DaemonForums > OpenBSD > OpenBSD Security

Port Forwarding with Dual WAN Connections

Posted 14th December 2011 by alpha202ej

Hi guys,

Now that I have my PF up and running using dual WAN connections, I have run into another issue that I cannot explain for the life of me.

As mentioned earlier, I am using dual WAN connections with load balancing to utilize the two connections. Any redirection I did prior to using dual WAN connections does not work. I can't even ping my box externally (LogMeIn to a different machine in a different location and ping it from there). I have a feeling that something is happening with the outbound traffic, but I don't know what it could be...

I have attached my pf.conf file (I am using OpenBSD 4.9):
Code:
############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel to FSJ
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
SH_Ext = "z.z.z.z"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 10000, 443, 1194, 22, 8008 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################



#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in on $ext_if1 proto tcp to $ext_if1 port 80 rdr-to 10.0.0.11 port 8008
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

# pass all outgoing packets on internal interface
pass out on $int_if to $localnet
pass out on $int_if to $vlan100net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $localnet to $int_if
pass in quick on $int_if from $vlan100net to $vlan100

### Dual WAN Configuration
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $int_if from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from $localnet to port https route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Packets leaving on one external interface with the other's address are sent out via their own gateway
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass on $int_if inet proto tcp to $SH_Int port 8008
pass in inet proto tcp to port ssh
pass log inet proto icmp all icmp-type $icmp_types

# VPN
pass quick on $vpn_if
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010
I have the proper redirection that works when it's one WAN connection, but when I add a second one to the mix it just doesn't work.

Code:
pass in on $ext_if1 inet proto tcp to $ext_if port 80 rdr-to $SH_Int port 8008
pass on $int_if inet proto tcp to $SH_Int port 8008
As always, any help is appreciated.
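An added example, not the poster's config: the same redirect written so that connections arriving on each WAN are answered back out the WAN they came in on. It reuses the macros from the posted pf.conf (int_if, ext_if1, ext_if2, ext_gw1, ext_gw2, localnet, vlan100net, SH_Int) and OpenBSD 4.9 syntax; everything else about the topology is assumed. Two things it shows. First, route-to in a `pass out` rule only acts on packets that create a new state, so the reply to an existing inbound state follows the kernel's default route, which with two ISPs may be the wrong interface; reply-to on the inbound rule records the return path in the state instead. Second, a `match ... rdr-to` rule rewrites the destination before the filter rules run, so the `pass in` on the external interface has to match the translated address ($SH_Int port 8008), not the public address and port 80.

```pf
# Added example (not from the original post). Assumes the macros defined in
# the posted pf.conf: int_if, ext_if1, ext_if2, ext_gw1, ext_gw2, localnet,
# vlan100net, SH_Int.

# Redirect port 80 arriving on either WAN address to the internal web host.
# match rules rewrite the destination before the filter rules are evaluated.
match in on $ext_if1 inet proto tcp to ($ext_if1) port 80 rdr-to $SH_Int port 8008
match in on $ext_if2 inet proto tcp to ($ext_if2) port 80 rdr-to $SH_Int port 8008

# Outbound NAT for the LAN, as in the post.
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)

block in log
block out log

# Keep traffic between the two internal networks off the WAN gateways:
# the round-robin route-to below applies to every destination, so pass
# internal-to-internal traffic first and mark it quick.
pass in quick on $int_if from $localnet to $vlan100net

# LAN clients are load-balanced across both uplinks, as in the post.
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Inbound to the redirected service: filter on the translated destination,
# and pin the return path with reply-to so the reply leaves on the WAN the
# SYN arrived on even when the default route points at the other ISP.
pass in on $ext_if1 inet proto tcp to $SH_Int port 8008 reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 inet proto tcp to $SH_Int port 8008 reply-to ($ext_if2 $ext_gw2)

# ICMP echo to the firewall's own WAN addresses gets the same treatment.
# pf uses the last matching rule, so these must come after any broader
# "pass ... proto icmp" rule (or carry quick) to take effect.
pass in on $ext_if1 inet proto icmp to ($ext_if1) icmp-type echoreq reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 inet proto icmp to ($ext_if2) icmp-type echoreq reply-to ($ext_if2 $ext_gw2)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it (an undefined macro such as the `$ext_if` in the one-WAN snippet is rejected at this step), then load with `pfctl -f /etc/pf.conf`. While connecting from outside, `tcpdump -n -e -ttt -i pflog0` shows which rule is logging the drop, since the posted ruleset logs every default block, and `pfctl -ss` lists the state together with the interface it was created on. The posted `pass in inet proto tcp to port ssh` and the general ICMP rule have the same shape as the rules above minus reply-to, so SSH and ping answered out the wrong WAN would show exactly the symptom described.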