Dual-feed: PF setup troubles

Hexren me at hexren.net
Sun Aug 14 19:01:32 GMT 2005


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
 
> Hi there!

> I've got two internet connections with two different ISP's and would
> like to use one for my own use, while the other serves various
> services from various servers inside my network and directly on the
> firewall.

> Both two connections end up at one firewall. The firewall has one
> default route to ISP1, and I would like to have PF find out if the
> packet needs to travel to ISP1 or ISP2, based on the IP address
> information of the request.

> Right now, I'm trying things like this, but for some reason the don't
> work:

> [ I have taken DNS as an example here, but there are various TCP and
> UDP based services that seem to have this problem. ]

> ISP1 = "xl0"
> ISP2 = "ed0"
> LAN = "rl0"

> ipv4_isp1 = "1.1.1.1/32"      # My interface IP to ISP1
> ipv4_isp2 = "2.2.2.2/32"      # My interface IP to ISP2
> ipv4_gw_isp2 = "2.2.2.1"     # ISP2's gateway IP
> ipv4_lan_range = "172.16.0.0/16"  # My local network

> # Set up NAT for my connections
> nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
> nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2

> # Handle incoming traffic for my DNS server
> pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto udp
> from any port > 1023 to $ipv4_isp2 port 53 keep state

I am not really sure what you want to do above.

> # Handle outgoing traffic, originated locally
> pass out quick log on $ISP2 route-to ($ISP2 $ipv4_gw_isp2) proto udp
> from $ipv4_isp2 to any port 53 keep state

 # Handle outgoing traffic, originated locally
 pass in quick log on $LAN route-to ($ISP2 $ipv4_gw_isp2) proto udp
 from $ipv4_lan_range to any port 53 keep state

 You need to "route-to" incoming packets on the LAN interface; you
 routed packets that were already on the ISP2 interface to the ISP2 interface again.

> Except from my setup being somewhat unusual, could someone maybe point
> out what I am doing wrong here ?
> Thanks a bunch!

> Nils.


---------------------------------------------

This assumes that the DNS server is on a machine other than the
gateway itself. AFAIK there is no way to route traffic that comes from
the gateway machine itself using pf. Please correct me if I am wrong.

Hexren
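A worked configuration for the setup discussed in this thread, added here as an example; it is not taken from Nils's or Hexren's messages. Interface names and addresses are the ones from the original post. It assumes the DNS server is a separate LAN host at 172.16.0.53 (a made-up address), that pf evaluates the rules in order with "quick", and that the rest of the LAN should keep using the default route via ISP1. The point it illustrates is Hexren's: the option that changes the path (reply-to for inbound, route-to for outbound) has to sit on the rule that first matches the packet, before the kernel's routing table has already picked xl0.

```pf
# Added example, not the original poster's config.
ISP1 = "xl0"
ISP2 = "ed0"
LAN  = "rl0"

ipv4_isp1      = "1.1.1.1/32"        # interface IP towards ISP1
ipv4_isp2      = "2.2.2.2/32"        # interface IP towards ISP2
ipv4_gw_isp2   = "2.2.2.1"           # ISP2's gateway
ipv4_lan_range = "172.16.0.0/16"
dns_server     = "172.16.0.53"       # assumed: DNS host on the LAN, not the gateway

# Translation. NAT uses whichever uplink address the packet leaves on, and
# DNS arriving on the ISP2 address is redirected to the internal server.
# rdr is applied before the filter rules, so the filter sees $dns_server.
nat on $ISP1 from $ipv4_lan_range to any -> $ipv4_isp1
nat on $ISP2 from $ipv4_lan_range to any -> $ipv4_isp2
rdr on $ISP2 proto { tcp, udp } from any to $ipv4_isp2 port 53 -> $dns_server port 53

# Default deny; everything below is stateful.
block log all

# Inbound DNS via ISP2. reply-to on the rule that first sees the packet (on ed0)
# makes the answers for this state go back through ISP2's gateway instead of
# following the default route out xl0 with the wrong source address.
# Any source port is accepted: some resolvers query from port 53.
pass in quick log on $ISP2 reply-to ($ISP2 $ipv4_gw_isp2) proto { tcp, udp } \
    from any to $dns_server port 53 keep state

# Let the redirected queries reach the DNS server on the LAN side.
pass out quick on $LAN proto { tcp, udp } from any to $dns_server port 53 keep state

# Outbound DNS from LAN clients over ISP2. route-to belongs on the inbound rule
# on rl0, the first rule that matches; a route-to on "pass out on ed0" only sees
# packets the routing table already sent to ed0.
pass in quick log on $LAN route-to ($ISP2 $ipv4_gw_isp2) proto { tcp, udp } \
    from $ipv4_lan_range to any port 53 keep state
pass out quick on $ISP2 proto { tcp, udp } from $ipv4_isp2 to any port 53 keep state

# Everything else from the LAN follows the default route via ISP1.
pass in quick on $LAN from $ipv4_lan_range to any keep state
pass out quick on $ISP1 from $ipv4_isp1 to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, then run a query from a LAN host and a query against 2.2.2.2 from outside: `pfctl -s state` should show the port 53 states, and the logged rules can be watched with `tcpdump -n -e -ttt -i pflog0`, where the interface column tells you whether the packet went out ed0 or xl0. Queries the gateway itself originates are not covered here; as Hexren says above, they need the "pass out" path rather than an inbound rule.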


