31st January 2012
alpha202ej
Dual WAN & HTTPS Sites

Hi everyone,

Anyone ever have any issues accessing certain HTTPS sites? We have our OpenBSD box acting as the firewall and it utilizes an asymmetrical dual WAN connection (two different ISPs). The error that is most telling is from LogMeIn, where it states I have an IP address mismatch. This doesn't make sense to me since I have a rule that forces HTTPS traffic to only go through the first WAN interface. Furthermore, I also went ahead and reloaded my PF to only utilize the one interface and still have the same issue (did a pfctl -F all -f /etc/pf.conf).

Below is my pf.conf.

Code:
# PF Configuration

############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
ext = "{ vr1, axe0 }"
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
abcnet = "10.21.0.0/16"
vpnnet = "172.25.0.0/24"
#SH_Ext = "x.x.x.x"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 21, 22, 443, 1194, 3389, 8008, 10000 }"
abc_scanner = "{ 21, 80, 443, 990, 2002, 3000:3019 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
voipport = "{ 4569 }"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

# FTP Pass
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################


#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in all scrub (no-df max-mss 1440)

match out on $vpn_if from $localnet nat-to $vpn_if
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################

#antispoof for $int_if
#antispoof for $ext_if1
#antispoof for $ext_if2

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

pass inet proto { tcp, udp } from { self, $localnet, $vlan100net, $vpnnet }

# Single WAN - DISABLED
#pass out log on $ext_if1 proto { tcp udp icmp } all

### Dual WAN Configuration
pass in log on $int_if from { $localnet, $vpnnet } route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Reply-path fix: packets sourced from $ext_if2's address that the routing table would send out $ext_if1 are re-routed via $ext_gw2, and the same for $ext_if1's address and $ext_gw1
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass in inet proto tcp to port ssh
pass inet proto icmp

# VPN
pass quick on $vpn_if
pass in on !$ext_if1 to $abcnet
pass in on !$ext_if2 to $abcnet
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010

Anyone know what might be going on? At this point I am baffled. Thanks!
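The following pf.conf fragment is an added example and is not part of the original post or the poster's configuration. It shows the two pf features a practitioner would reach for when several connections from one client must present the same public address on a dual-WAN box: `sticky-address` on the `round-robin` route-to pool, which keeps every connection from a given source address on the WAN its first connection picked, and `quick` on the pinning rule, so that no later rule can take precedence. The second point matters because pf uses last-matching-rule-wins unless a rule is `quick`; in the posted ruleset, for instance, the interface-less `pass in inet proto tcp to port ssh` comes after the single-WAN pinning rule and therefore matches last for port 22 from the LAN. The `pinned_ports` macro and its contents are assumptions for illustration (note that the post's `snglextports` list pins 443 but not 80), and `x.x.x.x` / `y.y.y.y` are placeholders as in the post.

```pf
# Added example (not the poster's config): dual-WAN policy routing that keeps
# each internal client on one ISP, with selected ports pinned to WAN1.
# Interface names mirror the post; gateway addresses are placeholders.
int_if   = "vr0"
ext_if1  = "vr1"
ext_if2  = "axe0"
ext_gw1  = "x.x.x.x"    # placeholder: ISP 1 gateway
ext_gw2  = "y.y.y.y"    # placeholder: ISP 2 gateway
localnet = "10.0.0.0/24"
# Assumption for this example: ports whose sessions must share one public IP.
pinned_ports = "{ 22, 80, 443, 1194, 3389 }"

set skip on lo0
match in all scrub (no-df max-mss 1440)

# Source-NAT to whichever external interface the packet actually leaves on.
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)

block log

# 1. Pinned ports: 'quick' stops evaluation here, so a later rule
#    (for example an interface-less 'pass in ... to port ssh')
#    cannot silently override the route-to decision.
pass in quick on $int_if proto { tcp, udp } from $localnet to port $pinned_ports \
    route-to ($ext_if1 $ext_gw1)

# 2. Everything else is load-balanced, but 'sticky-address' keeps all
#    connections from the same source address on the WAN chosen for its
#    first connection, so a service that compares the client IP it sees
#    across several connections (or across ports) sees a consistent one.
pass in on $int_if from $localnet \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address

# 3. Reply-path fix: packets sourced from one ISP's address that the kernel
#    routing table would push out the other ISP's interface.
pass out on $ext_if1 from ($ext_if2) route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from ($ext_if1) route-to ($ext_if1 $ext_gw1)

pass out on { $ext_if1 $ext_if2 }
```

Syntax-check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vvsr` to see rule numbers and hit counters when working out which rule actually matched. Because the route-to decision is stored in the state, existing states keep their old path after a rule change; flushing them before reloading, as the post's `pfctl -F all -f /etc/pf.conf` does, is the right way to test a routing change.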