”*

Seriously, how hard can this really be?!?
I'm trying to get all of my jail traffic to go through a VPN tunnel while the rest of the traffic takes the normal route. I was hoping to accomplish this with the PF rule “pass out route-to”.
Could someone please tell me if this should be possible or if I'm only wasting my time.


I have one physical Ethernet interface “em0” with IP 192.168.0.10 and GW 192.168.0.1
The jail is on “lo1” with IP 10.1.1.1
The VPN is on “ng0” with external IP 93.182.188.96 and GW 93.182.188.2


```
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1456
        inet 93.182.188.96 --> 93.182.188.2 netmask 0xffffffff
```

Everything goes through the VPN tunnel with the default route set to the VPN gateway, so the VPN works (sort of, but that's another thread).

```
# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            93.182.188.2       UGS         0       20    ng0
10.1.1.1           link#3             UH          0        0    lo1
93.182.188.2       192.168.0.1        UGHS        4       29    em0
93.182.188.96      link#5             UHS         0        0    lo0
localhost          link#2             UH          0        0    lo0
192.168.0.0        link#1             U           8   142018    em0
192.168.0.10       link#1             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          localhost          UH          lo0
fe80::%lo0         link#2             U           lo0
fe80::1%lo0        link#2             UHS         lo0
ff01:2::           fe80::1%lo0        U           lo0
ff02::%lo0         fe80::1%lo0        U           lo0
```

My plan was to set the default GW to 192.168.0.1 again and then use the “pass out route-to” rule in pf.conf to route packets from the jail to the VPN GW.

Didn't get it to work, unfortunately.
I started out with

```
# Rule as posted. $ext_if is a macro defined elsewhere in the poster's pf.conf (not shown).
# A bare address must not carry a "$" prefix: in pf.conf "$name" expands a macro, so
# "$10.1.1.1" is a syntax error. The leading "#" is the poster's marker; in a real
# pf.conf a line beginning with "#" is a comment and is never loaded.
#pass out route-to ($ext_if 93.182.188.2) from 10.1.1.1 to ! 10.1.1.1/24
```
The packets didn't go through the tunnel though.

Instead this ends up in my IPFW log.

```
Dec  4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:39097 93.9.233.42:1539 out via em0
Dec  4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:60489 90.51.200.88:31998 out via em0
Dec  4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:60518 78.227.136.20:6880 out via em0
```

I then tried

```
# Rule as posted; the gateway is the ng0 peer 93.182.188.2 from the ifconfig output
# above (the post had "93.182.189.2", a typo). $ext_if is a macro defined elsewhere.
#pass out route-to ($ext_if 93.182.188.2) from any to any
```
But with the same result.
I would have expected that to override the default route, but apparently that isn't the case.

Have I misunderstood the functionality of the route-to option, or is it just the implementation that is wrong?

I can't use IPFW fwd rules because that isn't enabled in the kernel.


----------
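As an added worked example (not from the original post or any reply in the thread), the pf.conf fragment below shows how `route-to` is normally used to push one source network out a different interface than the routing table chose. It assumes the addresses from the post (em0 192.168.0.10 with 192.168.0.1 restored as the default gateway, the jail on lo1 as 10.1.1.1, the tunnel ng0 93.182.188.96 --> 93.182.188.2, and the host route to 93.182.188.2 via 192.168.0.1 left in place so the tunnel endpoint stays reachable), and the FreeBSD 8-era pf grammar in which translation rules precede filter rules. Two points matter for the symptom described above: the interface named in `route-to` is the interface the packet is actually emitted on, so `($ext_if 93.182.188.2)` with `$ext_if` set to em0 forces the packets out em0 exactly as the IPFW log shows, and the jail's private source address must be translated to the tunnel address on ng0, which only happens if no floating state from the em0 evaluation short-circuits the second evaluation on ng0.

```pf
# Added example, not the poster's configuration.  Interfaces and addresses are
# taken from the post; everything else is an assumption for illustration.
ext_if   = "em0"
vpn_if   = "ng0"
vpn_gw   = "93.182.188.2"
jail_net = "10.1.1.0/24"

# Loopback is not filtered; jail traffic is caught when it leaves on em0/ng0.
set skip on lo0

# Translation section (must come before filter rules in this pf generation).
# route-to re-injects the packet on $vpn_if and pf evaluates it again there, so
# this rule rewrites 10.1.1.x to the tunnel address on that second pass.
nat on $vpn_if from $jail_net to any -> ($vpn_if)

# The routing table (default via 192.168.0.1) selects em0 for the jail's packets,
# so the rule matches "out on em0".  The route-to target names the interface the
# gateway is reachable through, ng0, not em0: naming em0 here would emit the
# packets on em0 untranslated.  "no state" prevents this pass from creating a
# floating state that the second evaluation on $vpn_if would match before NAT.
pass out quick on $ext_if route-to ($vpn_if $vpn_gw) inet from $jail_net to any no state

# Host traffic leaves em0 as before; translated jail traffic leaves ng0.  The
# state created on ng0 carries the NAT mapping, so replies arriving on ng0 are
# mapped back to 10.1.1.1 and delivered locally via lo1.
pass out on $ext_if inet from ($ext_if) to any keep state
pass out on $vpn_if inet from ($vpn_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`, and watch `pfctl -ss` for states on ng0 with a 93.182.188.96 source while the jail makes an outbound connection. If `set state-policy if-bound` is already in use, the `no state` on the route-to rule is not needed, because an em0-bound state cannot match on ng0. Note that ipfw still sees every packet on the pfil hooks independently of pf; a deny rule there is evaluated regardless of what pf decides.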

