From: Leon Botes <leon@trusc.net>
Organization: TruscTechnologies
Date: Sun, 26 Feb 2006 13:54:16 +0200
To: freebsd-questions@freebsd.org
Message-ID: <440196E8.3040802@trusc.net>
Subject: solution: pf with multiple external interfaces for incoming and outgoing traffic.

I am posting this solution in the hope that it might help someone else who
has been searching for the answer to running multiple external interfaces
and wishes to load balance outgoing private LAN traffic and also have all
these interfaces available for incoming connections to a DMZ server. I
claim no credit for this since it is a formulation of many posts to various
mailing lists.

Example:

## NAT section

# Standard natting for outgoing connections.
nat on $ext_if1 from {$private_net, $dmz_srv} to any -> $ext_if1_ip
nat on $ext_if2 from {$private_net, $dmz_srv} to any -> $ext_if2_ip
nat on $ext_if3 from {$private_net, $dmz_srv} to any -> $ext_if3_ip

# These rdr rules send the incoming connections on the ext_ifs to the DMZ server.
rdr on $ext_if1 inet proto tcp from any to $ext_if1_ip port { 25, 80, 110 } -> $dmz_srv
rdr on $ext_if2 inet proto tcp from any to $ext_if2_ip port { 25, 80, 110 } -> $dmz_srv
rdr on $ext_if3 inet proto tcp from any to $ext_if3_ip port { 25, 80, 110 } -> $dmz_srv

# This rdr rule sends traffic from the LAN destined for services on the ext
# interfaces to the DMZ, since the previous rdr rules will have no effect on it.
rdr on $int_if inet proto tcp to {$ext_if1_ip, $ext_if2_ip, $ext_if3_ip } port { 80, 25, 110 } -> $dmz_srv

## RULES section

# The following rules ensure that traffic incoming on the various interfaces
# is routed back out the same interface it arrived on. The reply-to gateway
# must be the router of the interface the rule is bound to.
pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_if1_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_if2_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state
pass in quick on $ext_if3 reply-to ( $ext_if3 $ext_if3_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state

# Now to load balance the outgoing traffic. The previous sections are not
# needed if you do not accept incoming connections.
pass in on $int_if route-to { ($ext_if1 $ext_if1_router), ($ext_if2 $ext_if2_router), ($ext_if3 $ext_if3_router) } round-robin from $private_net to any keep state

# The following ensure that packets originating from the LAN are routed out
# the correct interface. Although I have found my setup works fine without
# these, the pf gurus recommend it.
pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any

Be advised that there could be errors, as this was typed in a rush and
adapted from our own ruleset for the sake of ease of reading.

-- 
Regards
Leon Botes
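The post gives the nat/rdr and route-to/reply-to rules but none of the surrounding pieces (macros, default deny, the pass out rules that the forward path needs once a block-all is in place). The following is a complete, loadable pf.conf built around those rules as an added illustration; it is not the poster's ruleset. The interface names, addresses, networks and gateways are invented placeholders (RFC 5737 documentation ranges) to be replaced with your own, and the rules that keep LAN-to-firewall and LAN-to-DMZ traffic out of the round-robin pool, pin ports 22 and 443 to one uplink, and stop the DMZ host from initiating into the LAN are additions of mine, explained in the comments. It uses the classic FreeBSD 5.x/6.x pf grammar (separate nat/rdr section) that the post uses.

```pf
# Added illustration built around the posted rules; not the original ruleset.
# All names, addresses and gateways below are placeholders.
# Check syntax with:  pfctl -nf /etc/pf.conf   and load with:  pfctl -f /etc/pf.conf

### Macros (placeholders, substitute your own)
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_if3 = "fxp2"
int_if  = "em0"
dmz_if  = "em1"

ext_if1_ip     = "203.0.113.10"
ext_if1_router = "203.0.113.1"
ext_if2_ip     = "198.51.100.10"
ext_if2_router = "198.51.100.1"
ext_if3_ip     = "192.0.2.10"
ext_if3_router = "192.0.2.1"

private_net = "172.18.0.0/24"
dmz_srv     = "172.20.0.10"
dmz_ports   = "{ 25, 80, 110 }"
ext_ips     = "{" $ext_if1_ip $ext_if2_ip $ext_if3_ip "}"

### Options
set block-policy drop
set skip on lo0
scrub in all

### NAT / RDR (translation is applied before the filter rules see the packet)
# Source-NAT LAN and DMZ traffic to the address of whichever uplink it leaves on.
nat on $ext_if1 from { $private_net, $dmz_srv } to any -> $ext_if1_ip
nat on $ext_if2 from { $private_net, $dmz_srv } to any -> $ext_if2_ip
nat on $ext_if3 from { $private_net, $dmz_srv } to any -> $ext_if3_ip

# The published services on every uplink land on the DMZ host.
rdr on $ext_if1 inet proto tcp from any to $ext_if1_ip port $dmz_ports -> $dmz_srv
rdr on $ext_if2 inet proto tcp from any to $ext_if2_ip port $dmz_ports -> $dmz_srv
rdr on $ext_if3 inet proto tcp from any to $ext_if3_ip port $dmz_ports -> $dmz_srv

# LAN clients that use the public addresses are redirected on the inside too.
rdr on $int_if inet proto tcp from $private_net to $ext_ips port $dmz_ports -> $dmz_srv

### Filter
block log all
antispoof quick for { $int_if, $dmz_if }

# Inbound to the DMZ host: reply-to forces the answers back out the uplink the
# SYN arrived on, regardless of what the default route says.
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_if1_router) inet proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_if2_router) inet proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in quick on $ext_if3 reply-to ($ext_if3 $ext_if3_router) inet proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state

# A forwarded packet is filtered again on the interface it leaves by, so the
# redirected connections must also be allowed out onto the DMZ segment.
pass out on $dmz_if inet proto tcp from any to $dmz_srv port $dmz_ports \
    flags S/SA keep state

# route-to overrides the routing table for EVERY packet that matches its rule,
# so traffic for the firewall itself and for the DMZ host must be matched by
# quick rules before the load-balancing rule, or it would be pushed out an uplink.
pass in quick on $int_if from $private_net to self keep state
pass in quick on $int_if inet proto tcp from $private_net to $dmz_srv \
    port $dmz_ports flags S/SA keep state

# Load-balance everything else from the LAN across the three uplinks. The
# gateway is chosen when the state is created, so one connection stays on one link.
pass in on $int_if route-to \
    { ($ext_if1 $ext_if1_router), ($ext_if2 $ext_if2_router), ($ext_if3 $ext_if3_router) } \
    round-robin from $private_net to any keep state

# Services that tie a session to the client's source address (HTTPS logins, SSH)
# break when consecutive connections leave via different uplinks, so pin them to
# one link. Last matching rule wins, hence this comes after the round-robin rule.
pass in on $int_if route-to ($ext_if1 $ext_if1_router) inet proto tcp \
    from $private_net to any port { 22, 443 } flags S/SA keep state

# The DMZ host may talk to the Internet (mail delivery, updates) but must not
# initiate connections into the LAN.
pass in on $dmz_if from $dmz_srv to ! $private_net keep state

# Let the translated traffic out of the uplinks (seen with its NATed source).
pass out on { $ext_if1, $ext_if2, $ext_if3 } from $ext_ips to any keep state

# If the routing table hands a packet sourced from another uplink's address to
# the default-route interface, push it back to the gateway that owns that address.
pass out quick on $ext_if1 route-to ($ext_if2 $ext_if2_router) from $ext_if2_ip to any
pass out quick on $ext_if1 route-to ($ext_if3 $ext_if3_router) from $ext_if3_ip to any
pass out quick on $ext_if2 route-to ($ext_if1 $ext_if1_router) from $ext_if1_ip to any
pass out quick on $ext_if2 route-to ($ext_if3 $ext_if3_router) from $ext_if3_ip to any
pass out quick on $ext_if3 route-to ($ext_if1 $ext_if1_router) from $ext_if1_ip to any
pass out quick on $ext_if3 route-to ($ext_if2 $ext_if2_router) from $ext_if2_ip to any
```

After loading, `pfctl -sr` shows the expanded rules and `pfctl -ss` the states; for a connection from the LAN you should see one state on $int_if carrying the chosen route-to gateway and a second, NATed state on the uplink it was sent through. Inbound connections to the DMZ host should show a state on the uplink they arrived on plus one on $dmz_if, and their replies should leave the same uplink even when it is not the default route.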