From owner-freebsd-pf@FreeBSD.ORG Tue Jan 1 21:44:02 2008
From: Michael Zimmer
To: freebsd-pf@freebsd.org
Date: Tue, 1 Jan 2008 21:32:01 +0000
Subject: load-balancing, DNS

Hi everyone,

I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ... but I'm having some trouble. I'm pretty sure that it isn't actually splitting the outgoing traffic (trying to load-balance over two uplinks), and the users are experiencing intermittent trouble resolving DNS entries (and being silly users, instead of reloading the page, they yell 'the Internet isn't working!' and then use that as a reason for reeeeaaally long lunches).

The workstations behind the FreeBSD box are mostly running some flavor of Windows; static private IPs, gateway set to the BSD box, primary DNS set to the DNS server of the ISP on uplink #1, secondary to the ISP on uplink #2. I can force it to use either connection successfully, but not both.

Thanks in advance for any help. Happy New Year!

-mike

Here's my setup:

dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP pass-through); bfe0 links to the internal network.

resolv.conf:

domain x.com
nameserver 66.z.z.z # DNS provided by ISP #1

-------------
rc.conf:

defaultrouter="66.x.x.x" #this is the upstream gateway on dc0
gateway_enable="YES"
hostname="x.x.com"
ifconfig_dc0="inet 68.y.y.y netmask 255.255.255.0"
ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
ifconfig_bfe0="inet 192.168.1.1 netmask 255.255.255.0"

inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"

ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"

nfs_reserved_port_only="NO"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
---------------
pf.conf:

ext_if1="dc0"
ext_if2="dc1"
int_if="bfe0"
ext_gw1="68.x.x.x"
ext_gw2="66.x.x.x"
internal_net="192.168.1.1/24"
tcp_services="( 22 )"
icmp_types="( 8 )"
#tables
table persist file "/etc/blocktable"

set block-policy drop
set limit { states 20000, frags 5000 }

set skip on lo0

scrub in all

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
block in from any to any
block out from any to any
pass out on $int_if from any to $internal_net keep state
pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1

#allows ICMP outbound
pass in quick on $int_if proto icmp all keep state
#allows incoming from client's server
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30

#blocks to inside-to-outside here
#spoofs
block in quick on $int_if from any to 172.16.0.0/12
block in quick on $int_if from any to 10.0.0.0/8
block in quick on $int_if from any to 169.254.0.0/16
block in quick on $int_if from any to 192.168.0.0/16
block in quick on $int_if from any to 204.152.64.0/23
block in quick on $int_if from any to 224.0.0.0/3

# traffic from inside goes straight out
pass in quick on $int_if from 192.168.1.0/24 to $int_if
pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state

#load balancing ...?
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from any to any flags S/SA modulate state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 1 23:35:42 2008
From: Michael Smith
To: Michael Zimmer
Cc: freebsd-pf@freebsd.org
Date: Tue, 1 Jan 2008 15:18:45 -0800
Subject: Re: load-balancing, DNS

Hello Michael:

I think you want to use "reply-to" instead of "route-to" on load balance rules since you need it to go out the same interface it came in on. This will work in conjunction with any connection that has state, so make sure your DNS pass rule has keep state.

Try

pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA keep state

pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address proto { tcp icmp udp } from any to any flags S/SA keep state

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Regards,

Mike

On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:

> Hi everyone,
>
> I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ... but I'm having some trouble. I'm pretty sure that it isn't actually splitting the outgoing traffic (trying to load-balance over two uplinks), and the users are experiencing intermittent trouble resolving DNS entries (and being silly users, instead of reloading the page, they yell 'the Internet isn't working!' and then use that as a reason for reeeeaaally long lunches).
>
> The workstations behind the FreeBSD box are mostly running some flavor of Windows; static private IPs, gateway set to the BSD box, primary DNS set to the DNS server of the ISP on uplink #1, secondary to the ISP on uplink #2. I can force it to use either connection successfully, but not both.
> [...]

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 06:23:16 2008
From: Tommy Pham
To: freebsd-pf@freebsd.org
Date: Tue, 1 Jan 2008 21:56:34 -0800 (PST)
Message-ID: <756423.79774.qm@web38204.mail.mud.yahoo.com>
Subject: Re: load-balancing, DNS

Hi Michael,

Another method that you can try is:

pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from any to { $ns1a, $ns1b } keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from any to { $ns2a, $ns2b } keep state

the number corresponds to the provider's info

I also have load balancing from 2 different providers. The above rules work great for me.

~Tommy

--- Michael Smith wrote:
> Hello Michael:
>
> I think you want to use "reply-to" instead of "route-to" on load balance rules since you need it to go out the same interface it came in on. This will work in conjunction with any connection that has state, so make sure your DNS pass rule has keep state.
> [...]

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 09:45:39 2008
From: Michael Zimmer
To: Tommy Pham, freebsd-pf@freebsd.org, Michael Smith
Date: Wed, 2 Jan 2008 09:45:38 +0000
In-Reply-To: <756423.79774.qm@web38204.mail.mud.yahoo.com>
Subject: RE: load-balancing, DNS
Thanks to both of you ... it looks okay remotely - I'll test it on-site tomorrow.

-mike

> Date: Tue, 1 Jan 2008 21:56:34 -0800
> From: tommyhp2@yahoo.com
> To: freebsd-pf@freebsd.org
> Subject: Re: load-balancing, DNS
>
> Hi Michael,
>
> Another method that you can try is:
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
>     from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
>     from any to { $ns2a, $ns2b } keep state
>
> the number corresponds to the provider's info
>
> I also have load balancing from 2 different providers. The above rules work great for me.
>
> ~Tommy
> [...]
http://www.windowslive.com/share.html?ocid=3DTXT_TAGHM_Wave2_sharelife_1220= 07= From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 16:46:44 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3A47A16A468 for ; Wed, 2 Jan 2008 16:46:44 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: from web38208.mail.mud.yahoo.com (web38208.mail.mud.yahoo.com [209.191.124.151]) by mx1.freebsd.org (Postfix) with SMTP id EDF6D13C455 for ; Wed, 2 Jan 2008 16:46:43 +0000 (UTC) (envelope-from tommyhp2@yahoo.com) Received: (qmail 96780 invoked by uid 60001); 2 Jan 2008 16:46:43 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=4x5mUdVEv3nHUGHBd+MLyxdP3jrFRjwX0NRbgKCy9v8S3qKkcK/sU7sZqNTmtPBFti7eHYAY/SpDHaCpCevIuIK3FF9P9zcWl1iXX+KUh7PIS6eo1bg1gfI/+PbNjpgmJPxdyG0Jw8rCWFklYRx5pCXkg5gI+47yIswavZSGY5Y=; X-YMail-OSG: fEVVrngVM1klGUcWxlTcslBHLXAb6sI2taiVSzknuzuGbwspkCOPOfbM9pFiHzmlDStZnNaOwiQxU5jk4ksqjvDfTgsSzsgteq6OxUa59AEMpP2vCqQVJZf0Ib4a1psKxPfyGUb5vjP.7loVFYt.ZeOYt4.oT2CiuA8- Received: from [74.229.174.93] by web38208.mail.mud.yahoo.com via HTTP; Wed, 02 Jan 2008 08:46:43 PST Date: Wed, 2 Jan 2008 08:46:43 -0800 (PST) From: Tommy Pham To: freebsd-pf@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Message-ID: <358998.94924.qm@web38208.mail.mud.yahoo.com> Subject: RE: load-balancing, DNS X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Jan 2008 16:46:44 -0000 Hi Michael, Here is my ruleset: NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 
172.16.0.0/12, 10.0.0.0/8 }" # Options: tune the behavior of pf, default values are given. #set timeout { interval 10, frag 30 } #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } #set timeout { icmp.first 20, icmp.error 10 } #set timeout { other.first 60, other.single 30, other.multiple 60 } #set timeout { adaptive.start 0, adaptive.end 0 } #set limit { states 60000, frags 30000 } #set loginterface re0 #set require-order yes #set fingerprints "/etc/pf.os" #set optimization aggressive set optimization normal set block-policy drop set skip on lo # Normalization: reassemble fragments and resolve or reduce traffic ambiguities. scrub in # Queueing # nat/rdr nat on $ext_if1 from $lan_net to any -> ($ext_if1) round-robin nat on $ext_if2 from $lan_net to any -> ($ext_if2) round-robin #nat-anchor "ftp-proxy/*" #rdr-anchor "ftp-proxy/*" #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \ port $www_ports -> $www_sys rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \ port $www2_ports -> $www2_sys # Rules #block in log on $ext_if1 from $NoRouteIPs to any #block out log on $ext_if1 from any to $NoRouteIPs #block in log on $ext_if2 from $NoRouteIPs to any #block out log on $ext_if2 from any to $NoRouteIPs block in log block out log pass on $int_if #anchor "ftp-proxy/*" antispoof log quick for { lo $int_if } # load balance outgoing tcp traffic from internal network. 
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \ round-robin proto tcp from $lan_net to any \ flags S/SA modulate state # load balance outgoing udp and icmp traffic from internal network pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \ round-robin proto { udp, icmp } from $lan_net to any keep state pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \ from any to { $ns1a, $ns1b } keep state pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \ from any to { $ns2a, $ns2b } keep state # general "pass out" rules for external interfaces pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state pass out on $ext_if1 proto { udp, icmp } from any to any keep state pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state pass out on $ext_if2 proto { udp, icmp } from any to any keep state # allowed services pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www_sys port $www_ports \ flags S/SA synproxy state pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www2_sys port $www2_ports \ flags S/SA synproxy state # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for # $ext_if2 and $ext_gw2 pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any I still need to refine more on the rules to tighten security. ~Tommy --- Michael Zimmer wrote: > > Turns out that those actually completely (instead of the ~75% success > rate before) disabled the DNS access of the client machines. > > I can't think why that wouldn't work, though - added these to the > top, just below the SSH-allow entries: > > pass in quick on $int_if route-to ($ext_if1 $ext_gw1) from any to { > $ns1a, $ns1b } keep statepass in quick on $int_if route-to ($ext_if2 > $ext_gw2) from any to { $ns2a, $ns2b } keep state > > ...with nsXY appropriately defined. Should these be reply-to also? 
> ...I changed the main load-balancing rules as suggested:
>
> pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA keep state
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     sticky-address proto { tcp icmp udp } from any to any flags S/SA keep state
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> ...I'd really appreciate any suggestions. : )
>
> thanks,
> mike
>
> > From: drakyri@hotmail.com
> > To: tommyhp2@yahoo.com; freebsd-pf@freebsd.org; mksmith@adhost.com
> > Date: Wed, 2 Jan 2008 09:45:38 +0000
> > Subject: RE: load-balancing, DNS
> >
> > Thanks to both of you ... it looks okay remotely - I'll test it on-site tomorrow.
> >
> > -mike
From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 17:19:45 2008
From: Mike Tancsa
To: freebsd-pf@freebsd.org
Date: Wed, 02 Jan 2008 12:04:23 -0500
Message-Id: <200801021702.m02H2LWb005895@lava.sentex.ca>
Subject: pf and pppoe help!

I have a Soekris 5501 that I want to use to do natting for a number of subnets with a number of static IPs, and I am not sure what the best way to handle the multiple IP aliases is. In the past, when I aliased the /32s to lo0, I had stability problems and the box would deadlock.
That firewall was on fibre, so it was easy to move the IPs to the external NIC and alias them there. That box sees a lot of traffic with a LOT of internal hosts and is very stable now. However, for PPPoE it's a bit different, since the interface comes and goes, and there is also the issue of MSS.

Right now in the lab I have been trying the following config and it seems to work. However, I'm not sure, when it goes live with a lot of traffic, if this is the best way to go.

In my ppp.linkup I have

pppoe:
  iface clear
  iface add 2.2.2.205/32 1.1.1.1
  iface add 2.2.2.206/32 1.1.1.2
  iface add 2.2.2.207/32 1.1.1.3
  ! /sbin/pfctl -f /etc/pf.conf

where 2.2.2.x are a bunch of /32 publicly routed IP addresses.

The box has

  1 PPPoE connection (tun0)
  RFC1918 subnet 192.168.1.0/24 (vr1)
  DMZ 2.2.2.0/30 (vr2)
  RFC1918 10.0.0.0/24 (vr3)

as well as a couple of BINATs on vr1.

# for pppoe MSS fixup for the DMZ host
scrub in on vr2 max-mss 1400 fragment reassemble
scrub out on vr2 max-mss 1400 fragment reassemble

#let the office people surf via one public IP and the transient sales force use a different one on the wireless
nat on $ext_if from {$internaloffice} to any -> ($ext_if:0)
nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP
nat on $ext_if from {$wireless} to any -> $publicwireless
binat on $ext_if from $server1 to any -> $publicserver1
binat on $ext_if from $server2 to any -> $publicserver2

pass in quick on lo0 all
pass out quick on lo0 all

block in log on $ext_if all
#DMZ cust machine has its own rules
pass in on vr2 from any to any keep state
pass in on $ext_if from any to {$publicserver1, $publicserver2, $server1, $server2, $dmzhost } keep state
pass in log on tun0 proto tcp from $trustedhosts to any port 22 keep state
pass out all keep state

Is there a better way to handle all the aliased IP addresses than to manually put them on tun0?
---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 17:40:56 2008
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Wed, 2 Jan 2008 19:10:38 +0200
In-Reply-To: <358998.94924.qm@web38208.mail.mud.yahoo.com>
Message-Id: <200801021910.39471.antik@bsd.ee>
Subject: Re: load-balancing, DNS

On Wednesday 02 January 2008 18:46:43, Tommy Pham wrote:
> Hi Michael,
>
> Here is my ruleset:
>
> NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 60000, frags 30000 }
> #set loginterface re0
> #set require-order yes
> #set fingerprints "/etc/pf.os"
> #set optimization aggressive
> set optimization normal
> set block-policy drop
> set skip on lo
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in
>
> # Queueing
>
> # nat/rdr
> nat on $ext_if1 from $lan_net to any -> ($ext_if1) round-robin
> nat on $ext_if2 from $lan_net to any -> ($ext_if2) round-robin
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
>
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
>     port $www_ports -> $www_sys
> rdr on { $ext_if1, $ext_if2 } proto tcp from any to any \
>     port $www2_ports -> $www2_sys
>
> # Rules
> #block in log on $ext_if1 from $NoRouteIPs to any
> #block out log on $ext_if1 from any to $NoRouteIPs
> #block in log on $ext_if2 from $NoRouteIPs to any
> #block out log on $ext_if2 from any to $NoRouteIPs
>
> block in log
> block out log
> pass on $int_if
>
> #anchor "ftp-proxy/*"
> antispoof log quick for { lo $int_if }
>
> # load balance outgoing tcp traffic from internal network.
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto tcp from $lan_net to any \
>     flags S/SA modulate state
> # load balance outgoing udp and icmp traffic from internal network
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto { udp, icmp } from $lan_net to any keep state
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
>     from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
>     from any to { $ns2a, $ns2b } keep state
>
> # general "pass out" rules for external interfaces
> pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if2 proto { udp, icmp } from any to any keep state
>
> # allowed services
> pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www_sys port $www_ports \
>     flags S/SA synproxy state
> pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $www2_sys port $www2_ports \
>     flags S/SA synproxy state
>
> # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> # $ext_if2 and $ext_gw2
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

http://www.openbsd.org/faq/pf/pools.html

Load Balance Incoming Connections

Address pools can also be used to load balance incoming connections. For example, incoming web server connections can be distributed across a web server farm:

web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"

rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
    round-robin sticky-address

Successive connections will be redirected to the web servers in a round-robin manner, with connections from the same source being sent to the same web server.
This "sticky connection" will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection. Further connections from that host will be redirected to the next web server in the round robin.

NOTE: I seriously doubt "sticky-address" will work on FreeBSD - it has been broken for a couple of years already, and it looks like no one cares to fix it (it works on OpenBSD, of course). Without this option load balancing is a joke.

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 2 21:26:10 2008
From: Mike Tancsa
To: freebsd-pf@freebsd.org
Date: Wed, 02 Jan 2008 16:28:11 -0500
Message-Id: <200801022126.m02LQ815007027@lava.sentex.ca>
Subject: use of ! in nat broken ?
It very well could be the booze 2 nights ago making me misread something obvious, but should not

nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP

be the same as

nat on $ext_if from {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} to any -> $officepublicIP

and the same as

nat on $ext_if from <204network> to any -> $officepublicIP

Where

officepublicIP=67.43.133.205
internal204=10.0.0.0/26
server1=10.0.0.2/32
server2=10.0.0.3/32
table <204network> {!$server1,!$server2,$internal204}

If I use the first nat statement, traffic from my DMZ (199.212.134.7) gets natted as $officepublicIP. If I use the second (explicit list) or third (define the list in a table), all works as expected and 199.212.134.7 does not get caught up in the nat statement.

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.0/26 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.2 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.3 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.1 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.4 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.5 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.6 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.7 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.8/29 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.16/28 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.32/27 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from <204network> to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

Kernel is 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #0: Fri Dec 14 15:02:59 EST 2007

I don't see anything new in the pf tree since then.
---Mike

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 3 04:40:17 2008
From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Wed, 2 Jan 2008 22:09:42 -0600
Message-ID: <20080103040942.GD10272@verio.net>
In-Reply-To: <200801022126.m02LQ815007027@lava.sentex.ca>
Subject: Re: use of ! in nat broken ?
Mike Tancsa wrote:
>
> It very well could be the booze 2 nights ago making me misread
> something obvious, but should not
>
> nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP
>
> be the same as
>
> nat on $ext_if from {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} to any -> $officepublicIP
>
> and the same as
>
> nat on $ext_if from <204network> to any -> $officepublicIP
>
> Where
> officepublicIP=67.43.133.205
> internal204=10.0.0.0/26
> server1=10.0.0.2/32
> server2=10.0.0.3/32
> table <204network> {!$server1,!$server2,$internal204}

The mistake you're making here is to consider pf's syntax to be a combined AND'd statement of boolean logic, which it is not. It is really just simple macro expansion, which does not equate to the same thing.

As you noted, a rule such as this:

nat on $ext_if from {$internal204,!$server1,!$server2} \
    to any -> $officepublicIP

equates to the expanded ruleset:

nat on $ext_if from $internal204 to any -> $officepublicIP
nat on $ext_if from !$server1 to any -> $officepublicIP
nat on $ext_if from !$server2 to any -> $officepublicIP

Since $server1 is on the same network as $internal204, server1's traffic will be NAT'd because it matches rule 1. And worse, rule 2 matches nearly any traffic you forward, and even matches the firewall's own traffic, because almost any source IP seen by the firewall will be "not $server1's IP," so it matches the rule.
It sounds like what you really want is a clever collection of "no nat" rules to prevent NAT from happening on certain addresses, followed by "nat", such as:

no nat on $ext_if from {$server1,$server2} to any
nat on $ext_if from $internal204 to any -> $officepublicIP

This has the desired expansion:

no nat on $ext_if from $server1 to any
no nat on $ext_if from $server2 to any
nat on $ext_if from $internal204 to any -> $officepublicIP

and hopefully does what you want.

--
David DeSimone == Network Admin == fox@verio.net
  "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you."
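The expansion and first-match behaviour described above, as an added illustration (not code from pf, and not part of anyone's message in this thread): a small Python model that expands a `{ a, !b, !c }` source list into one rule per element, evaluates translation rules first-match the way pf does, and models a table with negated entries by longest-prefix match. The macro values and the DMZ address 199.212.134.7 are the ones from Mike's message; binat precedence is deliberately left out of the model.

```python
"""Model of pf list expansion and first-match NAT evaluation.

Added illustration for the "use of ! in nat" thread; this is not pf's
own logic, only a model of the semantics David describes.
"""
import ipaddress
from typing import List, Optional, Tuple

# Macros as posted in the thread.
MACROS = {
    "internal204": "10.0.0.0/26",
    "server1": "10.0.0.2/32",
    "server2": "10.0.0.3/32",
    "officepublicIP": "67.43.133.205",
}

# One expanded translation rule: (negated source?, source network, target).
# target is None for a "no nat" rule.
Rule = Tuple[bool, ipaddress.IPv4Network, Optional[str]]


def net(name: str) -> ipaddress.IPv4Network:
    """Resolve a macro name (or a literal address) to a network."""
    return ipaddress.ip_network(MACROS.get(name, name))


def expand(src_list: List[str], target: Optional[str]) -> List[Rule]:
    """pf turns `from { a, !b, !c }` into one rule per element, in order.
    It is list expansion, not a boolean AND of the elements."""
    rules: List[Rule] = []
    for item in src_list:
        negated = item.startswith("!")
        rules.append((negated, net(item.lstrip("!")), target))
    return rules


def translate(rules: List[Rule], src: str) -> Optional[str]:
    """Translation rules are evaluated first-match.  A matching `no nat`
    rule (target None) ends the search with no translation."""
    ip = ipaddress.ip_address(src)
    for negated, network, target in rules:
        if (ip in network) != negated:
            return target
    return None


def table_lookup(entries: List[Tuple[bool, ipaddress.IPv4Network]], src: str) -> bool:
    """Table with negated entries: the most specific matching entry decides,
    so `!10.0.0.2` punches a hole in `10.0.0.0/26`."""
    ip = ipaddress.ip_address(src)
    best = None
    for negated, network in entries:
        if ip in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (negated, network)
    return best is not None and not best[0]


OFFICE = MACROS["officepublicIP"]

# 1. The rule as originally written: three separate rules after expansion.
ORIGINAL = expand(["internal204", "!server1", "!server2"], OFFICE)

# 2. David's form: `no nat` for the servers, then one nat rule.
NO_NAT = expand(["server1", "server2"], None) + expand(["internal204"], OFFICE)

# 3. Mike's table form: one nat rule over <204network>.
TABLE_204 = [(True, net("server1")), (True, net("server2")), (False, net("internal204"))]


def translate_table(src: str) -> Optional[str]:
    return OFFICE if table_lookup(TABLE_204, src) else None


# Constructed sample sources: an office host, server1, and the DMZ host.
SAMPLES = ["10.0.0.1", "10.0.0.2", "199.212.134.7"]


def compare() -> dict:
    """Translation result for each sample source under the three rulesets."""
    return {
        src: {
            "original": translate(ORIGINAL, src),
            "no_nat": translate(NO_NAT, src),
            "table": translate_table(src),
        }
        for src in SAMPLES
    }


if __name__ == "__main__":
    for src, results in compare().items():
        print(src, results)
```

Running it shows the three outcomes the thread reports: the office host is translated under all three forms, server1 is translated only under the original form (it matches the `$internal204` rule before the negated entries are ever consulted), and the DMZ host is translated only under the original form, because it satisfies `from !$server1`.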
  --Lawyer Bot 6000

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 3 16:10:07 2008
From: Mike Tancsa
To: David DeSimone, freebsd-pf@freebsd.org
Date: Thu, 03 Jan 2008 11:12:04 -0500
Message-Id: <200801031610.m03G9xNS011967@lava.sentex.ca>
In-Reply-To: <20080103040942.GD10272@verio.net>
Subject: Re: use of ! in nat broken ?
At 11:09 PM 1/2/2008, David DeSimone wrote:
> The mistake you're making here is to consider pf's syntax to be a
> combined AND'd statement of boolean logic, which it is not. It is
> really just simple macro expansion, which does not equate to the same
> thing.

Thanks for the detailed explanation! Reading it that way makes sense to me now. I am trying to think which is more readable in general, and I think the table syntax is perhaps the best. It does seem to treat it in a way that's slightly more intuitive (for me anyway), in that I have one nat statement that applies to "those who I want to NAT", and the boolean logic applied in the table definition is readable enough.

table <204network> {!$server1,!$server2,$internal204}
nat on $ext_if from <204network> to any -> $officepublicIP

Thanks again,

---Mike

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 4 19:23:12 2008
From: "Anjang Aki"
To: freebsd-pf@freebsd.org
Cc: mailman.msc@gmail.com
Date: Sat, 5 Jan 2008 02:54:17 +0800
Subject: Really newbie reference to PF

Greetings all,

I have compiled my kernel to be able to support PF, but I can't find a decent website reference useful for newbies to guide me about configuring PF.

For example, I just wanted to disable IP 66.166.56.233 from entering my network either by ssh or ftp.

(Perhaps I can try this by testing on the LAN, blocking address 192.168.1.10 to LAN server 192.168.1.2.)

Sorry if I have put an inappropriate question to this mailing list, but I would appreciate in advance any reply with a reference to the guidance.
Thank you and Regards,

--
Anjang Aki

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 4 20:32:57 2008
From: Ryan Phillips
To: Anjang Aki
Cc: freebsd-pf@freebsd.org
Date: Fri, 4 Jan 2008 12:32:57 -0800
Message-ID: <20080104203256.GB53655@zeus.kimaker.com>
Subject: Re: Really newbie reference to PF

Anjang Aki said:
> Greetings all,
>
> I have compiled my kernel to be able to support PF but I cant find a
> decent website reference useful for newbies to guide me about
> configuring the PF.
>
> For example, i just wanted to disable IP 66.166.56.233 from entering
> my network either by ssh or ftp
>
> (perhaps I can try this by testing on LAN by blocking address
> 192.168.1.10 to LAN server 192.168.1.2)
>
> Sorry if i have put inappropriate question to this mailing list but I
> do appreciate all in advanced for any reply with the reference to the
> guidance.
Amazon: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall
Firewalling with PF: http://home.nuug.no/~peter/pf/

Both are authored by Peter Hansteen.

-Ryan