two ISP connections, three nics, and a NAT

Tomas Quintero tomasq at gmail.com
Thu May 12 11:32:19 PDT 2005


On 5/12/05, Alex Zbyslaw <xfb52 at dial.pipex.com> wrote:
> Tomas Quintero wrote:
> 
> >PF is wonderful for this. I manage a router with 3 DSL Circuits and
> >have PF setup to round-robin between them. The configuration is fairly
> >simple, and I can provide my pf.conf if you'd like for some
> >clarification on how to go about doing it.
> >
> >
> I'd be interested to see how it's done.  I don't have any experience of PF (just IPFW) and seeing good, working examples always helps in understanding new stuff.  If you would forward me a copy, I'd be grateful, and it's the kind of resource it's nice to run across when searching archives, if you're prepared to post it to the list.
> 
> Best,
> 
> --Alex
> 
> 

I got two emails back for it, including Alex's, so I'll go ahead and
post the config for the list. The setup is for a Game/LAN center, so
we're pretty lenient on what goes out, which is why I haven't set up an
inclusive firewall block list. Anyways here is the config. There are
currently two of the three circuits going through it, however it would
be as simple as adding the third iface name to the ext_ifs macro to
enable it.

If there are any questions on any part of the setup, feel free to ask.

### MACROS AND TABLES ###
# interfaces
ext_ifc1="rl0"
ext_ifc2="xl0"
ext_ifs="{" $ext_ifc1 $ext_ifc2 "}"
int_if="rl2"

# single ips
ext_c1ip="(" $ext_ifc1 ")"
ext_c2ip="(" $ext_ifc2 ")"
ext_ips="{" $ext_ifc1 $ext_ifc2 "}"
ext_firstips="(" $ext_ifc1:0 $ext_ifc2:0 ")"
int_ip="(" $int_if ")"

# networks
int_net="(" $int_if:network ")"

### OPTIONS ###
# rule: about 1000 states per 1MB of ram, and we have 1GB of ram
set limit states 500000
# normal timeouts for everything, aggressive would mitigate ddos
# attacks, however could timeout valid connections too soon
set optimization normal
# silently drop all packets matching a block rule
set block-policy drop
# we don't want to do any filtering on lo0, nothing gets here except
# what we explicitly put there
#set skip will be commented until implemented
#set skip on lo0

### TRAFFIC NORMALIZATION ###
# might break games, commented out now
#scrub in all no-df random-id fragment reassemble

### QUEUEING ###

### TRANSLATION ###
# nat all outbound with all our ips
nat on $ext_ifs inet from $int_net to any -> $ext_ips round-robin sticky-address
# make any ftp stuff use our ftp proxy
rdr on $int_if inet proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

### PACKET FILTERING ###
# default policy
block in log all
pass out all modulate state

# allow internal traffic to flow freely
pass in quick on $int_if inet from $int_net to any modulate state

# allow ssh inbound
pass in quick on $ext_ifs inet proto tcp from any to $ext_ips port ssh flags S/FSRPA modulate state



-- 
-Tomas Quintero
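The macros in a pf.conf like the one above are expanded textually by pfctl: quoted strings and bare words in a definition are joined with spaces, and `$name` references are substituted before a rule is parsed. The small expander below is an added example (not part of the original post, and not pfctl itself) that reproduces that expansion on a constructed snippet in the same style, and flags any line that is neither a comment, a macro definition nor a rule keyword, which is exactly what a comment or rule wrapped by a mail client turns into.

```python
import re

# Constructed sample in the style of the posted pf.conf (not the original file).
# Line 7 is a comment continuation that lost its leading '#', as happens when
# a mail client wraps a long line; pfctl would reject the file at that point.
SAMPLE = """\
ext_ifc1="rl0"
ext_ifc2="xl0"
ext_ifs="{" $ext_ifc1 $ext_ifc2 "}"
int_if="rl2"
int_net="(" $int_if:network ")"
# normal timeouts for everything, aggressive would mitigate ddos
attacks, however could timeout valid connections too soon
set optimization normal
nat on $ext_ifs inet from $int_net to any -> $ext_ifs round-robin
"""

RULE_KEYWORDS = ("set", "scrub", "nat", "rdr", "binat", "pass", "block",
                 "altq", "queue", "table", "anchor", "load", "antispoof")
MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted string or a bare word

def expand(text, macros):
    """Substitute every $name reference, longest names first so that a
    macro whose name is a prefix of another cannot clobber it."""
    for name in sorted(macros, key=len, reverse=True):
        text = text.replace("$" + name, macros[name])
    return text

def macro_value(raw, macros):
    """Join the quoted strings and bare words of a definition with single
    spaces; $refs inside bare words (e.g. $int_if:network) are expanded."""
    parts = []
    for quoted, bare in TOKEN.findall(raw):
        parts.append(quoted if bare == "" else expand(bare, macros))
    return " ".join(parts)

def parse(conf):
    """Return (macros, expanded rule lines, problem lines). A problem line
    is one pfctl would choke on: not blank, not a comment, not a macro
    definition and not starting with a rule keyword."""
    macros, rules, problems = {}, [], []
    for lineno, line in enumerate(conf.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = MACRO_DEF.match(s)
        if m:
            macros[m.group(1)] = macro_value(m.group(2), macros)
        elif s.split()[0] in RULE_KEYWORDS:
            rules.append(expand(s, macros))
        else:
            problems.append((lineno, s))
    return macros, rules, problems
```

Running `parse(SAMPLE)` shows `$ext_ifs` becoming `{ rl0 xl0 }` in the nat rule and reports line 7 as the wrapped fragment; the same check run over a pasted config before `pfctl -nf` saves a round of syntax errors.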

