
pf load balancing question



I'm rather new to OpenBSD firewalling and have only set up simple NAT gateways
so far. This configuration is a little bit more complicated, though my question
is probably very simple. The scenario is this:

 +-----------------+
 | My clients      |  +--------------------+
 | 192.168.30.0/24 |  | My router          |
 +-----------------+--- rl1: 192.168.30.1  |             +------------+
                      | ne3: 213.67.22.235 --ISP1--------|            |
                      | rl0: 10.100.47.252 --ISP2 (NAT)--|  Internet  |
                      +--------------------+             |            |
                                                         +------------+

This is my pf.conf as it is now (posting it might be bad, but I really need
help):

## pf.conf ##

# Macros

  # Interfaces
  if_lo = "lo0"
  if_int = "rl1"
  if_telia = "ne3"
  if_noranet = "rl0"
  if_vpn = "enc0"
  if_ipv6 = "gif0"

  # Addresses
  addr_noranet = "10.100.0.1"        # NoraNet gateway.
  addr_telia = "213.67.22.1"         # Telia gateway.
  addr_btexact = "193.113.58.80"     # BTexact IPv6 tunnel broker.
  addr_blixa = "192.168.30.2"        # Our web/file/ftp server.
  addr_neger = "192.168.30.10"       # Viktor's machine.
  addr_verkstaden = "192.168.30.11"  # Mom's machine.
  addr_glorfindel = "192.168.30.32"  # Elvis' laptop.
  addr_caradhras = "217.215.175.167" # The router in Linköping.

  # Networks
  net_int = "192.168.30.0/24"        # The internal client network.
  net_noranet = "10.100.0.0/16"      # NoraNet internal network.

# Options

  set block-policy return
  set optimization normal
  set loginterface $if_telia

# Packet normalization

  scrub in on $if_telia all
  scrub in on $if_noranet all

# Translation (NAT and Redirects)

  # NAT.
  nat on $if_telia inet from $net_int to any -> ($if_telia)
  nat on $if_noranet inet from $net_int to any -> ($if_noranet)

  # Redirects.
  rdr on $if_telia proto tcp from any to ($if_telia) port 80 -> $addr_blixa port 80
  rdr on $if_telia proto tcp from any to any port 21 -> $addr_blixa port 21
  rdr on $if_telia proto tcp from any to any port 60000:65535 -> $addr_blixa port 60000:65535
  rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
  rdr on $if_telia proto tcp from any to any port 23 -> $addr_blixa port 22
  rdr on $if_telia proto tcp from any to any port 222 -> $addr_glorfindel port 22

# Filtering

  # Block all by default.
  block all

  # Pass all on loopback.
  pass quick on $if_lo all

  # Pass all outgoing on internal.
  pass out on $if_int from any to $net_int

  # Pass all incoming on internal destined for the gateway itself.
  pass in quick on $if_int from $net_int to $if_int

  # Load balance outgoing connections across the two ISPs using round-robin.
  pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto tcp from $net_int to any flags S/SA modulate state
  pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto { udp, icmp } from $net_int to any keep state

  # Pass all outgoing on external interfaces.
  pass out on $if_telia proto tcp from any to any flags S/SA modulate state
  pass out on $if_telia proto { udp, icmp } from any to any keep state
  pass out on $if_noranet proto tcp from any to any flags S/SA modulate state
  pass out on $if_noranet proto { udp, icmp } from any to any keep state

  # Ensure that packets with source belonging to $if_telia are always routed
  # to $addr_telia, and with source belonging to $if_noranet to $addr_noranet.
  pass out on $if_telia route-to ($if_noranet $addr_noranet) from $if_noranet to any
  pass out on $if_noranet route-to ($if_telia $addr_telia) from $if_telia to any

  # Allow and log incoming (services).
  pass in log on $if_telia inet proto tcp from any to any port 80 keep state
  pass in log on $if_telia inet proto tcp from any to any port 22 keep state
  pass in log on $if_telia inet proto tcp from any to any port 21 keep state
  pass in log on $if_telia inet proto tcp from any to any port 60000 >< 65535 keep state

  # Allow IPsec key exchange protocol from/to caradhras.
  pass in on $if_telia inet proto udp from $addr_caradhras to ($if_telia) port isakmp
  pass out on $if_telia inet proto udp from ($if_telia) to $addr_caradhras port isakmp

  # Allow ESP traffic from/to caradhras.
  pass in on $if_telia inet proto esp from $addr_caradhras to ($if_telia)
  pass out on $if_telia inet proto esp from ($if_telia) to $addr_caradhras
  pass in on $if_telia inet proto ah from $addr_caradhras to ($if_telia)
  pass out on $if_telia inet proto ah from ($if_telia) to $addr_caradhras

  # Allow traffic on ESP encapsulation interface.
  pass in on $if_vpn from any to any
  pass out on $if_vpn from any to any

  # Allow IPv6-over-IPv4 traffic to/from our tunnel broker.
  pass out on $if_telia inet proto ipv6 from $if_telia to $addr_btexact keep state
  pass in on $if_telia inet proto ipv6 from $addr_btexact to $if_telia keep state

  # Allow IPv6 traffic on our tunnel interface.
  pass out on $if_ipv6 inet6 all keep state
  pass in  on $if_ipv6 inet6 all keep state

## end pf.conf ##

(Never mind the v6 and IPsec stuff in there).

Now, as you can see, I have two ISPs. One of them (Telia) gives me a public IP,
but the second one puts me behind a masquerading NAT (in 10.100.0.0/16). So
what happens with the above rules, which I don't want, is that when a client
tries to access an address in 10.100.0.0/16, the round-robin scheduling I'm
using might route it to ($if_telia $addr_telia), and the address will not be
found. Am I talking nonsense? I guess what I'd like to know is: how would you
guys do it? :)

My problem is best illustrated by this:

client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
^C
client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
64 bytes from 10.100.0.1: icmp_seq=0 ttl=63 time=134.821 ms
^C
client$ ping 10.100.0.1
PING 10.100.0.1 (10.100.0.1): 56 data bytes
^C

Be kind to the newbie, thanks for all answers.

Best regards,
Aron Stansvik
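One way to keep NoraNet-bound traffic off the Telia link, written as an added example rather than part of the original message: because pf evaluates rules last-match-wins unless a rule is marked quick, a quick route-to rule for $net_noranet placed before the round-robin rules wins for those destinations, and every other destination still falls through to the existing round-robin rules. It uses only the macros the post defines and assumes the rest of pf.conf stays as posted.

```pf
  # Destinations inside NoraNet (10.100.0.0/16) exist only behind ISP2's NAT,
  # so they must always leave via rl0. "quick" stops evaluation here, before
  # the round-robin rules below can pick ($if_telia $addr_telia) instead.
  pass in quick on $if_int route-to ($if_noranet $addr_noranet) \
      proto tcp from $net_int to $net_noranet flags S/SA modulate state
  pass in quick on $if_int route-to ($if_noranet $addr_noranet) \
      proto { udp, icmp } from $net_int to $net_noranet keep state

  # Everything else keeps being balanced across both ISPs (unchanged rules).
  pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto tcp from $net_int to any flags S/SA modulate state
  pass in on $if_int route-to { ($if_noranet $addr_noranet), ($if_telia $addr_telia) } round-robin proto { udp, icmp } from $net_int to any keep state
```

After loading, `pfctl -sr` should list the two quick rules ahead of the round-robin rules, and the existing `nat on $if_noranet` rule still translates the NoraNet-bound packets because they now leave on rl0.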
