From: István <leccine@gmail.com>
To: Jed Gainer
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Oct 2009 01:20:22 +0100
Subject: Re: PF - load balancing outgoing connections
List-Id: "Technical discussion and general questions about packet filter (pf)"

What does pflogd say about this? I mean, have you tried to enable logging and check it?

http://www.openbsd.org/cgi-bin/man.cgi?query=pflogd&sektion=8

Regards,
Istvan

On Mon, Oct 19, 2009 at 4:48 PM, Jed Gainer wrote:
> I wanted to set up a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS. After getting it up and running, and
> acting as a gateway just using one WAN via
>
> # macros
> wan1="nfe0"
> lan1="rl0"
>
> pc1="10.0.0.2"
> xb1="10.0.0.3"
>
> # options
> #set block-policy return
> #set loginterface $wan1
> set skip on lo0
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $wan1 from !($wan1) -> ($wan1:0) static-port
>
> # uTorrent
> rdr on $wan1 proto tcp from any to any port 41016 -> $pc1
>
> # Xbox Live
> rdr on $wan1 proto {tcp, udp} from any to any port 3074 -> $xb1
>
> I decided to try the load balancing and came up with quite a few different
> pf.confs that did not work; my LAN just lost all connectivity when I loaded
> them.
>
> lan1r = "10.0.0.0/24"
> lan1 = "rl0"
> wan1 = "nfe0"
> wan2 = "rl1"
> gw1 = "10.0.1.2"
> gw2 = "10.0.2.2"
>
> # nat outgoing connections on each internet interface
> nat on $wan1 from $lan1r to any -> ($wan1) #static-port
> nat on $wan2 from $lan1r to any -> ($wan2) #static-port
>
> # default deny
> block in from any to any
> block out from any to any
>
> # pass all outgoing packets on internal interface
> pass out on $lan1 from any to $lan1r
>
> # pass in quick any packets destined for the gateway itself
> pass in quick on $lan1 from $lan1r to $lan1
>
> # load balance outgoing tcp traffic from internal network.
> pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto tcp from $lan1r to any flags S/SA modulate state
>
> # load balance outgoing udp and icmp traffic from internal network
> pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto { udp, icmp } from $lan1r to any keep state
>
> # general "pass out" rules for external interfaces
> pass out on $wan1 proto tcp from any to any flags S/SA modulate state
> pass out on $wan1 proto { udp, icmp } from any to any keep state
> pass out on $wan2 proto tcp from any to any flags S/SA modulate state
> pass out on $wan2 proto { udp, icmp } from any to any keep state
>
> # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
> pass out on $wan1 route-to ($wan2 $gw2) from $wan2 to any
> pass out on $wan2 route-to ($wan1 $gw1) from $wan1 to any
>
> ... and ...
>
> lan = rl0
> wan1 = nfe0
> wan2 = rl1
> wan1_gw = 173.183.32.254
> wan2_gw = 10.0.1.2
>
> nat on $wan1 from any to any -> ($wan1)
> nat on $wan2 from any to any -> ($wan2)
>
> pass in quick on $lan route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } \
>     round-robin inet from ($lan:network) to any flags S/SA keep state
>
> Neither of the above worked, nor the many other attempts I made.
>
> No errors are reported when I `pfctl -f /etc/pf.lb.conf` and my LAN loses
> internet connectivity.
>
> Does anyone see the problem? I can ping Google fine using either WAN as
> default route, so it has to be my PF conf.
>
> I am at the point where I will pay someone to get it working!
> --
> ~ Jed Gainer
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
the sun shines for all
http://l1xl1x.blogspot.com
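The logging suggestion above only helps if the rules that drop traffic carry pf's `log` keyword, because pflogd(8) records only logged matches and Jed's default-deny `block` rules have none. The following Python helper is an added example, not code from either poster: it expands the macros of a ruleset excerpt constructed from the first configuration quoted above, lists the block rules that lack `log`, and rewrites them so the drops become visible on pflog0.

```python
import re

# Constructed excerpt of the first load-balancing ruleset quoted in the thread.
PF_LB_CONF = """\
lan1r = "10.0.0.0/24"
lan1 = "rl0"
wan1 = "nfe0"
wan2 = "rl1"
gw1 = "10.0.1.2"
gw2 = "10.0.2.2"
nat on $wan1 from $lan1r to any -> ($wan1) #static-port
nat on $wan2 from $lan1r to any -> ($wan2) #static-port
# default deny
block in from any to any
block out from any to any
pass in quick on $lan1 from $lan1r to $lan1
pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto tcp from $lan1r to any flags S/SA modulate state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"#]+?)"?$')

def parse(conf):
    """Split pf.conf text into a macro dict and the rule lines with $macros expanded."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        elif line:
            rules.append(line)
    def expand(rule):
        return re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), rule)
    return macros, [expand(r) for r in rules]

def unlogged_blocks(rules):
    """Block rules without the 'log' keyword: packets they drop never reach pflog0."""
    return [r for r in rules if r.split()[0] == "block" and "log" not in r.split()]

def add_log_to_blocks(conf):
    """Return conf with 'log' added to every unlogged block rule so pflogd(8) records the drops."""
    out = []
    for raw in conf.splitlines():
        toks = raw.split()
        if toks and toks[0] == "block" and "log" not in toks:
            pos = 2 if len(toks) > 1 and toks[1] in ("in", "out") else 1   # log follows the direction
            toks.insert(pos, "log")
            raw = " ".join(toks)
        out.append(raw)
    return "\n".join(out) + "\n"
```

After loading the rewritten ruleset, `tcpdump -n -e -ttt -i pflog0` shows which rule dropped each LAN packet, which is the evidence the reply asks for.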