From owner-freebsd-pf@FreeBSD.ORG Mon Oct 19 11:06:59 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Oct 2009 11:06:58 GMT
Message-Id: <200910191106.n9JB6wrp063525@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

36 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 19 12:08:30 2009
From: Omer Faruk Sen
To: freebsd-pf@freebsd.org
Date: Mon, 19 Oct 2009 14:35:24 +0300
Message-ID: <75a268720910190435n48897e42v44afd0ba0ded1c96@mail.gmail.com>
Subject: port based round robin

Hi,

As far as I have seen from the manual pages, round-robin works for IP addresses only. But I want it to work port-based. Here is what I want to do:

127.0.0.1:1234 ---> 127.0.0.1:1235 ---> 127.0.0.1:1236

Is that possible with pf?

Regards.
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 19 16:15:57 2009
From: Jed Gainer
To: freebsd-pf@freebsd.org
Date: Mon, 19 Oct 2009 08:48:03 -0700
Message-ID: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
Subject: PF - load balancing outgoing connections

I wanted to set up a machine as my LAN gateway and have it load balance over multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I chose FreeBSD as the machine's OS. After getting it up and running, and acting as a gateway just using one WAN via

    # macros
    wan1="nfe0"
    lan1="rl0"

    pc1="10.0.0.2"
    xb1="10.0.0.3"

    # options
    #set block-policy return
    #set loginterface $wan1
    set skip on lo0

    # scrub
    scrub in

    # nat/rdr
    nat on $wan1 from !($wan1) -> ($wan1:0) static-port

    # uTorrent
    rdr on $wan1 proto tcp from any to any port 41016 -> $pc1

    # Xbox Live
    rdr on $wan1 proto {tcp, udp} from any to any port 3074 -> $xb1

I decided to try the load balancing and came up with quite a few different pf.confs that did not work; my LAN just lost all connectivity when I loaded them.

    lan1r = "10.0.0.0/24"
    lan1 = "rl0"
    wan1 = "nfe0"
    wan2 = "rl1"
    gw1 = "10.0.1.2"
    gw2 = "10.0.2.2"

    # nat outgoing connections on each internet interface
    nat on $wan1 from $lan1r to any -> ($wan1) #static-port
    nat on $wan2 from $lan1r to any -> ($wan2) #static-port

    # default deny
    block in from any to any
    block out from any to any

    # pass all outgoing packets on internal interface
    pass out on $lan1 from any to $lan1r

    # pass in quick any packets destined for the gateway itself
    pass in quick on $lan1 from $lan1r to $lan1

    # load balance outgoing tcp traffic from internal network.
    pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin \
        proto tcp from $lan1r to any flags S/SA modulate state

    # load balance outgoing udp and icmp traffic from internal network
    pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin \
        proto { udp, icmp } from $lan1r to any keep state

    # general "pass out" rules for external interfaces
    pass out on $wan1 proto tcp from any to any flags S/SA modulate state
    pass out on $wan1 proto { udp, icmp } from any to any keep state
    pass out on $wan2 proto tcp from any to any flags S/SA modulate state
    pass out on $wan2 proto { udp, icmp } from any to any keep state

    # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
    # $ext_if2 and $ext_gw2
    pass out on $wan1 route-to ($wan2 $gw2) from $wan2 to any
    pass out on $wan2 route-to ($wan1 $gw1) from $wan1 to any

... and ...

    lan = rl0
    wan1 = nfe0
    wan2 = rl1
    wan1_gw = 173.183.32.254
    wan2_gw = 10.0.1.2

    nat on $wan1 from any to any -> ($wan1)
    nat on $wan2 from any to any -> ($wan2)

    pass in quick on $lan route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } \
        round-robin inet from ($lan:network) to any flags S/SA keep state

Neither of the above worked, or the many other attempts I made.

No errors are reported when I `pfctl -f /etc/pf.lb.conf` and my LAN loses internet connectivity.

Does anyone see the problem? I can ping Google fine using either WAN as default route, so it has to be my PF conf.

I am at the point where I will pay someone to get it working!
-- 
~ Jed Gainer

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 19 16:55:34 2009
From: Michael Proto
To: Jed Gainer
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Oct 2009 12:34:07 -0400
Message-ID: <1de79840910190934w358e711t781f39061e16991@mail.gmail.com>
In-Reply-To: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
Subject: Re: PF - load balancing outgoing connections

On Mon, Oct 19, 2009 at 11:48 AM, Jed Gainer wrote:
> I wanted to set up a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS.
> [...]
> Does anyone see the problem? I can ping Google fine using either WAN as
> default route, so it has to be my PF conf.

Correct me if I'm wrong, but I don't think you can do this without running a routing protocol with your upstream ISP.

The problem is, regardless of which connection you send your traffic out, the return traffic will always come the same route from your ISP(s). If you send your traffic out $wan2 but your IP space is advertised by your ISP on $wan1, the traffic will always come back in $wan1 and you'll have an asymmetric route (as well as messed-up states in pf on the $wan1 and $wan2 interfaces).

The only way I've been able to load-balance outbound traffic is to have different upstream routers advertise different routes back to my network via BGP and work the load-balancing that way.

-Proto
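Jed's rulesets above use `block in`/`block out` without the `log` keyword, so nothing reaches pflog0 to say which rule is dropping the LAN traffic. The following is an added example, not part of the thread: a POSIX shell helper that summarises a `tcpdump -n -e -ttt -i pflog0` capture by rule, direction and interface, run here over a constructed sample capture. Interface names follow Jed's macros (rl0 = LAN, nfe0 = WAN1); the addresses and rule numbers are made up, and it assumes `log` has been added to the block rules and pflogd is running.

```shell
#!/bin/sh
# Added example (not from the thread): reduce pf log output to the rule,
# direction and interface that is dropping packets, so a ruleset that
# loads without errors but kills connectivity can be narrowed down.
#
# On the gateway the capture would be produced with (not run here):
#   tcpdump -n -e -ttt -i pflog0 > /tmp/pflog.txt
# which needs `log` on the block rules and a running pflogd.

# Constructed sample capture, loosely following tcpdump's pflog0 line
# format. rl0 is the LAN, nfe0 is WAN1; 192.0.2.10 stands in for an
# external host and the rule numbers are invented.
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on rl0: 10.0.0.2.51234 > 192.0.2.10.80: S 1:1(0) win 65535
00:00:00.000412 rule 3/0(match): block in on rl0: 10.0.0.3.3074 > 192.0.2.10.3074: UDP, length 72
00:00:00.001003 rule 4/0(match): block out on nfe0: 10.0.0.2.51235 > 192.0.2.10.80: S 2:2(0) win 65535
00:00:00.002210 rule 3/0(match): block in on nfe0: 192.0.2.10.80 > 10.0.1.5.51234: S 3:3(0) ack 1 win 5840
00:00:00.003001 rule 8/0(match): pass in on rl0: 10.0.0.2.51236 > 10.0.0.1.53: UDP, length 40'

# pflog_summary: read capture lines on stdin and print one line per
# "rule N/M block DIR on IFACE" combination, prefixed by its packet count,
# most frequent first. The rule numbers match those in `pfctl -vvs rules`.
pflog_summary() {
    awk '
        /\(match\): block/ {
            # $3 = "3/0(match):", $4 = action, $5 = direction, $7 = "iface:"
            rule = $3;  sub(/\(match\):$/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            count["rule " rule " " $4 " " $5 " on " iface]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k1,1nr -k2
}

# blocked_sources IFACE: unique source addresses whose packets were blocked
# inbound on IFACE, i.e. which LAN hosts are hitting the default deny on rl0.
blocked_sources() {
    awk -v want="$1:" '
        /\(match\): block in on/ && $7 == want {
            src = $8; sub(/\.[0-9]+$/, "", src)   # strip the port suffix
            print src
        }
    ' | sort -u
}

# Run the helpers over the constructed sample when invoked with --demo.
if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
    printf '%s\n' "$SAMPLE_PFLOG" | blocked_sources rl0
fi
```

On a real capture, feed the file instead of the sample: `pflog_summary < /tmp/pflog.txt`.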
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 20 00:20:23 2009
From: István
To: Jed Gainer
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Oct 2009 01:20:22 +0100
In-Reply-To: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
Subject: Re: PF - load balancing outgoing connections

What does pflogd say about this? I mean, have you tried to enable logging and check it?

http://www.openbsd.org/cgi-bin/man.cgi?query=pflogd&sektion=8

Regards,
Istvan

On Mon, Oct 19, 2009 at 4:48 PM, Jed Gainer wrote:
> I wanted to set up a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS.
> [...]
> No errors are reported when I `pfctl -f /etc/pf.lb.conf` and my LAN loses
> internet connectivity.

-- 
the sun shines for all
http://l1xl1x.blogspot.com

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 20 23:01:54 2009
From: "Jeremy C. Reed"
To: freebsd-pf@freebsd.org
Date: Tue, 20 Oct 2009 17:37:10 -0500 (CDT)
Subject: tool to dump and restore pf(4) state

See this blog:

  http://blog.netbsd.org/tnf/entry/summer_of_code_results_a

"... a working pfs tool which is able to dump / restore the internal state table of pf ..."