#5
15th September 2011, n4p1

Thanks for helping me.

I was trying to set up a multipath route with two default gateways. But then I can't reach ssh from both interfaces. When I try to connect, I always get a connection to only one; the second one was unreachable. I was also trying the route-to statement in pf.conf without success. And traffic from the LAN always goes from both interfaces.

So the next solution was only route-to with one default gateway (I want all traffic to go via pppoe0 ($ext_if1) and pass in (on $ext_if2) only 3 services via em0: one rdr-to rule, ssh and vpn). It would be the best choice for my needs. After reading a lot of FAQs and manuals I tried to use tags in pf.conf:

Code:
ext_if1="pppoe0"
ext_gw1="87.x.y.z"
ext_if2="em0"
ext_gw2="178.x.y.z"
int_if="fxp0"
table <net_access> { 192.168.1.0/24, !192.168.1.10 }

# SCRUBBING SECTION #
match on $ext_if1 scrub (max-mss 1440)

# priority
# UPLOAD
altq on $ext_if1 priq bandwidth 500Kb queue {up_std, up_prio}
queue up_prio priority 7
queue up_std priority 1 priq(default)

# NAT
match out on $ext_if1 from 192.168.1.0/24 to any nat-to ($ext_if1)
#match out on $ext_if2 from 192.168.1.0/24 to any nat-to ($ext_if2)

# Default policy
block in log all
set block-policy drop

# loopback
set skip on lo

# WWW from LAN
pass in log on $int_if proto tcp from <net_access> to any port 80

# RDP redirect - Windows 2008
pass in on $ext_if1 proto tcp from <rdp_direct_access> to any port 9131 rdr-to 192.168.1.50 port 3389 tag IF1
pass in on $ext_if2 proto tcp from <rdp_direct_access> to any port 9131 rdr-to 192.168.1.50 port 3389 tag IF2

# ssh
pass in on $int_if proto tcp from ($int_if:network) to any port 22           ####### SSH via LAN
pass in on $ext_if1 proto tcp from any to any port 22 queue up_prio tag IF1  ####### SSH via $ext_if1
pass in on $ext_if2 proto tcp from any to any port 22 tag IF2                ####### SSH via $ext_if2

# openvpn
pass in on $ext_if1 proto tcp from any to any port 367 tag IF1        ####### OpenVPN via $ext_if1
pass in on $ext_if2 proto tcp from any to any port 367 tag IF2        ####### OpenVPN via $ext_if2

# route-to
# pass out log on { $ext_if1, $ext_if2, $int_if } from any to {!192.168.1.0/24, !10.8.0.0/24 } route-to ($ext_if1 $ext_gw1)
pass out log on { $ext_if1, $ext_if2 } route-to ($ext_if1 $ext_gw1) tagged IF1
pass out log on { $ext_if1, $ext_if2 } route-to ($ext_if2 $ext_gw2) tagged IF2
In theory, a packet passed in and tagged as "IF2" should be passed out via $ext_if2, and a packet passed in and tagged as "IF1" should be passed out via $ext_if1.

But it works like this:
1. $ext_if1 port 9131 - connection is ok
2. $ext_if2 port 9131 - can't connect
3. port 22 is reachable from the LAN and $ext_if1 but not from $ext_if2.

It is so frustrating and I have no idea what to do next. Could anyone point me in the right direction?

Last edited by n4p1; 15th September 2011 at 08:41 AM.
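As an added example (not from the post or any reply in the thread), here is how the same three inbound services on $ext_if2 can be made reachable with pf's reply-to instead of tags, using the post's macro names and the `( interface gateway )` route syntax of OpenBSD releases of the post's era; the `<rdp_direct_access>` table, which the post references but does not define, is filled with a constructed sample range.

```pf
# Added example, not the original poster's config. Macro values are the
# post's; the <rdp_direct_access> contents are a constructed sample.
ext_if1="pppoe0"
ext_gw1="87.x.y.z"
ext_if2="em0"
ext_gw2="178.x.y.z"
int_if="fxp0"
table <rdp_direct_access> { 203.0.113.0/24 }

set block-policy drop
set skip on lo
match on $ext_if1 scrub (max-mss 1440)
match out on $ext_if1 from 192.168.1.0/24 to any nat-to ($ext_if1)

block in log all

# Why the tag approach fails: the "pass in" rule creates a state, and the
# replies from the server are matched against that state and sent by the
# kernel routing table (default route via $ext_if1), so a later
# "pass out ... route-to ... tagged IF2" rule is never consulted.
# reply-to stores the return route in the state itself, so replies leave
# by the interface and gateway the connection arrived on.
# Using "to ($ext_if2)" instead of "to any" limits each service to the
# interface's own address rather than anything routed through the box.
pass in on $ext_if2 proto tcp from any to ($ext_if2) port 22 \
    reply-to ($ext_if2 $ext_gw2)
pass in on $ext_if2 proto tcp from any to ($ext_if2) port 367 \
    reply-to ($ext_if2 $ext_gw2)
pass in on $ext_if2 proto tcp from <rdp_direct_access> to ($ext_if2) port 9131 \
    rdr-to 192.168.1.50 port 3389 reply-to ($ext_if2 $ext_gw2)

# $ext_if1 carries the default route, so its replies need no reply-to.
pass in on $ext_if1 proto tcp from any to ($ext_if1) port { 22, 367 }
pass in on $ext_if1 proto tcp from <rdp_direct_access> to ($ext_if1) port 9131 \
    rdr-to 192.168.1.50 port 3389

pass in on $int_if proto tcp from ($int_if:network) to any port 22
pass out on { $ext_if1, $ext_if2, $int_if }
```

Recent OpenBSD releases replaced the `( interface gateway )` form of route-to and reply-to with `gateway@interface`, so check pf.conf(5) for the release in use before loading this.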