From: "Chris Dionissopoulos" <dionch@freemail.gr>
To: "Stephane Raimbault", freebsd-pf@freebsd.org
Date: Tue, 25 Jan 2005 19:17:13 +0200
Subject: Re: route-to rule.
Message-ID: <004a01c50301$b82c2a80$0100000a@R3B>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf@freebsd.org>

Sorry, my fault, I didn't notice your 4th interface.
Try this one:

--------------pf.conf-------------
set state-policy if-bound

#MACROS
lan = rl0
ext_if1 = rl1
ext_if2 = rl2
vpn_if = tun0
internal_net = "10.1.0.0/24"
vpn_net =
gw1 =
gw2 =
vpn_gw =
# pf.conf(5) macro names must start with a letter, so the
# (interface gateway) pairs are called wan1/wan2 rather than 1/2
wan1 = "(" $ext_if1 $gw1 ")"
wan2 = "(" $ext_if2 $gw2 ")"
vpn = "(" $vpn_if $vpn_gw ")"

#NAT
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#RULES
#local lan
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wan(s) and vpn
# states are if-bound: an inbound connection is tagged with the interface it
# arrived on, and the matching outbound state on $lan carries a reply-to so
# the answer goes back through the same gateway
pass in on $ext_if1 tag $ext_if1 keep state
pass out on $lan reply-to $wan1 tagged $ext_if1 keep state
pass in on $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $wan2 tagged $ext_if2 keep state
pass in on $vpn_if tag $vpn_if keep state
pass out on $lan reply-to $vpn tagged $vpn_if keep state

# balance
pass in on $lan route-to { $wan1 $wan2 } round-robin keep state
# last matching rule wins, so traffic for $vpn_net takes the tunnel instead
pass in on $lan route-to { $vpn } from $lan:network to $vpn_net keep state

#OUT
# one outbound rule per upstream, so an if-bound state is created on the
# interface the packet actually leaves on
pass out on $ext_if1 route-to $wan1 keep state
pass out on $ext_if2 route-to $wan2 keep state
pass out on $vpn_if route-to $vpn keep state
----------------------------

Does this work?

Chris.

----- Original Message -----
From: "Stephane Raimbault"
To:
Sent: Tuesday, January 25, 2005 6:55 PM
Subject: Re: route-to rule.

> Okay, I gave this a try and this is what I saw.
>
> lan traffic was being load balanced over the wan interfaces
> binat traffic seemed to be working over one of the wan interfaces as
> intended.
> however tun0 (vpn traffic) was not working from the internal_lan.
>
> I could ping across the tun0 from the pf box, but the lan couldn't get
> across it.
>
> So I need to try to figure that part out, also lan traffic does not have
> to be load balanced across the 2 wan interfaces, but I'm guessing I just
> need to specify that in the balance part?
> I removed the binat lines but
> this is what I have in my pf.conf now:
>
> set state-policy if-bound
>
> lan = rl0
> ext_if1 = rl1
> ext_if2 = rl2
> gw1 =
> gw2 =
>
> wan1 = "(" $ext_if1 $gw1 ")"
> wan2 = "(" $ext_if2 $gw2 ")"
>
> internal_net = "10.1.0.0/24"
>
> nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>
> #local
> pass in quick on $lan inet from $lan:network to $lan keep state
> pass out quick on $lan inet from $lan to $lan:network keep state
>
> #wans
> pass in on $ext_if1 tag $ext_if1 keep state
> pass out on $lan reply-to $wan1 tagged $ext_if1 keep state
>
> pass in on $ext_if2 tag $ext_if2 keep state
> pass out on $lan reply-to $wan2 tagged $ext_if2 keep state
>
> # balance
> pass in on $lan route-to { $wan1 $wan2 } round-robin keep state
>
> #OUT
> pass out on $ext_if1 route-to $wan1 keep state
> pass out on $ext_if2 route-to $wan2 keep state
>
> Any further suggestions?

____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.
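An added note, not part of either message above. The WAN rules in both configs, "pass in on $ext_if1 tag $ext_if1 keep state" and its $ext_if2 twin, carry no proto, port or destination, so they accept every inbound packet on both upstream links and create a state for each one. The tag only has to be present on connections you actually want to let in, so the same tag/tagged/reply-to scheme works just as well behind a default-deny rule. The fragment below is example config written for this page, not from the thread, and shows the open rule beside a restricted one for services that terminate on the pf box. $wan_services, $vpn_port and $mgmt_src are assumed values, as are the gateway addresses and the use of 192.0.2.10 as the management host; the interface macros are the thread's. Because state-policy is if-bound, a locally generated reply that the routing table has already sent toward the default upstream with the other link's source address does not find the inbound state, so the last two pass out rules push it back out the right link, in the style of the PF FAQ multi-WAN example.

```pf
# Added example, not from the thread: default-deny inbound on both upstreams,
# with reply-to on each accepted service so answers leave by the link the
# request arrived on. Assumed values: gateways, $wan_services, $vpn_port,
# $mgmt_src (all documentation-range addresses).
set state-policy if-bound
set skip on lo0

lan     = rl0
ext_if1 = rl1
ext_if2 = rl2
gw1     = "198.51.100.1"       # assumed: first provider's gateway
gw2     = "203.0.113.1"        # assumed: second provider's gateway
wan1 = "(" $ext_if1 $gw1 ")"
wan2 = "(" $ext_if2 $gw2 ")"

wan_services = "{ 25, 443 }"   # assumed: TCP services published on the WAN side
vpn_port     = "1194"          # assumed: UDP port the tunnel daemon listens on
mgmt_src     = "192.0.2.10"    # assumed: the only host allowed to ssh in

# weak (as in the thread): every inbound packet on the upstreams gets a state
#pass in on $ext_if1 tag $ext_if1 keep state
#pass in on $ext_if2 tag $ext_if2 keep state

# tighter: drop and log by default, then open only what is needed
block in log on { $ext_if1 $ext_if2 }
antispoof quick for $lan

# the tunnel daemon runs on the pf box itself; reply-to keeps its answers
# on the link the peer used
pass in on $ext_if1 reply-to $wan1 proto udp to ($ext_if1) port $vpn_port keep state
pass in on $ext_if2 reply-to $wan2 proto udp to ($ext_if2) port $vpn_port keep state

# published TCP services, new connections only (SYN without ACK)
pass in on $ext_if1 reply-to $wan1 proto tcp to ($ext_if1) port $wan_services \
    flags S/SA keep state
pass in on $ext_if2 reply-to $wan2 proto tcp to ($ext_if2) port $wan_services \
    flags S/SA keep state

# management: one source address, one upstream, nothing else reaches sshd
pass in on $ext_if1 reply-to $wan1 proto tcp from $mgmt_src to ($ext_if1) port 22 \
    flags S/SA keep state

# if-bound states: a locally generated reply that the routing table already
# sent to the default upstream with the other link's source address does not
# match the inbound state, so re-route it out the right link (PF FAQ pattern)
pass out on $ext_if1 route-to $wan2 from ($ext_if2) to any keep state
pass out on $ext_if2 route-to $wan1 from ($ext_if1) to any keep state
```

Load it with "pfctl -nf" first to catch syntax errors, and watch "pfctl -ss" while connecting from outside on each upstream: every accepted connection should show one state on the interface it arrived on, and the block-in rule's log counter ("pfctl -vsr") shows how much unsolicited traffic the open version was silently admitting.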