From: "Kurt Buff" <kurt.buff@gmail.com>
To: "Andrew Thompson"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 May 2007 08:41:43 -0700
Subject: Re: pf, bridging, transparent proxy, dual gateways?
In-Reply-To: <20070518010420.GD64031@heff.fud.org.nz>
References: <20070518010420.GD64031@heff.fud.org.nz>

On 5/17/07, Andrew Thompson wrote:
> On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> > All,
> >
> > Wondering if the following scenario is at all rational/feasible:
> >
> > [fw-a]-------
> >          |
> >          |
> > [switch]---[freebsd]---[router]---[many subnets]
> >          |
> >          |
> > [fw-b]-------
> >
> > Fw-a fronts our current T1, and that ties our other two offices
> > together with IPSec, and is our main inbound mail feed.
> >
> > Fw-b is soon to be installed, and will front a new T1.
> >
> > The lines are not bonded - they come from different vendors.
> >
> > I'd like to forward all individual user traffic (HTTP/FTP/other) out
> > of the second T1, perhaps with the use of Squid/Frox, leaving our
> > intra-corporate traffic to go in/out the current T1, and also email.
>
> The easiest way is to use the route-to option in pf. When you pass the
> traffic from the internal network you mark which link it should go out.
>
> pass in quick on $int_if route-to ($fw-a_if $fw-a_ip) ... (some criteria)
> pass in quick on $int_if route-to ($fw-b_if $fw-b_ip) ... (other criteria)
>
> If you are also accepting connections in from the internet then you may
> want to look at the reply-to option.
>
>
> regards,
> Andrew

If by 'accepting connections' you mean serving data to the Internet (web
pages, ftp server, etc.) then no - we don't host anything but our own
email, which at the moment is coming in over the original line.

That does bring up an interesting point, though. If we wanted to use the
new line for backup MX, would reply-to work for that?

Thanks,

Kurt
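A pf.conf for the layout discussed in this thread, added here as an example and not taken from either poster. Interface names, addresses and subnets are constructed placeholders; pf macro names cannot contain hyphens, so Andrew's $fw-a_if / $fw-a_ip become $ext_if / $fwa_ip (in the diagram both firewalls sit on the same switch segment, so the interface is shared and only the gateway differs), and the reply-to rule covers Kurt's backup-MX question.

```pf
# Interface names are assumptions: em0 faces the internal router,
# em1 the switch segment that both fw-a and fw-b hang off.
int_if = "em0"
ext_if = "em1"
lan        = "10.0.0.0/8"                # constructed: the "many subnets"
fwa_ip     = "192.0.2.1"                 # constructed: fw-a inside address
fwb_ip     = "192.0.2.2"                 # constructed: fw-b inside address
mx         = "10.1.1.25"                 # constructed: internal mail server
corp_nets  = "{ 198.51.100.0/24, 203.0.113.0/24 }"  # constructed: the two remote offices
user_ports = "{ 80, 443, 21 }"

set skip on lo0
scrub in all

# Optional transparent Squid: hand browser traffic to a proxy on this box.
# Squid then originates its own connections from this host, which a
# matching "pass out ... route-to" rule would have to steer separately.
# rdr on $int_if proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128

block log all

# Intra-corporate traffic (IPsec to the other offices) and outbound mail
# stay on fw-a, i.e. the current T1.
pass in quick on $int_if route-to ($ext_if $fwa_ip) from $lan to $corp_nets keep state
pass in quick on $int_if route-to ($ext_if $fwa_ip) proto tcp from $lan to any port 25 keep state

# Individual user traffic leaves through fw-b, the new T1.
# FTP data channels use ephemeral ports; ftp-proxy(8) or a wider match is needed for them.
pass in quick on $int_if route-to ($ext_if $fwb_ip) proto tcp from $lan to any port $user_ports keep state

# Anything else from the LAN follows fw-a.
pass in quick on $int_if route-to ($ext_if $fwa_ip) from $lan to any keep state

# Inbound SMTP that arrived via fw-b (the backup MX case): reply-to pins the
# return half of the state to fw-b so replies do not leak out through fw-a.
pass in quick on $ext_if reply-to ($ext_if $fwb_ip) proto tcp from any to $mx port 25 keep state

# Packets that already have a state may leave on either interface.
pass out quick on { $int_if, $ext_if } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows which gateway each state was bound to.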