pf load balancing question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf load balancing question
- From: Aron Stansvik <elvstone_(_at_)_home_(_dot_)_se>
- Date: Thu, 27 May 2004 01:50:22 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
I'm rather new to OpenBSD firewalling and have only set up simple NAT gateways
so far. This configuration is a little bit more complicated, though my question
is probably very simple. The scenario is this:
+-----------------+
| My clients      |   +--------------------+
| 192.168.30.0/24 |   | My router          |                      +------------+
+-----------------+--- rl1: 192.168.30.1   |                      |            |
                      | ne3: 213.67.22.235 --ISP1-----------------|            |
                      | rl0: 10.100.47.252 --ISP2 (NAT)-----------|  Internet  |
                      +--------------------+                      |            |
                                                                  +------------+
This is my pf.conf as it is now (posting it might be bad, but I really need
help):
## pf.conf ##
# Macros
# Interfaces
if_lo = "lo0"
if_int = "rl1"
if_telia = "ne3"
if_noranet = "rl0"
if_vpn = "enc0"
if_ipv6 = "gif0"
# Addresses
addr_noranet = "10.100.0.1" # NoraNet gateway.
addr_telia = "213.67.22.1" # Telia gateway.
addr_btexact = "193.113.58.80" # BTexact IPv6 tunnel broker.
addr_blixa = "192.168.30.2" # Our web/file/ftp server.
addr_neger = "192.168.30.10" # Viktors machine.
addr_verkstaden = "192.168.30.11" # Moms machine.
addr_glorfindel = "192.168.30.32" # Elvis' laptop.
addr_caradhras = "217.215.175.167" # The router in Linköping.
# Networks
net_int = "192.168.30.0/24" # The internal client network.
net_noranet = "10.100.0.0/16" # NoraNet internal network.
# Options
set block-policy return
set optimization normal
set loginterface $if_telia
# Packet normalization
scrub in on $if_telia all
scrub in on $if_noranet all
# Translation (NAT and Redirects)
# NAT.
nat on $if_telia inet from $net_int to any -> ($if_telia)
nat on $if_noranet inet from $net_int to any -> ($if_noranet)
# Redirects.
rdr on $if_telia proto tcp from any to ($if_telia) port 80 -> $addr_blixa port 80
rdr on $if_telia proto tcp from any to any port 21 -> $addr_blixa port 21
rdr on $if_telia proto tcp from any to any port 60000:65535 -> $addr_blixa port 60000:65535
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $if_telia proto tcp from any to any port 23 -> $addr_blixa port 22
rdr on $if_telia proto tcp from any to any port 222 -> $addr_glorfindel port 22
# Filtering
# Block all by default.
block all
# Pass all on loopback.
pass quick on $if_lo all
# Pass all outgoing on internal.
pass out on $if_int from any to $net_int
# Pass all incoming on internal destined for the gateway itself.
pass in quick on $if_int from $net_int to $if_int
# Load balance outgoing connections across the two ISPs using round-robin.
pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto tcp from $net_int to any flags S/SA modulate state
pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto { udp, icmp } from $net_int to any keep state
# Pass all outgoing on external interfaces.
pass out on $if_telia proto tcp from any to any flags S/SA modulate state
pass out on $if_telia proto { udp, icmp } from any to any keep state
pass out on $if_noranet proto tcp from any to any flags S/SA modulate state
pass out on $if_noranet proto { udp, icmp } from any to any keep state
# Ensure that packets with source belonging to $if_telia are always routed
# to $addr_telia, and with source belonging to $if_noranet to $addr_noranet.
pass out on $if_telia route-to ($if_noranet $addr_noranet) from $if_noranet to any
pass out on $if_noranet route-to ($if_telia $addr_telia) from $if_telia to any
# Allow and log incoming (services).
pass in log on $if_telia inet proto tcp from any to any port 80 keep state
pass in log on $if_telia inet proto tcp from any to any port 22 keep state
pass in log on $if_telia inet proto tcp from any to any port 21 keep state
pass in log on $if_telia inet proto tcp from any to any port 60000 >< 65535 keep state
# Allow IPsec key exchange protocol from/to caradhras.
pass in on $if_telia inet proto udp from $addr_caradhras to ($if_telia) port isakmp
pass out on $if_telia inet proto udp from ($if_telia) to $addr_caradhras port isakmp
# Allow ESP traffic from/to caradhras.
pass in on $if_telia inet proto esp from $addr_caradhras to ($if_telia)
pass out on $if_telia inet proto esp from ($if_telia) to $addr_caradhras
pass in on $if_telia inet proto ah from $addr_caradhras to ($if_telia)
pass out on $if_telia inet proto ah from ($if_telia) to $addr_caradhras
# Allow traffic on ESP encapsulation interface.
pass in on $if_vpn from any to any
pass out on $if_vpn from any to any
# Allow IPv6-over-IPv4 traffic to/from our tunnel broker.
pass out on $if_telia inet proto ipv6 from $if_telia to $addr_btexact keep state
pass in on $if_telia inet proto ipv6 from $addr_btexact to $if_telia keep state
# Allow IPv6 traffic on our tunnel interface.
pass out on $if_ipv6 inet6 all keep state
pass in on $if_ipv6 inet6 all keep state
## end pf.conf ##
(Never mind the v6 and IPsec stuff in there).
Now, as you can see, I have two ISPs. One of them (Telia) gives me a public IP,
but the second one puts me behind a masquerading NAT (in 10.100.0.0/16). So
what happens with the above rules, which I don't want, is that when a client
tries to access an address in 10.100.0.0/16, the round-robin scheduling I'm
using might route it to ($if_telia $addr_telia), and the address will not be
found. Am I talking nonsense? I guess what I'd like to know is: how would you
guys do it? :)
My problem is best illustrated by this:
client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
^C
client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
64 bytes from 10.100.0.1: icmp_seq=0 ttl=63 time=134.821 ms
^C
client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
^C
Be kind to the newbie, thanks for all answers.
Best regards,
Aron Stansvik
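An added example (not from the original post or any reply to it) of the rules a practitioner would put in front of the round-robin rules so that traffic for NoraNet's private range is always sent out rl0. It reuses the macros from the posted pf.conf ($if_int, $if_noranet, $addr_noranet, $net_int and the so far unused $net_noranet) and assumes that 10.100.0.0/16 is reachable only through ISP2; the round-robin and "pass out" rules that follow are the poster's own, repeated unchanged to show the ordering:

```pf
# Added example, not part of the original pf.conf.
# pf evaluates rules top to bottom and the LAST matching rule wins unless a
# rule carries "quick".  The posted round-robin rules below would otherwise
# match the same packets and override any earlier, more specific rule, so the
# pinning rules are marked quick.  A route-to in a matching rule also
# overrides the kernel routing table, which is why a plain "route add
# 10.100.0.0/16 10.100.0.1" on the gateway would not fix this by itself.

# Assumption: 10.100.0.0/16 ($net_noranet) is only reachable via ISP2 (rl0).
pass in quick on $if_int route-to ($if_noranet $addr_noranet) \
    proto tcp from $net_int to $net_noranet flags S/SA modulate state
pass in quick on $if_int route-to ($if_noranet $addr_noranet) \
    proto { udp, icmp } from $net_int to $net_noranet keep state

# Everything else is still spread over both ISPs, exactly as posted.
pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto tcp from $net_int to any flags S/SA modulate state
pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto { udp, icmp } from $net_int to any keep state

# The existing "nat on $if_noranet ... -> ($if_noranet)" rule still
# translates these packets, so replies from 10.100.0.1 come back on rl0.

# Checks before and after loading, run on the gateway:
#   pfctl -nf /etc/pf.conf      parse only, no changes applied
#   pfctl -f  /etc/pf.conf      load the ruleset
#   pfctl -sr                   confirm the quick rules precede the round-robin ones
#   pfctl -ss | grep 10.100.0.1 a test ping from a client should now show every
#                               state for that address on rl0, not ne3
```

With the ruleset as posted, the alternating success and failure of the ping is exactly what round-robin produces: every other ICMP state is handed to ne3 and 10.100.0.1 is unreachable from Telia's side. The two quick rules remove 10.100.0.0/16 from the pool before the round-robin choice is made; anything not in that range keeps being balanced.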