Hi guys,
Now that I have my PF up and running using dual WAN connections, I have run into another issue that I cannot explain for the life of me.
As mentioned earlier, I am using dual WAN connections with load balancing to utilize the two connections. Any redirection I did prior to using dual WAN connections does not work. I can't even ping my box externally (LogMeIn to a different machine in a different location and ping it from there). I have a feeling that something is happening with the outbound traffic, but I don't know what it could be...
I have attached my pf.conf file (I am using OpenBSD 4.9):
Code:
############
## MACROS ##
############
# Interfaces
int_if = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if = "tun0" #VPN Tunnel to FSJ
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24
# Misc
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
SH_Ext = "z.z.z.z"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 10000, 443, 1194, 22, 8008 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
# Addresses
MFC8780 = "10.0.0.5"
# Ports
RDP = "{ 3389 }"
############
## TABLES ##
############
####################
## GLOBAL OPTIONS ##
####################
set skip on lo0
###########################
## TRAFFIC NORMALIZATION ##
###########################
####################
## QUEUEING RULES ##
####################
#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################
match in on $ext_if1 proto tcp to $ext_if1 port 80 rdr-to 10.0.0.11 port 8008
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)
###################
## FILTERS RULES ##
###################
block in log
block out log
# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute
# pass all outgoing packets on internal interface
pass out on $int_if to $localnet
pass out on $int_if to $vlan100net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $localnet to $int_if
pass in quick on $int_if from $vlan100net to $vlan100
### Dual WAN Configuration
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $int_if from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from $localnet to port https route-to ($ext_if1 $ext_gw1)
# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2
# Route packets from any IPs on $ext_if1 to $ext_gw1, and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
pass on $int_if inet proto tcp to $SH_Int port 8008
pass in inet proto tcp to port ssh
pass log inet proto icmp all icmp-type $icmp_types
# VPN
pass quick on $vpn_if
pass in quick proto udp from any to port 1194
block in on ! lo0 proto tcp to port 6000:6010
I have the proper redirection that works when it's one WAN connection, but when I add a second one to the mix it just doesn't work.
Code:
# $ext_if is not defined in the dual-WAN macros above; the T1 interface is $ext_if1
pass in on $ext_if1 inet proto tcp to $ext_if1 port 80 rdr-to $SH_Int port 8008
pass on $int_if inet proto tcp to $SH_Int port 8008
As always, any help is appreciated.
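For reference, the following pf.conf fragment is an added example and not part of the poster's configuration. It reuses the macros defined in the posted file ($ext_if1, $ext_gw1, $ext_if2, $ext_gw2, $SH_Int, $int_if, $icmp_types) and shows the inbound rule from the single-WAN setup beside a version that also carries a `reply-to` option. On OpenBSD, `route-to` and `reply-to` are stored in the state when the state is created; packets that match an existing state are not evaluated against the ruleset again, so the `route-to` on the later `pass out` rules never sees the replies of a connection that entered on $ext_if1. Without `reply-to`, those replies follow the kernel routing table, and if the default route points at $ext_gw2 they leave via $ext_if2 carrying $ext_if1's address.

```pf
# Added example (not the poster's config): inbound services on a dual-WAN
# OpenBSD 4.9 PF box. All macros are assumed to be the ones defined in the
# pf.conf posted above.

# Weak: the state is created by this inbound rule, so the replies from
# $SH_Int match that state and are routed by the kernel routing table.
# If the default route is $ext_gw2, the reply goes out $ext_if2 with
# $ext_if1's source address and the remote client never sees it. The
# route-to on the "pass out" rules does not help: route-to and reply-to
# are only applied when a state is created, not to packets matching one.
#pass in on $ext_if1 inet proto tcp to ($ext_if1) port 80 \
#    rdr-to $SH_Int port 8008

# Corrected: pin the reply path to the interface the connection arrived on.
pass in on $ext_if1 inet proto tcp to ($ext_if1) port 80 \
    rdr-to $SH_Int port 8008 reply-to ($ext_if1 $ext_gw1)
# Same service reachable via the second WAN link (block in is the default,
# so the second interface needs its own pass rule).
pass in on $ext_if2 inet proto tcp to ($ext_if2) port 80 \
    rdr-to $SH_Int port 8008 reply-to ($ext_if2 $ext_gw2)

# The external ping test has the same problem for echo replies generated
# by the firewall itself, so the ICMP rules get reply-to as well.
pass in log on $ext_if1 inet proto icmp icmp-type $icmp_types \
    reply-to ($ext_if1 $ext_gw1)
pass in log on $ext_if2 inet proto icmp icmp-type $icmp_types \
    reply-to ($ext_if2 $ext_gw2)

# Let the redirected traffic reach the internal host and return.
pass on $int_if inet proto tcp to $SH_Int port 8008
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then, while an outside client connects to port 80 on the T1 address, confirm with `tcpdump -ni vr1 port 80` that the SYN/ACK leaves on vr1 rather than axe0; `pfctl -ss` shows the created state, and `tcpdump -n -e -ttt -i pflog0` shows anything the default `block in log` / `block out log` rules are dropping.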