brindging ath0 with re0 working, kinda, almost

Reinhold freebsd at violetlan.net
Fri Apr 25 18:05:11 UTC 2008 

On Fri, April 25, 2008 14:57, Reinhold wrote:
> On Fri, April 25, 2008 12:30, Ivan Voras wrote:

>> I don't have any more suggestions, except the obvious: is there a
>> firewall somewhere in there, and are the routing tables ok?
>>
>>
>>
> yeah I have pf running, it needs to be on because its doing the load
> balancing on the two wan connections.
>
> Here is the netstat output for the routing table
>
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
>  default            121.212.313.414     UGS         0   162114    ng1
> 127.0.0.1          127.0.0.1          UH          0      635    lo0
> 192.168.1.0/24     link#12            UC          0        0 bridge
> 192.168.1.1        d6.f4.fc.7c.95.38  UHLW        1        2    lo0
> 192.168.1.5        0.11.9.3b.f7.f0    UHLW        1    63563 bridge    848
>  <snip>
> loads of local ips <end snip>
> 192.168.1.199      0.f.ea.66.8.7d     UHLW        1    15958 bridge    869
>  112.221.331.441     111.222.333.444       UH          0        0    ng0
> 121.212.313.414     22.333.444.555     UH          1        0    ng1
>

So, I disabled pf and then it started working but the internet stopped
working, hehe. This is not fair at all.

here is the load-balancing part of pf
# pass on unfiltered interfaces
#
pass quick on $unfiltered

#  default deny
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block             log
block return-rst  log inet proto tcp
block return-icmp log inet proto udp

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if1 inet from any to 255.255.255.255
block in quick on $ext_if2 inet from any to 255.255.255.255

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst  in quick on $ext_if1 proto tcp from any to any port {
111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port {
137, 138, 139, 1434 }
block return-rst  in quick on $ext_if2 proto tcp from any to any port {
111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port {
137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if1 inet from $unroutable to any
block in log quick on $ext_if2 inet from $unroutable to any

# block and log outgoing packets that don't have my address as source,
they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if1 inet from !(ng0) to any
block out log quick on $ext_if2 inet from !(ng1) to any

# OUT GOING ROUTING
#
# HTTS OVER WAN1
pass in quick on $int_if  route-to { ( $ext_if1 $ext_gw1 ) } proto tcp
from $lan_net  to any port = 443 keep state

# SSH OVER WAN1
pass in quick on $int_if  route-to { ( $ext_if1 $ext_gw1 ) } proto tcp
from $lan_net to any port = 4424 keep state
pass in quick on $int_if  route-to { ( $ext_if1 $ext_gw1 ) } proto tcp
from $lan_net to any port = 22 keep state

# BLA OVER WAN1 for user1
pass in quick on $int_if  route-to { ( $ext_if1 $ext_gw1 ) } proto tcp
from $lan_net to some-ip-address keep state

#
# LOAD BALANCING
#
#  pass all outgoing packets on internal interface
pass out log on $int_if from any to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) }
round-robin proto tcp from $lan_net to any keep state
#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) }
round-robin proto { udp, icmp } from $lan_net to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I need them :S like I said if pf is disabled then the internet stops working.

Regards
Reinhold

More information about the freebsd-questions mailing list