Date: Fri, 25 Apr 2008 19:05:47 +0100 (BST)
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-questions@freebsd.org
Subject: Re: brindging ath0 with re0 working, kinda, almost
Message-ID: <60450.217.41.34.61.1209146747.squirrel@www.violetlan.net>
In-Reply-To: <51890.217.41.34.61.1209131852.squirrel@www.violetlan.net>
References: <61065.217.41.34.61.1209026488.squirrel@www.violetlan.net> <fupidm$ptd$1@ger.gmane.org> <53948.217.41.34.61.1209032621.squirrel@www.violetlan.net> <58454.217.41.34.61.1209056031.squirrel@www.violetlan.net> <fusfcv$ijl$1@ger.gmane.org> <51890.217.41.34.61.1209131852.squirrel@www.violetlan.net>
On Fri, April 25, 2008 14:57, Reinhold wrote:
> On Fri, April 25, 2008 12:30, Ivan Voras wrote:
>> I don't have any more suggestions, except the obvious: is there a
>> firewall somewhere in there, and are the routing tables ok?
>>
> yeah I have pf running, it needs to be on because it's doing the load
> balancing on the two wan connections.
>
> Here is the netstat output for the routing table
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            121.212.313.414    UGS         0   162114    ng1
> 127.0.0.1          127.0.0.1          UH          0      635    lo0
> 192.168.1.0/24     link#12            UC          0        0 bridge
> 192.168.1.1        d6.f4.fc.7c.95.38  UHLW        1        2    lo0
> 192.168.1.5        0.11.9.3b.f7.f0    UHLW        1    63563 bridge    848
> <snip>
> loads of local ips
> <end snip>
> 192.168.1.199      0.f.ea.66.8.7d     UHLW        1    15958 bridge    869
> 112.221.331.441    111.222.333.444    UH          0        0    ng0
> 121.212.313.414    22.333.444.555     UH          1        0    ng1
>

So, I disabled pf and then it started working but the internet stopped
working, hehe. This is not fair at all.

Here is the load-balancing part of pf:

    # pass on unfiltered interfaces
    #
    pass quick on $unfiltered

    # default deny
    # silently drop TCP non-SYN packets, the remaining ruleset only deals with
    # TCP SYNs, which always create state when passed. the ruleset basically
    # deals with 'connections', not packets, beyond this point.
    #
    block return-rst quick proto tcp all flags /S
    block return-rst quick proto tcp all flags A/A

    # block and log everything by default
    #
    block log
    block return-rst log inet proto tcp
    block return-icmp log inet proto udp

    # silently drop broadcasts (ADSL noise)
    #
    block in quick on $ext_if1 inet from any to 255.255.255.255
    block in quick on $ext_if2 inet from any to 255.255.255.255

    # bruteforce
    #
    block quick from <bruteforce> to any

    # block some known-bad ports without logging
    #
    block return-rst in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
    block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
    block return-rst in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
    block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

    # block and log incoming packets from reserved address space and invalid
    # addresses, they are either spoofed or misconfigured, we can't reply to
    # them anyway (hence, no return-rst).
    #
    block in log quick on $ext_if1 inet from $unroutable to any
    block in log quick on $ext_if2 inet from $unroutable to any

    # block and log outgoing packets that don't have my address as source, they are
    # either spoofed or something is misconfigured (NAT disabled, for instance),
    # we want to be nice and not send out garbage.
    #
    block out log quick on $ext_if1 inet from !(ng0) to any
    block out log quick on $ext_if2 inet from !(ng1) to any

    # OUT GOING ROUTING
    #
    # HTTPS OVER WAN1
    pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 443 keep state
    # SSH OVER WAN1
    pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 4424 keep state
    pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22 keep state
    # BLA OVER WAN1 for user1
    pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to some-ip-address keep state

    #
    # LOAD BALANCING
    #
    # pass all outgoing packets on internal interface
    pass out log on $int_if from any to $lan_net
    # pass in quick any packets destined for the gateway itself
    pass in quick on $int_if from $lan_net to $int_if
    # load balance outgoing tcp traffic from internal network.
    pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
    # load balance outgoing udp and icmp traffic from internal network
    pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
    # general "pass out" rules for external interfaces
    pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if1 proto { udp, icmp } from any to any keep state
    pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if2 proto { udp, icmp } from any to any keep state
    # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
    # $ext_if2 and $ext_gw2
    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I need them :S like I said if pf is disabled then the internet stops working.

Regards
Reinhold
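Added example (editor's note, not part of the thread): a bridge-aware skeleton of the same ruleset plus the check a practitioner would run first. It assumes the bridge interface is bridge0 with members ath0 and re0 (the thread only shows "bridge" in netstat) and that the macros $int_if, $ext_if1, $ext_if2, $ext_gw1, $ext_gw2 and $lan_net are defined as below; the gateway addresses are constructed placeholders. On FreeBSD the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both default to 1, so pf evaluates the ruleset on each member interface as well as on the bridge; a "pass in on $int_if" rule that names one member never matches frames arriving on the other member, and the default block drops them.

```pf
# /etc/sysctl.conf (assumed): filter once, on the bridge interface, so one
# set of $int_if rules covers both the wired (re0) and wireless (ath0) side.
#   net.link.bridge.pfil_bridge=1
#   net.link.bridge.pfil_member=0

# /etc/pf.conf macros (assumed names; the thread never shows its macros)
int_if  = "bridge0"        # not "re0" or "ath0": with pfil_member=0, frames
                           # from either member are evaluated here, once
ext_if1 = "ng0"
ext_if2 = "ng1"
ext_gw1 = "203.0.113.1"    # constructed placeholder, replace with WAN1 gateway
ext_gw2 = "198.51.100.1"   # constructed placeholder, replace with WAN2 gateway
lan_net = "192.168.1.0/24"

# LAN-to-LAN frames only cross the bridge (ath0 <-> re0) and must not be
# caught by the default-deny or sent through route-to: pass them early
pass quick on $int_if from $lan_net to $lan_net

# the thread's default-deny, anti-spoof and WAN1-pinning rules go here
# unchanged; the load-balancing rule below is the thread's own, now matching
# clients on ath0 and re0 alike because $int_if is the bridge
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto tcp from $lan_net to any keep state

# check: every rule above that says "block log" writes to pflog0 together
# with the interface the packet was dropped on, which shows directly whether
# a client's packet died on ath0, re0 or bridge0
#   tcpdump -n -e -ttt -i pflog0
# and per-rule evaluation/match counters confirm which pass rule fired:
#   pfctl -vvsr
```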