#4, 8th December 2011
alpha202ej (Port Guard; Join Date: Dec 2011; Posts: 10)
Still having issues with dual WAN with failover. I was able to implement Equal Cost Multipath Routing, but I am not sure how to implement it in conjunction with ifstate. As far as I can tell, the ifstate is a sample configuration meant for use with CARP. I followed the example on OpenBSD's FAQ 6.14.

Below is my pitiful pf.conf

Code:
############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel to FSJ
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
SH_Ext = "z.z.z.z"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 10000, 443, 1194, 22 }"


# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################


#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in log
match in all scrub (no-df max-mss 1440)
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2) # Limiting VLAN 100 to WiMAX only

###################
## FILTERS RULES ##
###################

antispoof for $int_if
antispoof for $ext_if1
#antispoof for $ext_if2

block in log
#block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

pass inet proto { tcp, udp } from { self, $localnet, $vlan100net }

#pass out on $int_if to $localnet
#pass in quick on $int_if from $localnet to $int_if

# Single WAN
#pass out on $ext_if1 proto { tcp udp icmp } all

### Dual WAN Configuration
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from $localnet to port $snglextports route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Route packets from any IPs on $ext_if1 to $ext_gw1, and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass in on $int_if from $vlan100net to $MFC8780
#pass in quick on $ext_if1 inet proto tcp from any to any port 80 rdr-to 10.0.0.11 port 8008
#pass in on $ext_if1 inet proto tcp to $ext_if1 port 8008 rdr-to 10.0.0.11
#pass on $int_if inet proto tcp to 10.0.0.11 port 8008
pass in quick on $ext_if1 inet proto tcp from any to any port 8008 rdr-to 10.0.0.11
pass on $int_if inet proto tcp to 10.0.0.11 port 8008
pass in inet proto tcp to port ssh
pass inet proto icmp

# VPN
pass quick on $vpn_if
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010

Any guidance with my configuration to accomplish this failover (on the same box) would be greatly appreciated.

Thank you!
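One way to tie the round-robin route-to rules above to ifstated, as an added example (not from the post or from OpenBSD's FAQ): ifstated probes each gateway and, on a state change, reloads one of three pf rulesets. The file names /etc/pf.conf.dual, /etc/pf.conf.t1 and /etc/pf.conf.wimax are assumptions; each is a copy of the posted pf.conf differing only in the "Dual WAN Configuration" route-to rules, and x.x.x.x / y.y.y.y are the poster's own gateway placeholders.

```conf
# /etc/ifstated.conf (added example, assumed file layout; see lead-in)
#   /etc/pf.conf.dual  - route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
#   /etc/pf.conf.t1    - route-to ($ext_if1 $ext_gw1) only
#   /etc/pf.conf.wimax - route-to ($ext_if2 $ext_gw2) only

init-state both_up

# Gateway probes, one per WAN. Gateways are directly attached, so each ping
# leaves via the right interface without a static route. A single lost probe
# flips state; raise -c/-w or probe a host beyond the gateway (needs a host
# route via that gateway) if the links are lossy.
t1_up    = '( "ping -q -c 1 -w 1 x.x.x.x > /dev/null" every 10 )'
wimax_up = '( "ping -q -c 1 -w 1 y.y.y.y > /dev/null" every 10 )'

state both_up {
	init {
		run "pfctl -f /etc/pf.conf.dual"
	}
	if ! $t1_up
		set-state wimax_only
	if ! $wimax_up
		set-state t1_only
}

state t1_only {
	init {
		run "pfctl -f /etc/pf.conf.t1"
		# Reloading rules does not touch existing states, so flows already
		# pinned to the dead WiMAX path would hang until they time out.
		# Flushing every state forces clients to reconnect over T1 (this also
		# drops admin SSH sessions; use pfctl -k per host for a gentler cut).
		run "pfctl -F states"
	}
	if $wimax_up
		set-state both_up
	if ! $t1_up
		set-state wimax_only
}

state wimax_only {
	init {
		run "pfctl -f /etc/pf.conf.wimax"
		run "pfctl -F states"
	}
	if $t1_up
		set-state both_up
	if ! $wimax_up
		set-state t1_only
}
```

Enable the daemon with `ifstated_flags=""` in /etc/rc.conf.local and check each ruleset with `pfctl -nf <file>` before relying on the reload.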