Policy Routing Web Traffic On A FreeBSD Router

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


This example outlines how to configure a FreeBSD router to policy route traffic (web in this instance) towards a Squid proxy which is using a tproxy mode.

pf example rules

/!\ the "no state" are very important to make the re-routing decision a packet by packet one.

ext_if = "em0"
int_if = "em2"
proxy_if = "em1"
lan_net = ""
proxy1 = ""
proxy_net = ""
upstream_router= ""

pass in quick on $ext_if route-to ($proxy_if $proxy1) proto tcp from any port 80 to $lan_net no state
pass in quick on $int_if route-to ($proxy_if $proxy1) proto tcp from $lan_net to any port 80 no state

rc.conf example for a router

ifconfig_em0="inet netmask"
ifconfig_em1="inet netmask"
ifconfig_em2="inet netmask"
ifconfig_em3="inet netmask"

##PF default rules file is: /etc/pf.conf


# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable

FreeBSD Virtio net drivers issue

From an unknown reason the FreeBSD virtio net drivers creates invalid packets while being routed. To prevent this corruption to happen there is a need to disable two interfaces options:

  • rxcsum
  • txcsum

I wrote a small startup script to disable these options for vtnet(virtio) devices.

   1 #!/bin/sh
   3 . /etc/rc.subr
   5 name="vtnet"
   6 rcvar=vtnet_enable
   7 start_cmd="${name}_start"
   8 stop_cmd=":"
  10 vtnet_start()
  11 {
  12         echo "VTNET started."
  13         ifconfig |grep "^vtnet"|awk '{print $1}'|sed s/\://g |xargs -n1 |       while read INTERFACE
  14         do
  15                 ifconfig $INTERFACE -rxcsum
  16                 ifconfig $INTERFACE -txcsum
  17         done
  19 }
  21 load_rc_config $name
  22 run_rc_command "$1"

A Similar config on OpenBSD

PF rules

ext_if = "em0"
int_if = "em2"
proxy_if = "em1"
lan_net = ""
proxy1 = ""
proxy_net = ""
upstream_router= ""

pass in quick on $int_if proto tcp from $lan_net to any port 80 route-to ($proxy_if $proxy1) no state
pass in quick on $ext_if proto tcp from any port 80 to $lan_net route-to ($proxy_if $proxy1) no state

Additional settings for a router mode:

sysctl -w net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
sysctl -w net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

OpenBSD Virtio net drivers issue

Similar to FreeBSD there is an issue in OpenBSD with the virtio drivers which causes packets to get corrupted.

  • /!\ I will try to contact the OpenBSD mailing list to see if something could be done.

  • I have contacted someone on the IRC channel and after testing latest(27/08/2015) current(5.8) it seems that the issue got resolved and the packets are not malformed anymore.

ConfigExamples/Intercept/PfPolicyRoute (last edited 2015-08-27 20:49:47 by Eliezer Croitoru)