Dual WAN & HTTPS Sites
Hi everyone,
Anyone ever have any issues accessing certain HTTPS sites? We have our OpenBSD box acting as the firewall and it utilizes an asymmetrical dual WAN connection (two different ISPs). The error that is most telling is from LogMeIn where it states I have an IP address mismatch. This doesn't make sense to me since I have a rule that forces HTTPS traffic to only go through the first WAN interface. Furthermore, I also went ahead and reloaded my PF to only utilize the one interface and still have the same issue (did a pfctl -F all -f /etc/pf.conf). Below is my pf.conf.

Code:
```pf
# PF Configuration

############
## MACROS ##
############

# Interfaces
int_if = "vr0"           # Internal Interface
ext_if1 = "vr1"          # External Interface T1
ext_if2 = "axe0"         # External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if = "tun0"          # VPN Tunnel
vlan100 = "vlan100"      # VLAN Interface 10.0.2.0/24

# Misc
ext = "{ vr1, axe0 }"
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
abcnet = "10.21.0.0/16"
vpnnet = "172.25.0.0/24"
#SH_Ext = "x.x.x.x"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
             10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
             0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 21, 22, 443, 1194, 3389, 8008, 10000 }"
abc_scanner = "{ 21, 80, 443, 990, 2002, 3000:3019 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
voipport = "{ 4569 }"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

# FTP Pass
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

############
## TABLES ##
############

####################
## GLOBAL OPTIONS ##
####################
set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################

####################
## QUEUEING RULES ##
####################

#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################
match in all scrub (no-df max-mss 1440)
match out on $vpn_if from $localnet nat-to $vpn_if
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################
#antispoof for $int_if
#antispoof for $ext_if1
#antispoof for $ext_if2

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

pass inet proto { tcp, udp } from { self, $localnet, $vlan100net, $vpnnet }

# Single WAN - DISABLED
#pass out log on $ext_if1 proto { tcp udp icmp } all

### Dual WAN Configuration
pass in log on $int_if from { $localnet, $vpnnet } \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } \
    to port $snglextports route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Route Packets From any IPs on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass in inet proto tcp to port ssh
pass inet proto icmp

# VPN
pass quick on $vpn_if
pass in on !$ext_if1 to $abcnet
pass in on !$ext_if2 to $abcnet
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010
```
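Two properties of the posted rules let a single client reach one site from both ISPs even though port 443 is pinned: a route-to pool with round-robin picks a gateway per state, so each new connection from the same host may leave through the other link, and the single-path rule only matches traffic arriving on $int_if and lists 443 but not 80, so a site that mixes HTTP and HTTPS, or a client on vlan100, is seen from two source addresses. The fragment below is an added example, not the poster's configuration, showing how sticky-address ties a source address to one gateway and how a wider pinned-port list covers both networks. It reuses the poster's macros; pinned_ports is a new, assumed macro (the poster's snglextports plus 80), and the fragment is meant to replace the matching rules in the "Dual WAN Configuration" section, keeping the pinned rule after the round-robin ones because the last matching rule wins.

```pf
# Added example, not the original poster's pf.conf.
# Assumed macro: the poster's $snglextports with port 80 added.
pinned_ports = "{ 21, 22, 80, 443, 1194, 3389, 8008, 10000 }"

### Dual WAN Configuration
# round-robin still spreads hosts across both links, but sticky-address
# records the gateway chosen for each source address, so later states from
# that host follow the same link instead of alternating between ISPs.
pass in log on $int_if from { $localnet, $vpnnet } \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address
pass in on $vlan100 from $vlan100net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address

# Single External Connection Path, now for both internal interfaces and for
# HTTP as well as HTTPS, so one web session never spans two source addresses.
# This rule must stay below the round-robin rules: without "quick", the last
# matching rule decides the route.
pass in on { $int_if, $vlan100 } proto { tcp, udp } \
    from { $localnet, $vlan100net, $vpnnet } to port $pinned_ports \
    route-to ($ext_if1 $ext_gw1)
```

To check the result rather than guess, parse the file first with `pfctl -nf /etc/pf.conf`, then compare `pfctl -vsr` before and after a test connection: the evaluation and packet counters show which rule the HTTPS traffic actually matched, `pfctl -ss` lists the states it created, and `pfctl -s sources` lists the source-tracking entries that sticky-address maintains. If the pinned rule's counters stay at zero while a round-robin rule's counters grow, the traffic is arriving on an interface or port the pinned rule does not cover.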