From: Łukasz Dudek <mocart@pinco.pl>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Tue, 9 Nov 2004 14:13:34 +0100
Subject: Re: pf multipath nat

On Mon, Nov 08, 2004 at 04:21:39 +0100, Max Laier wrote:
> On Monday 08 November 2004 15:30, Łukasz Dudek wrote:
> > I've tried to configure multipath NAT using a RELENG_5 box
> > (when it was current and now when it became stable).
> >
> > This is the simplified rule schema I've been using:
> >
> > # Macros: define common values, so they can be referenced and changed easily.
> > ext_if="fxp0"
> > ext_if2="fxp2"
> > int_if="fxp1"   # replace with actual internal interface name, i.e., dc1
> > internal_net="192.168.0.1/23"
> > external_addr="10.53.28.234"
> > gateway="10.53.28.233"
> > gateway2="10.10.8.1"
> >
> > scrub in all
> >
> > # Translation: one nat rule per external interface, using that interface's address
> > nat on $ext_if  from $internal_net to any -> ($ext_if)
> > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> >
> > # Port forwards to internal hosts
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1100 -> 192.168.0.2 port 1100
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1101 -> 192.168.0.2 port 1101
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4664 -> 192.168.0.2 port 4664
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4666 -> 192.168.0.4 port 4666
> > rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4670 -> 192.168.1.4 port 4670
> > # Transparent FTP proxy listening on 127.0.0.1:8021
> > rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> > no rdr on { lo0, lo1 } from any to any
> >
> > # Default policy (pf uses last-matching-rule-wins, so "block in all" overrides "pass in all")
> > pass in all
> > pass out all
> > block in all
> >
> > # Connections owned by the ftp-proxy user
> > pass in on $ext_if  inet proto tcp from any to $ext_if  user proxy keep state
> > pass in on $ext_if2 inet proto tcp from any to $ext_if2 user proxy keep state
> >
> > # Services exposed on the primary external interface
> > pass in on $ext_if proto tcp from any to $ext_if port 22  keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 25  keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 80  keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 110 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 443 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 465 keep state
> > pass in on $ext_if proto tcp from any to $ext_if port 995 keep state
> > pass in on $ext_if proto udp from any to $ext_if port 53  keep state
> >
> > pass out on $ext_if  proto { tcp, udp, icmp } all keep state
> > pass out on $ext_if2 proto { tcp, udp, icmp } all keep state
> >
> > pass in quick on $int_if proto udp from $internal_net to 192.168.0.1 port 53 keep state
> > pass in  on $int_if proto { tcp, udp, icmp } all keep state
> > pass out on $int_if proto { tcp, udp, icmp } all keep state
> > pass in  on lo0 proto { tcp, udp, icmp } all keep state
> > pass out on lo0 proto { tcp, udp, icmp } all keep state
> >
> > # Outbound load balancing: alternate new connections between both gateways
> > pass in on $int_if \
> >     route-to { ( $ext_if $gateway), ( $ext_if2 $gateway2 ) } round-robin \
> >     from $internal_net to any keep state
> > # Packets sourced from one external address must leave via that interface's gateway
> > pass out on $ext_if2 route-to ($ext_if  $gateway)  from $ext_if  to any
> > pass out on $ext_if  route-to ($ext_if2 $gateway2) from $ext_if2 to any
>
> Are you *sure* that you had debug.mpsafenet=0 in the end? You know that it is
> only changeable during the loader and *not* in the live system?
>
Yes, I'm sure; /boot/loader.conf is the place where I keep such tunables.

Regards,
Lukasz Dudek
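The round-robin multipath NAT pattern in the quoted ruleset relies on two invariants: every interface named in the `route-to { ... } round-robin` list has its own `nat on` rule, and every external interface has a cross-interface `pass out ... route-to` rule that forces packets carrying the other interface's address back out through the right gateway. The lint below, added here as an example (not code from the thread or from pf, and no substitute for `pfctl -nf`), expands the macros of a constructed copy of those rules and reports any path that breaks either invariant; the function names and the `route-to`-only parsing are this example's own assumptions.

```python
import re

# Constructed sample: the multipath-NAT part of the ruleset quoted in the thread.
SAMPLE_PF_CONF = """
ext_if="fxp0"
ext_if2="fxp2"
int_if="fxp1"
internal_net="192.168.0.1/23"
gateway="10.53.28.233"
gateway2="10.10.8.1"
nat on $ext_if from $internal_net to any -> ($ext_if)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
pass in on $int_if \\
    route-to { ( $ext_if $gateway), ( $ext_if2 $gateway2 ) } round-robin \\
    from $internal_net to any keep state
pass out on $ext_if2 route-to ($ext_if $gateway) from $ext_if to any
pass out on $ext_if route-to ($ext_if2 $gateway2) from $ext_if2 to any
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def expand_rules(conf):
    """Join backslash-continued lines, drop macro definitions and comments,
    substitute $macro references and normalise whitespace."""
    conf = conf.replace("\\\n", " ")
    macros = dict(MACRO_RE.findall(conf))
    rules = []
    for line in conf.splitlines():
        line = " ".join(line.split())
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue
        rules.append(re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line))
    return rules

def check_multipath(conf):
    """Return a list of problems in the round-robin route-to pattern; [] means
    every path has its own nat rule and its return-path rule."""
    rules = expand_rules(conf)
    problems = []
    for rule in rules:
        m = re.search(r"route-to \{(.*?)\} round-robin", rule)
        if not m:
            continue
        paths = re.findall(r"\(\s*(\S+)\s+(\S+?)\s*\)", m.group(1))
        for ifname, gw in paths:
            # Each external interface needs its own address translation.
            if not any(r.startswith(f"nat on {ifname} ") for r in rules):
                problems.append(f"no nat rule on {ifname} (route-to via {gw})")
            # Packets carrying this interface's address seen on the other interface
            # must be pushed back out via this interface's gateway.
            for other, _ in paths:
                if other == ifname:
                    continue
                want = f"pass out on {other} route-to ({ifname} {gw}) from {ifname}"
                if not any(r.startswith(want) for r in rules):
                    problems.append(f"missing: {want} to any")
    return problems

if __name__ == "__main__":
    print(check_multipath(SAMPLE_PF_CONF) or "multipath NAT rules look consistent")
```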