route-to rule.

Chris Dionissopoulos dionch at freemail.gr
Tue Jan 25 09:18:37 PST 2005


Sorry, my fault, I didn't notice your 4th interface.
Try this one:
--------------pf.conf-------------
set state-policy if-bound

#MACROS

lan = rl0
ext_if1 = rl1
ext_if2 = rl2
vpn_if = tun0

internal_net = <define your internal network, e.g. 10.1.0.0/24>
vpn_net = <define your other-side vpn>
gw1 = <define IP of gateway in $ext_if1>
gw2 = <define IP of gateway in $ext_if2>
vpn_gw = <define IP of other peer>

# pf macro names must start with a letter, so "1" and "2" are not valid names
rt1 = "(" $ext_if1 $gw1 ")"
rt2 = "(" $ext_if2 $gw2 ")"
vpn = "(" $vpn_if $vpn_gw ")"

#NAT
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#RULES
#local lan
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wan(s) and vpn
# tag inbound connections with the interface they arrived on, so the replies
# are sent back through that interface's gateway instead of the default route
pass in on  $ext_if1 tag $ext_if1 keep state
pass out on $lan reply-to $rt1 tagged $ext_if1 keep state

pass in on  $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $rt2 tagged $ext_if2 keep state

pass in on $vpn_if tag $vpn_if keep state
pass out on $lan reply-to $vpn tagged $vpn_if keep state

# balance
# last matching rule wins, so the vpn_net rule below overrides the round-robin
# rule for traffic destined to the other side of the tunnel
pass in on $lan route-to { $rt1 $rt2 } round-robin keep state
pass in on $lan route-to { $vpn } from $lan:network to $vpn_net keep state

#OUT
pass out on $ext_if1 route-to $rt1 keep state
pass out on $ext_if2 route-to $rt2 keep state
pass out on $vpn_if route-to $vpn keep state
----------------------------


Does this work?

Chris.

----- Original Message ----- 
From: "Stephane Raimbault" <segr at hotmail.com>
To: <dionch at freemail.gr>; <freebsd-pf at freebsd.org>
Sent: Tuesday, January 25, 2005 6:55 PM
Subject: Re: route-to rule.


> Okay, I gave this a try and this is what I saw.
>
> lan traffic was being load balanced over the wan interfaces
> binat traffic seemed to be working over one of the wan interfaces as 
> intended.
> however tun0 (vpn traffic) was not working from the internal_lan.
>
> I could ping across the tun0 from the pf box, but the lan couldn't get 
> across it.
>
> So I need to try to figure that part out, also lan traffic does not have 
> to be load balanced across the 2 wan interfaces, but I'm guessing I just 
> need to specify that in the balance part?  I removed the binat lines but 
> this is what I have in my pf.conf now:
>
> set state-policy if-bound
>
> lan = rl0
> ext_if1 = rl1
> ext_if2 = rl2
> gw1 = <IF1 GW IP>
> gw2 = <IF2 GW IP>
>
> # pf macro names must start with a letter, so "1" and "2" are not valid names
> rt1 = "(" $ext_if1 $gw1 ")"
> rt2 = "(" $ext_if2 $gw2 ")"
>
> internal_net="10.1.0.0/24"
>
> nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>
> #local
> pass in quick on $lan inet from $lan:network to $lan keep state
> pass out quick on $lan inet from $lan to $lan:network keep state
>
> #wans
> pass in on  $ext_if1  tag  $ext_if1 keep state
> pass out on $lan reply-to $rt1 tagged  $ext_if1 keep state
>
> pass in on  $ext_if2 tag $ext_if2 keep state
> pass out on $lan reply-to $rt2 tagged $ext_if2 keep state
>
> # balance
> pass in on $lan route-to { $rt1 $rt2 } round-robin keep state
>
> #OUT
> pass out on $ext_if1 route-to $rt1 keep state
> pass out on $ext_if2 route-to $rt2 keep state
>
>
>
> Any further suggestions?
>

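The configs traded in this thread show the three things that most often make a multi-WAN route-to ruleset fail before it ever gets to policy routing: a macro referenced but never defined (`$internal_net` in the NAT rules), macro names that pf's parser will not accept (`1` and `2` start with a digit), and a `pass out on <if> route-to (...)` rule whose gateway belongs to a different interface than the one the rule is applied on. The checker below is an added example, not code from either poster or from the pf project; `pfctl -nf` remains the authoritative syntax check, and this script only reproduces those three checks on a constructed sample modelled on the macro layout posted in the thread (with the digit macro names and the `$internal_net` reference left in so the findings show up). Gateway addresses are documentation-range placeholders.

```python
import re

# Constructed sample modelled on the macro layout in this thread; the gateway
# addresses are documentation-range placeholders, not values from the list.
SAMPLE_PF_CONF = """\
set state-policy if-bound
lan = rl0
ext_if1 = rl1
ext_if2 = rl2
gw1 = 192.0.2.1
gw2 = 198.51.100.1
1 = "(" $ext_if1 $gw1 ")"
2 = "(" $ext_if2 $gw2 ")"
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
pass in on $lan route-to { $1 $2 } round-robin keep state
pass out on $ext_if1 route-to $1 keep state
pass out on $ext_if1 route-to $2 keep state
"""

MACRO_DEF = re.compile(r'^([^\s=]+)\s*=\s*(.*)$')        # name = value
MACRO_REF = re.compile(r'\$([A-Za-z0-9_]+)')             # $name reference
MACRO_NAME_OK = re.compile(r'^[A-Za-z][A-Za-z0-9_]*$')   # pf.conf(5) naming rule
ROUTE_TO = re.compile(r'route-to\s*\(\s*(\S+)\s+\S+\s*\)')  # route-to ( if gw )
ON_IF = re.compile(r'\bon\s+(\S+)')                      # interface the rule is on


def expand(value, macros):
    """Substitute known $macro references; unknown ones are left in place."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), value)


def lint_pf_conf(text):
    """Return a list of (line_no, message) findings for macro and route-to problems.

    Checks: macro names must start with a letter; a macro must be defined before
    it is referenced (pf expands references at definition time); and a
    'pass out on X route-to (Y gw)' rule without a 'from' clause is flagged when
    X != Y, since replies and outbound traffic normally leave via the gateway of
    the interface the rule is applied on.
    """
    findings = []
    macros = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if not MACRO_NAME_OK.match(name):
                findings.append((no, f'macro name {name!r} must start with a letter'))
            for ref in MACRO_REF.findall(value):
                if ref not in macros:
                    findings.append((no, f'macro ${ref} used before it is defined'))
            # store the expanded value without quotes so later rules can be expanded
            macros[name] = expand(value, macros).replace('"', '')
            continue
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                findings.append((no, f'macro ${ref} is not defined'))
        expanded = expand(line, macros)
        # The PF FAQ's cross-interface idiom carries a 'from' clause; skip those.
        if expanded.startswith('pass out') and ' from ' not in expanded:
            on_if = ON_IF.search(expanded)
            rt = ROUTE_TO.search(expanded)
            if on_if and rt and on_if.group(1) != rt.group(1):
                findings.append((no, f'pass out on {on_if.group(1)} routes via '
                                     f'{rt.group(1)}: interface mismatch'))
    return findings


if __name__ == '__main__':
    for line_no, msg in lint_pf_conf(SAMPLE_PF_CONF):
        print(f'line {line_no}: {msg}')
```

Run against the sample it reports the two digit-named macros, the undefined `$internal_net`, and the `pass out on rl1 ... route-to ( rl2 ... )` line; the round-robin `pass in` rule is left alone because balancing inbound LAN traffic across both gateways is exactly what that rule is for.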


