14th December 2011
alpha202ej

Port Forwarding with Dual WAN Connections

Hi guys,

Now that I have my PF up and running using dual WAN connections, I have run into another issue that I cannot explain for the life of me.

As mentioned earlier, I am using dual WAN connections with load balancing to utilize the two connections. Any redirection I did prior to using dual WAN connections does not work. I can't even ping my box externally (logmein to a different machine in a different location and ping it from there). I have a feeling that something is happening with the outbound traffic but I don't know what it could be...

I have attached my pf.conf file (I am using OpenBSD 4.9):
Code:
############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel to FSJ
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
SH_Ext = "z.z.z.z"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 10000, 443, 1194, 22, 8008 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################



#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in on $ext_if1 proto tcp to $ext_if1 port 80 rdr-to 10.0.0.11 port 8008
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

# pass all outgoing packets on internal interface
pass out on $int_if to $localnet
pass out on $int_if to $vlan100net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $localnet to $int_if
pass in quick on $int_if from $vlan100net to $vlan100

### Dual WAN Configuration
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $int_if from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from $localnet to port https route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Route Packets From any IPs on on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass on $int_if inet proto tcp to $SH_Int port 8008
pass in inet proto tcp to port ssh
pass log inet proto icmp all icmp-type $icmp_types

# VPN
pass quick on $vpn_if
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010

I have the proper redirection that works when it's one WAN connection, but when I add a second one to the mix it just doesn't work.

Code:
pass in on $ext_if1 inet proto tcp to $ext_if port 80 rdr-to $SH_Int port 8008
pass on $int_if inet proto tcp to $SH_Int port 8008

As always, any help is appreciated.
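Added example, not part of the poster's pf.conf: the inbound rules rewritten with reply-to, the pf.conf(5) option for keeping a connection's replies on the interface it arrived on. The macros ($ext_if1, $ext_gw1, $ext_if2, $ext_gw2, $SH_Int, $icmp_types) are assumed to be defined as in the posted configuration; a second WAN rule for port 80 is assumed to be wanted and is an addition, not something the post asks for.

```pf
# Added example (not the original poster's ruleset): reply-to on the
# stateful inbound rules so replies leave through the WAN they came in on.
# Macros are assumed to be defined as in the poster's pf.conf.

# Inbound HTTP on each WAN, redirected to the internal host. The state
# created by the pass rule stores the reply-to, so the reply from
# $SH_Int (translated back to the external address by the rdr state)
# is sent via the listed interface and gateway rather than whatever
# the routing table's default route happens to be.
pass in on $ext_if1 inet proto tcp to ($ext_if1) port 80 \
    rdr-to $SH_Int port 8008 reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 inet proto tcp to ($ext_if2) port 80 \
    rdr-to $SH_Int port 8008 reply-to ($ext_if2 $ext_gw2)

# Echo requests from outside: the echo reply is pinned the same way,
# which is what an external ping test exercises.
pass in log on $ext_if1 inet proto icmp icmp-type $icmp_types \
    reply-to ($ext_if1 $ext_gw1)
pass in log on $ext_if2 inet proto icmp icmp-type $icmp_types \
    reply-to ($ext_if2 $ext_gw2)

# The redirected connection also crosses the internal interface;
# this rule is unchanged from the posted configuration.
pass on $int_if inet proto tcp to $SH_Int port 8008
```

Reply packets that match an existing state are handled by that state and are not evaluated against the ruleset again, so the `pass out on $ext_if2 from $ext_if1 route-to ...` rules in the posted configuration never get a chance to steer them; reply-to recorded in the state does. Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and while reproducing the failure watch what the two `block ... log` rules are dropping with `tcpdump -n -e -ttt -i pflog0`: a reply with the $ext_if1 address leaving on $ext_if2 (or being dropped there) is the symptom this change addresses.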