From owner-freebsd-pf@FreeBSD.ORG Fri Mar 21 14:17:37 2008
From: "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
To: freebsd-pf@freebsd.org
References: <00a101c88ae0$67c88100$37598300$@net> <395851.92404.qm@web38209.mail.mud.yahoo.com>
In-Reply-To: <395851.92404.qm@web38209.mail.mud.yahoo.com>
Date: Fri, 21 Mar 2008 14:17:27 -0000
Message-ID: <00b101c88b5e$4b63fd90$e22bf8b0$@net>
Subject: RE: route-to not working
List-Id: "Technical discussion and general questions about packet filter (pf)"

> --- Wesley wrote:
> >
> > Dear people,
> >
> > I have 2 links on a box, and I don't want to load balance it, but
> > only to reply to requests on the same interface that they come in on.
> >
> > I tried to use route-to, but it does not seem to work.
> >
> > Could you please give me some help?
>
> Looking at your config, most of your traffic is blocked since pf (if I
> remember correctly) works on last rule matching except for "quick".
> You might want to read the FAQs again at
> http://www.openbsd.org/faq/pf/index.html
>
> It has some good examples with detailed explanations of each part of
> the pf configuration. As for replying on the external interface, you can
> use something like this:
>
> pass in quick on xl0 reply-to (xl0 $Gateway_IP_xl0) \
>     proto tcp from any to any port { 22, 21, 1194 } keep state
>
> However, I remember reading somewhere that reply-to is broken on
> FreeBSD, and I couldn't get reply-to to work properly on my box.
> Someone please correct me on this if I'm wrong.
>
> BTW, route-to is not only used for outbound load balancing. You can
> use it to route certain destinations via certain interfaces without
> having to mess around with the routing table ;)
>
> Regards,
> Tommy
>
> > It's my configuration:
> >
> > set skip on lo0
> > scrub on xl0 reassemble tcp no-df random-id
> > scrub on xl1 reassemble tcp no-df random-id
> > scrub on dc0 reassemble tcp no-df random-id
> > nat on xl0 from 172.16.0.0/24 to any -> (xl0) static-port
> > rdr on dc0 inet proto tcp to port 80 -> 127.0.0.1 port 3128 round-robin sticky-address
> > antispoof quick for {xl0,dc0,xl1}
> > block proto tcp from 172.16.0.0/24 to any port 3128
> > # Internal Traffic
> > pass in quick on dc0 from any to any
> > pass out quick on dc0 from any to any
> > # Outgoing
> > pass out on xl0 proto tcp all flags S/SA modulate state
> > pass out on xl0 proto { udp, icmp } all keep state
> > pass out on xl1 proto tcp all flags S/SA modulate state
> > pass out on xl1 proto { udp, icmp } all keep state
> > # Pass basic services
> > pass in quick on xl1 proto tcp from any to any port { 22, 21, 1194 } keep state
> > pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state
> > pass in on xl0 proto udp from any to any port 53
> > pass in on xl1 proto udp from any to any port 53
> > # Pass VPN
> > pass in quick on xl1 proto udp from any to port 1194 keep state
> > pass quick on tun0
> > # Source nat route
> > pass out log on xl0 route-to ( xl1 200.232.164.1 ) from xl1 to any
> > pass out on xl1 route-to ( xl0 201.83.16.1 ) from xl0 to any
> > # Close
> > block return-rst in log quick on xl0 inet proto tcp from any to any
> > block return-rst in log quick on xl1 inet proto tcp from any to any
> > block return-icmp in log quick on xl0 proto udp from any to any
> > block return-icmp in log quick on xl1 proto udp from any to any
> > block in quick on xl0 all
> > block in quick on xl1 all
> >
> > Best Regards,
> >
> > Wesley Gentine
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> Hi Wesley
>
> Here are the rules I use for that purpose on my server (I'm still in the
> middle of setting it up).
> It works best on incoming connections; I just need to include the
> outgoing to balance and figure out ftp.
>
> I noticed one thing that I can't explain myself: if I use a macro for
> the external IP instead of having the actual outside interface IP
> addresses in the "pass in" rules, the whole thing blows up and stops
> working.
>
> example:
> inet proto tcp from any to 192.168.254.10 is good
> inet proto tcp from any to $ ext_if1_IP is bad and not working

Is the space between $ and ext_if1_IP a bad typo or intended? If intended,
that's why your rule failed. If you look at the screen log, it will tell
you what the error is. It should be $ext_if1_IP.

Regards,
Tommy

> here is my config:
>
> ext_if1="rl0"
> ext_if2="rl1"
> ext_if1_IP="192.168.1.10"
> ext_if2_IP="192.168.254.10"
>
> ext_gw1="192.168.1.254"
> ext_gw2="192.168.254.254"
> public_services = "{ 80, 443, 873, 1701 ,1721, 1723 }"
>
> pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
>     inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
>
> pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
>     inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
>
> pass in quick log on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
>     inet proto udp from any to 192.168.1.10 port $public_services keep state
>
> pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
>     inet proto udp from any to 192.168.254.10 port $public_services keep state

Hi Tommy

It was just a typo in the email. What I noticed is that reply-to seems to
interfere with route-to, which more or less knocks it out in the config I
have below.

I'm glad that someone has raised the issue about reply-to, because I have
searched the internet for days and could not find much.

Here is my config, just for reference.

Thanks
Torsten

###############################################################################################
##MACROS
###############################################################################################
SYN_ONLY="S/FSRA"
icmp_types = "echoreq"
ext_if1="rl0"
ext_if2="rl1"
ext_if1_IP="192.168.1.10"
ext_if2_IP="192.168.254.10"
ext_gw1="192.168.1.254"
ext_gw2="192.168.254.254"
int_if="rl2"
vpn_if="{ ng0, ng1, ng2, ng3, ng4 }"
int_net="192.168.100.0/24"
public_services = "{ 20, 21, 80, 443, 873, 1701 ,1721, 1723 }"
no_balance = "{ !=21, !=37, !=53, !=443, !=80, !=873 }"
###############################################################################################
##TABLES AND OPTIONS
###############################################################################################
# blacklist host
table persist file "/usr/local/etc/pf/pf.blacklist"
# unrestricted internal hosts
table persist file "/usr/local/etc/pf/pf.savehosts"
# no loadbalanced PC's
table persist file "/usr/local/etc/pf/pc_no_balance"
# no loadbalance to Hosts
table persist file "/usr/local/etc/pf/hosts_no_balance"

## GLOBAL OPTIONS
set block-policy return
set loginterface $ext_if1
set loginterface $ext_if2
set loginterface $int_if
set optimization normal
set skip on lo0

## TRAFFIC NORMALIZATION
scrub in all no-df
scrub out all no-df
###############################################################################################
## TRANSLATION RULES (NAT)
###############################################################################################
# NAT for the whole office to the internet
nat on $ext_if1 from $int_net to any -> $ext_if1
nat on $ext_if2 from $int_net to any -> $ext_if2
###############################################################################################
## FILTER RULES
###############################################################################################
# in general block all connections and allow later below
block in log all
# allow any connection from the server to go out
pass out keep state
# allow any connections from internal network
pass in log quick on lo0
pass in log quick on $int_if
pass in log quick on $vpn_if
# allow public ports to connect and route back to both routers
# pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp from any to 192.168.1.10 port $public_services flags S/SA modulate state
# pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp from any to 192.168.254.10 port $public_services flags S/SA modulate state
# pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto udp from any to 192.168.1.10 port $public_services keep state
# pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto udp from any to 192.168.254.10 port $public_services keep state
# blacklist spam networks and so on
block log from to any
block log from any to
# VPN GRE PROTOCOL
pass in proto gre all keep state
pass out proto gre all keep state
# make sure no one spoofs internal addresses
antispoof log for { $ext_if1 $ext_if2 }
#allow ping request from anywhere but filter it
pass in log inet proto icmp all icmp-type $icmp_types keep state
#load balance over two routers#################################################################
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { tcp } from $int_net to any keep state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $int_net to any keep state
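Two points in the thread are easy to get wrong when reading a ruleset by eye: Tommy's observation that pf takes the last matching rule unless a matching rule carries `quick`, and the reason reply-to is used on a dual-homed host (replies for a state created by such a rule leave through the named interface and gateway instead of following the routing table). The script below is an added illustration, not code from this thread and not pf's own implementation: a toy evaluator for the pf.conf subset the posters used (no macros, no address matching, no options beyond `quick` and `reply-to`). The sample rulesets are constructed from Wesley's and Torsten's messages, with Torsten's macros expanded by hand to a two-port subset of his `$public_services`, and the default route is an assumed value.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str]             # "in", "out", or None for both
    iface: Optional[str]                 # None = any interface
    protos: Optional[Set[str]]           # None = any protocol
    dports: Optional[Set[int]]           # None = any destination port
    quick: bool                          # ends evaluation when matched
    reply_to: Optional[Tuple[str, str]]  # (interface, gateway) or None
    text: str                            # original line, for diagnostics

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def _values_after(tokens, key):
    """Values following `key`: one token or a pf-style { a, b, c } list."""
    if key not in tokens:
        return None
    i = tokens.index(key) + 1
    return set(tokens[i + 1:tokens.index("}", i)]) if tokens[i] == "{" else {tokens[i]}

def parse_rule(text):
    """Parse the pf.conf subset seen in the thread (hand-written parser, not pfctl's)."""
    tokens = re.findall(r"[{}()]|[^\s{}(),]+", text)
    direction = next((t for t in tokens if t in ("in", "out")), None)
    iface = tokens[tokens.index("on") + 1] if "on" in tokens else None
    ports = _values_after(tokens, "port")
    reply_to = None
    if "reply-to" in tokens:                      # reply-to ( iface gateway )
        i = tokens.index("reply-to")
        reply_to = (tokens[i + 2], tokens[i + 3])
    return Rule(tokens[0], direction, iface, _values_after(tokens, "proto"),
                {int(p) for p in ports} if ports else None,
                "quick" in tokens, reply_to, text)

def matches(rule, pkt):
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and (rule.protos is None or pkt.proto in rule.protos)
            and (rule.dports is None or pkt.dport in rule.dports))

def trace(rules, pkt):
    """All matching rules in order, ending with the one that decides the packet:
    last match wins unless a matching rule says 'quick', which stops evaluation
    on the spot. Every entry before the last is a rule that lost."""
    matched = []
    for rule in rules:
        if matches(rule, pkt):
            matched.append(rule)
            if rule.quick:
                break
    return matched

def decide(rules, pkt, default_route):
    """(action, reply_path). A winning pass rule with reply-to pins where replies
    for the resulting state leave; otherwise the routing table (default_route)
    decides, which on a dual-homed box may be the other link."""
    matched = trace(rules, pkt)
    if not matched:
        return "pass", default_route         # pf passes when nothing matches
    winner = matched[-1]
    if winner.action == "block":
        return "block", None
    return "pass", winner.reply_to or default_route

# Constructed samples: a slice of Wesley's ruleset, in his order ...
WESLEY_RULES = [parse_rule(r) for r in (
    "pass in quick on xl0 proto tcp from any to any port { 22, 21, 1194 } keep state",
    "pass in on xl0 proto udp from any to any port 53",
    "block return-rst in log quick on xl0 inet proto tcp from any to any",
    "block return-icmp in log quick on xl0 proto udp from any to any",
    "block in quick on xl0 all",
)]
# ... and Torsten's reply-to rules with his macros expanded by hand.
TORSTEN_RULES = [parse_rule(r) for r in (
    "block in log all",
    "pass in quick log on rl0 reply-to ( rl0 192.168.1.254 ) inet proto tcp "
    "from any to 192.168.1.10 port { 80, 443 } flags S/SA modulate state",
    "pass in quick log on rl1 reply-to ( rl1 192.168.254.254 ) inet proto tcp "
    "from any to 192.168.254.10 port { 80, 443 } flags S/SA modulate state",
)]
DEFAULT_ROUTE = ("rl0", "192.168.1.254")     # assumed: the box's default gateway

if __name__ == "__main__":
    for pkt in (Packet("in", "xl0", "udp", 53), Packet("in", "xl0", "tcp", 22)):
        path = trace(WESLEY_RULES, pkt)
        print(pkt, "->", path[-1].action, "by:", path[-1].text)
        for lost in path[:-1]:
            print("    overridden by a later match (no quick):", lost.text)
    # Inbound HTTPS on the second link: replies go back via rl1, not the default route
    print(decide(TORSTEN_RULES, Packet("in", "rl1", "tcp", 443), DEFAULT_ROUTE))
```

Run against Wesley's slice, inbound DNS on xl0 matches his non-quick `pass in on xl0 proto udp ... port 53` but is then overridden by the later `block return-icmp ... quick` rule, which is the effect Tommy describes; SSH on xl0 survives only because its pass rule is `quick`. Against Torsten's rules, a connection arriving on rl1 carries its reply path back through rl1's gateway rather than the default route. The model keeps no state table and ignores addresses, so it says nothing about the route-to/reply-to interaction Torsten reports; `pfctl -vvsr` and `pfctl -ss` on the real box are the place to confirm which rule and which state actually won.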