Date: Tue, 20 Oct 2009 01:20:22 +0100
From: István <leccine@gmail.com>
To: Jed Gainer <jedgainer@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF - load balancing outgoing connections
Message-ID: <b8592ed80910191720x18cd7e62u667f76e2bd72dc0a@mail.gmail.com>
In-Reply-To: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
References: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
What does pflogd say about this? I mean, have you tried to enable logging and check it?

http://www.openbsd.org/cgi-bin/man.cgi?query=pflogd&sektion=8

Regards,
Istvan

On Mon, Oct 19, 2009 at 4:48 PM, Jed Gainer <jedgainer@gmail.com> wrote:
> I wanted to set up a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS. After getting it up and running, and
> acting as a gateway just using one WAN via
>
> # macros
> wan1="nfe0"
> lan1="rl0"
>
> pc1="10.0.0.2"
> xb1="10.0.0.3"
>
> # options
> #set block-policy return
> #set loginterface $wan1
> set skip on lo0
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $wan1 from !($wan1) -> ($wan1:0) static-port
>
> # uTorrent
> rdr on $wan1 proto tcp from any to any port 41016 -> $pc1
>
> # Xbox Live
> rdr on $wan1 proto {tcp, udp} from any to any port 3074 -> $xb1
>
> I decided to try the load balancing and came up with quite a few different
> pf.confs that did not work; my LAN just lost all connectivity when I loaded
> them.
>
> lan1r = "10.0.0.0/24"
> lan1 = "rl0"
> wan1 = "nfe0"
> wan2 = "rl1"
> gw1 = "10.0.1.2"
> gw2 = "10.0.2.2"
>
> # nat outgoing connections on each internet interface
> nat on $wan1 from $lan1r to any -> ($wan1) #static-port
> nat on $wan2 from $lan1r to any -> ($wan2) #static-port
>
> # default deny
> block in from any to any
> block out from any to any
>
> # pass all outgoing packets on internal interface
> pass out on $lan1 from any to $lan1r
>
> # pass in quick any packets destined for the gateway itself
> pass in quick on $lan1 from $lan1r to $lan1
>
> # load balance outgoing tcp traffic from internal network.
> pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto tcp from $lan1r to any flags S/SA modulate state
>
> # load balance outgoing udp and icmp traffic from internal network
> pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto { udp, icmp } from $lan1r to any keep state
>
> # general "pass out" rules for external interfaces
> pass out on $wan1 proto tcp from any to any flags S/SA modulate state
> pass out on $wan1 proto { udp, icmp } from any to any keep state
> pass out on $wan2 proto tcp from any to any flags S/SA modulate state
> pass out on $wan2 proto { udp, icmp } from any to any keep state
>
> # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
> pass out on $wan1 route-to ($wan2 $gw2) from $wan2 to any
> pass out on $wan2 route-to ($wan1 $gw1) from $wan1 to any
>
> ... and ...
>
> lan = rl0
> wan1 = nfe0
> wan2 = rl1
> wan1_gw = 173.183.32.254
> wan2_gw = 10.0.1.2
>
> nat on $wan1 from any to any -> ($wan1)
> nat on $wan2 from any to any -> ($wan2)
>
> pass in quick on $lan route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } \
> round-robin inet from ($lan:network) to any flags S/SA keep state
>
> Neither of the above worked, nor the many other attempts I made.
>
> No errors are reported when I `pfctl -f /etc/pf.lb.conf` and my LAN loses
> internet connectivity.
>
> Does anyone see the problem? I can ping Google fine using either WAN as
> default route so it has to be my PF conf.
>
> I am at the point where I will pay someone to get it working!
> --
> ~ Jed Gainer
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
the sun shines for all
http://l1xl1x.blogspot.com
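Istvan's pointer to pflogd, carried through as an added example that is not part of the thread: pf only writes a packet to pflog when the rule that matched it carries the `log` keyword, so the two `block` rules in Jed's first config would have to become `block log in` / `block log out` before pflogd records anything. The script below is my own, not Jed's or Istvan's; the log lines in it are constructed samples in the text format that `tcpdump -n -e -ttt -r /var/log/pflog` prints, reusing the interface names and LAN addresses from the configs above, and the rule numbers in them are assumed.

```shell
#!/bin/sh
# Added example: summarize what pflogd captured, to see which rule and
# interface is dropping the LAN's traffic once load balancing is loaded.
#
# Steps on the gateway (not run here):
#   1. in pf.conf, change the default-deny rules to
#        block log in from any to any
#        block log out from any to any
#   2. reload:        pfctl -f /etc/pf.conf
#   3. read the log:  tcpdump -n -e -ttt -r /var/log/pflog > /tmp/pflog.txt
#      (or watch live: tcpdump -n -e -ttt -i pflog0)
#   4. feed the text to summarize_blocks below; map the rule numbers back
#      to rules with `pfctl -vvsr`, which prefixes each rule with @N.

# Constructed sample of tcpdump's pflog output (rule numbers are assumed).
SAMPLE_PFLOG='000000 rule 1/0(match): block in on rl0: 10.0.0.2.49152 > 8.8.8.8.53: UDP, length 40
000123 rule 2/0(match): block out on nfe0: 10.0.0.2.49153 > 173.194.33.99.80: Flags [S], seq 1, win 65535, length 0
000098 rule 2/0(match): block out on rl1: 10.0.0.3.3074 > 65.55.42.10.3074: UDP, length 128
000200 rule 0/0(match): pass in on rl0: 10.0.0.2.49154 > 10.0.0.1.22: Flags [S], seq 2, win 65535, length 0
000045 rule 2/0(match): block out on nfe0: 10.0.0.3.49155 > 173.194.33.99.443: Flags [S], seq 3, win 65535, length 0'

# Count blocked packets per "rule direction interface".
# Input on stdin: tcpdump -e text. Output: "count rule dir iface", most frequent first.
summarize_blocks() {
    awk '
        /\(match\): block / {
            # fields: $1 time, $2 "rule", $3 "N/M(match):", $4 "block",
            #         $5 in|out, $6 "on", $7 "iface:"
            rule = $3;  sub(/\(match\):/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            count[rule " " $5 " " iface]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Total number of blocked packets in the input (stdin).
total_blocked() {
    grep -c '(match): block '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
printf 'blocked packets: %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | total_blocked)"
```

On the sample, the top line is `2 2/0 out nfe0`: the outbound block rule on the first WAN drops the most, and the interface column shows whether traffic that route-to sent out the second WAN is being dropped there too, which is the first thing to check against the `pass out` rules on $wan1 and $wan2.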
