From: "Stephane Raimbault"
To: dionch@freemail.gr, freebsd-pf@freebsd.org
Date: Tue, 25 Jan 2005 09:55:19 -0700
Subject: Re: route-to rule.

Okay, I gave this a try and this is what I saw.

LAN traffic was being load balanced over the WAN interfaces. binat traffic seemed to be working over one of the WAN interfaces as intended. However, tun0 (VPN traffic) was not working from the internal_lan. I could ping across the tun0 from the pf box, but the LAN couldn't get across it.

So I need to try to figure that part out. Also, LAN traffic does not have to be load balanced across the 2 WAN interfaces, but I'm guessing I just need to specify that in the balance part?

I removed the binat lines but this is what I have in my pf.conf now:

set state-policy if-bound

lan = rl0
ext_if1 = rl1
ext_if2 = rl2
gw1 =
gw2 =
1 = "(" $ext_if1 $gw1 ")"
2 = "(" $ext_if2 $gw2 ")"
internal_net="10.1.0.0/24"

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#local
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wans
pass in on $ext_if1 tag $ext_if1 keep state
pass out on $lan reply-to $1 tagged $ext_if1 keep state
pass in on $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $2 tagged $ext_if2 keep state

# balance
pass in on $lan route-to { $1 $2 } round-robin keep state

#OUT
pass out on $ext_if1 route-to $1 keep state
pass out on $ext_if1 route-to $2 keep state

Any further suggestions?

Thanks,
Stephane.

>From: "Chris Dionissopoulos"
>Reply-To: Chris Dionissopoulos
>To:
>Subject: Re: route-to rule.
>Date: Tue, 25 Jan 2005 01:50:38 +0200
>
>Yes. You can do binat on one or both interfaces,
>the same or different source ip address.
>Please test it and send us feedback.
>
>Chris.
>
>----- Original Message ----- From: "Stephane Raimbault"
>To:
>Cc:
>Sent: Tuesday, January 25, 2005 1:43 AM
>Subject: RE: route-to rule.
>
>
>>Hi, I also have some binats set up for some servers, however they are only
>>on one interface... Can I simply add these binat rules to the
>>suggested pf.conf file?
>>
>>binat on $ext_if1 from $server1_int to any -> $server1_out
>>binat on $ext_if1 from $server2_int to any -> $server2_out
>>
>>where server?_int = internal IP and server?_out = public IP?
>>