pf, bridging, transparent proxy, dual gateways?

Kurt Buff kurt.buff at gmail.com
Fri May 18 15:41:46 UTC 2007


On 5/17/07, Andrew Thompson <thompsa at freebsd.org> wrote:
> On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> > All,
> >
> > Wondering if the following scenario is at all rational/feasible:
> >
> > [fw-a]-------
> >             |
> >             |
> >           [switch]---[freebsd]---[router]---[many subnets]
> >             |
> >             |
> > [fw-b]-------
> >
> > Fw-a fronts our current T1, and that ties our other two offices
> > together with IPSec, and is our main inbound mail feed.
> >
> > Fw-b is soon to be installed, and will front a new T1.
> >
> > The lines are not bonded - they come from different vendors.
> >
> > I'd like to forward all individual user traffic (HTTP/FTP/other) out
> > of the second T1, perhaps with the use of Squid/Frox, leaving our
> > intra-corporate traffic to go in/out the current T1, and also email.
>
> The easiest way is to use the route-to option in pf. When you pass the
> traffic from the internal network you mark which link it should go out.
>
> pass in quick on $int_if route-to ($fw-a_if $fw-a_ip) ... (some criteria)
> pass in quick on $int_if route-to ($fw-b_if $fw-b_ip) ... (other criteria)
>
> If you are also accepting connections in from the internet then you may
> want to look at the reply-to option.
>
>
> regards,
> Andrew

If by 'accepting connections' you mean serving data to the Internet
(web pages, ftp server, etc.) then no - we don't host anything but our
own email, which at the moment is coming in over the original line.

That does bring up an interesting point, though. If we wanted to use
the new line for backup MX, would reply-to work for that?

Thanks,

Kurt
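Added example, not from either poster: a pf.conf sketch of the policy routing Andrew describes for this exact topology (the FreeBSD box sits between the switch shared by both firewalls and the internal router). Interface names, addresses and subnets are placeholders; user web/FTP traffic is pinned to fw-b with route-to, intra-corporate and outbound mail traffic falls through to the default route (fw-a), and reply-to shows how inbound SMTP reaching a backup MX via fw-b would be answered back out the same link.

```pf
# $ext_if faces the switch where fw-a and fw-b both live, $int_if faces
# the internal router.  All names and addresses below are placeholders.
ext_if   = "em0"
int_if   = "em1"
fw_a     = "192.0.2.1"     # current T1: default gateway, IPsec to offices, mail
fw_b     = "192.0.2.2"     # new T1: individual user traffic
lan      = "10.0.0.0/8"    # everything behind [router]
offices  = "{ 10.100.0.0/16, 10.200.0.0/16 }"   # remote offices over IPsec
mailhost = "10.1.1.25"

set skip on lo0
block log all

# Intra-corporate traffic and outbound mail carry no route-to, so they
# follow the kernel routing table, whose default gateway is fw-a.
pass in quick on $int_if from $lan to $offices keep state
pass in quick on $int_if proto tcp from $mailhost to any port smtp keep state

# Individual user traffic is policy-routed out through fw-b.  The rule is
# evaluated after the two above, so office and mail traffic never matches it.
pass in quick on $int_if route-to ($ext_if $fw_b) proto tcp \
     from $lan to any port { http, https, ftp } keep state

# Anything else from the LAN uses the default route (fw-a).
pass in quick on $int_if from $lan to any keep state

# Inbound SMTP arriving through fw-b (backup MX): reply-to sends the
# replies for this state back out via fw-b instead of the default gateway.
pass in quick on $ext_if reply-to ($ext_if $fw_b) proto tcp \
     from any to $mailhost port smtp keep state

# Forwarded and locally generated traffic is allowed to leave either side.
pass out quick on $ext_if keep state
pass out quick on $int_if keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and with `pfctl -ss` afterwards to confirm that states for user connections show fw-b as the gateway.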

