Dual-feed: PF setup troubles

Nils Vogels nivo+sender+38c70d at yuckfou.org
Sun Aug 14 13:31:26 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hi there!

I've got two internet connections with two different ISPs and would
like to use one for my own use, while the other serves various
services from various servers inside my network and directly on the
firewall.

Both connections end up at one firewall. The firewall has one
default route to ISP1, and I would like to have PF find out if the
packet needs to travel to ISP1 or ISP2, based on the IP address
information of the request.

Right now, I'm trying things like this, but for some reason they don't
work:

[ I have taken DNS as an example here, but there are various TCP and
UDP based services that seem to have this problem. ]

ISP1 = "xl0"
ISP2 = "ed0"
LAN = "rl0"

ipv4_isp1      = "1.1.1.1/32"       # My interface IP to ISP1
ipv4_isp2      = "2.2.2.2/32"       # My interface IP to ISP2
ipv4_gw_isp2   = "2.2.2.1"          # ISP2's gateway IP
ipv4_lan_range = "172.16.0.0/16"    # My local network

# Set up NAT for my connections
nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Handle incoming traffic for my DNS server
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto udp \
    from any port > 1023 to $ipv4_isp2 port 53 keep state

# Handle outgoing traffic, originated locally
pass out quick log on $ISP2 route-to ($ISP2 $ipv4_gw_isp2) proto udp \
    from $ipv4_isp2 to any port 53 keep state

Looking into the logs, I see the incoming connection coming in and
being accepted, however, I do not see the outgoing originating packets
being logged.

When I run tcpdump to troubleshoot, I see packets with source IP
$ipv4_isp2 travelling over interface $ISP1, and thus, I get no reply.
I must be running into some anti-spoofing lists at ISP1.

I have my nameserver bound to the interface IP address $ipv4_isp2.

Apart from my setup being somewhat unusual, could someone maybe point
out what I am doing wrong here?
Thanks a bunch!

Nils.

- --
Simple guidelines to happiness:
Work like you don't need the money,
love like your heart has never been broken and
dance like no one can see you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: GnuPT 2.6.2.1 by EQUIPMENTE.DE
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFC/0efMzNX/a06Wq0RAg6+AJ4wG+kl1NNv3zMZ4ZNdO/bayWG0hwCfYQXh
LstDGe+xFPJ3bHUvuGSdGjE=
=49OP
-----END PGP SIGNATURE-----
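
The tcpdump observation in the post (packets sourced from $ipv4_isp2 leaving on $ISP1) is the expected outcome of the rules as written: the kernel's routing table decides the outgoing interface before PF's outbound rules run, and with only a default route via ISP1 the locally originated DNS traffic appears on $ISP1, so a "pass out on $ISP2 route-to ..." rule never matches it. The ruleset below is an added example, not part of the original post or the freebsd-pf list's replies. It reuses the poster's macros and assumes the same layout: a single default route via ISP1, services bound to the ISP2 address, and the PF behaviour that route-to evaluates the redirected packet against the outbound rules of the new interface, so an explicit pass out rule on $ISP2 is included in case the real ruleset has a default block.

```pf
ISP1 = "xl0"
ISP2 = "ed0"
LAN  = "rl0"

ipv4_isp1      = "1.1.1.1/32"       # interface IP towards ISP1 (default route)
ipv4_isp2      = "2.2.2.2/32"       # interface IP towards ISP2
ipv4_gw_isp2   = "2.2.2.1"          # ISP2's gateway
ipv4_lan_range = "172.16.0.0/16"    # local network

# NAT as in the original post. LAN clients follow the default route to ISP1;
# the ISP2 NAT rule only matters for LAN traffic explicitly route-to'd there.
nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

# Inbound to the service bound to the ISP2 address. reply-to on the stateful
# rule sends the replies back through ISP2's gateway instead of the default
# route, which is what stops ISP1's source-address filtering from eating them.
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto udp \
    from any port > 1023 to $ipv4_isp2 port 53 keep state

# Locally originated traffic sourced from the ISP2 address. The routing table
# hands it to $ISP1, so match it on $ISP1 and let route-to push it out $ISP2
# via ISP2's gateway. Not limited to port 53: every locally sourced packet
# from the ISP2 address has the same problem.
pass out quick log on $ISP1 route-to ($ISP2 $ipv4_gw_isp2) \
    from $ipv4_isp2 to any keep state

# After route-to, PF re-evaluates the packet on $ISP2 (assumption stated in
# the lead-in); allow it there in case the ruleset ends with a default block.
pass out quick on $ISP2 from $ipv4_isp2 to any keep state

# Traffic sourced from the ISP1 address leaves by the routing table as before.
pass out quick on $ISP1 from $ipv4_isp1 to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`. To confirm the fix, run `tcpdump -ni ed0 udp port 53` while the nameserver resolves something: the queries sourced from 2.2.2.2 should now appear on ed0 rather than xl0, and the replies should come back on the same interface. If the queries still show up on xl0, `pfctl -sr -vv` will show which rule they matched and whether the route-to rule ever gets evaluated.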


More information about the freebsd-pf mailing list