View Single Post
  #1   (View Single Post)  
Old 16th September 2008
Calderon's Avatar
Calderon Calderon is offline
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60
Red face PF NAT and 2 external nic´s

Hi!

Im soon having another connection with static IP (from university) which has daily restrictions about the amount of transferred data. I also have this DSL connection with DHCP. I started to think that i would like to route/redirect some bandwidth eating ports from lan computers to use DSL. This also offers me a chance to "learn" some PF more. I planned that my DSL ext would be BFE0 and the STATIC one would be DC0.

oh and the ports i want to put through DSL are all the ports i have defined for LAN machines below.

edit: (coming to think of it second scenario would be that all other traffic goes thru DSL except http and port 28960 from LAN. Actually this is much straightforward too.)

here is my config now.

Code:
ext_if1="bfe0"  # Ulkoverkon kortti (DSL)
ext_if2="dc0"   # Ulkoverkon kortti (Static)
int_if="xl0"   # Sisäverkon kortti
# Macros
lahiverkko = $int_if:network
icmp_types = "{ 0, 3, 11 }"
#LAN machine 1 (pate)
pate = "{ 192.168.0.2 }"
patetcp = "{ 1412, 49995, 61027 }"      #TCP portit, erottele pilkulla, jotka ohjataan koneelle (pate)
pateudp = "{ 1412, 49995, 61027 }"      #UDP portit,  -   "  -

#LAN machine 2 (texina)
texina = "{ 192.168.0.3 }"
texinatcp = "{ 1414, 2412, 8085, 50200 }"       #TCP portit
texinaudp = "{ 1414, 2412 }"                    #UDP portit

#tablet
table <nonroutable> persist { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12,10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16,192.0.2.0/24, 204.152.64.0/23, \
224.0.0.0/3,255.255.255.255/32 }

# options
set block-policy return
set optimization aggressive
set loginterface $ext_if1
set skip on lo0
set skip on xl0
# scrub , Järjestele ja tarkista kaikki paketit sisään
scrub in all

# Queue. Mahdolliset siirtorajoitukset ja liikenteen priorisoinnit.
#altq on $ext_if bandwidth 848Kb hfsc queue { ack, dns, dflt }
#   queue ack        bandwidth 60% priority 7 hfsc (realtime 50%)
#   queue dns        bandwidth 10% priority 6 hfsc (realtime 5%)
#   queue dflt       bandwidth 30% priority 2 qlimit 100 hfsc (realtime 25% default)
# Testaus Primary Queue
#altq on $ext_if priq bandwidth 828Kb queue { ack, dns, dflt }
#    queue ack priority 7
#    queue dns priority 5
#    queue dflt priority 2 priq(default)
#
# Nat ja Uudelleenohjaukset (Hoidettu ylempänä makroilla, ei tarvitse välttämättä vaihtaa alempia)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
rdr pass on $ext_if1 proto tcp from any to any port $patetcp -> $pate
rdr pass on $ext_if1 proto udp from any to any port $pateudp  -> $pate
rdr pass on $ext_if1 proto tcp from any to any port $texinatcp  -> $texina
rdr pass on $ext_if1 proto udp from any to any port $texinaudp  -> $texina

# rules
block in log all
block out on $ext_if1 from any to <nonroutable>
block in log quick on $ext_if1 from <nonroutable> to any
#pass quick on $int_if from $int_if:network to $int_if:network
pass out quick on $ext_if1 proto udp from ($ext_if1) to any port 53 keep state queue ( dns )
pass out on $ext_if1 from ($ext_if1) keep state queue ( dflt , ack )
antispoof quick for { lo0 $int_if }

# pass in rules
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 80 keep state
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 22 keep state
pass in on $int_if from $int_if:network to any
#pass out on $int_if from any to $int_if:network
It´s not necessary to use queueing (Ment for DSL) if it even is possible or brings some extra difficulties to the thing :-)

I also tried to understand this (found with google)
http://osdir.com/ml/os.openbsd.pf/2004-07/msg00092.html
but with poor results. Or understood it but how to adapt to my use and will it work im unsure.

I know its annoying if someone asks ready configuration/examples, but it would be very nice. Im not the type who just puts it to use and enjoys. I really like to know how the thing works before i put it into use. So i read the conf over and over again till i get it.

ofc any other help/hints conserning that conf are welcome. thank you very much for your time.

Im running FBSD 7

Last edited by Calderon; 16th September 2008 at 06:56 PM.
Reply With Quote