route-to rule.

Stephane Raimbault segr at hotmail.com
Tue Jan 25 08:56:20 PST 2005


Okay, I gave this a try and this is what I saw.

LAN traffic was being load balanced over the WAN interfaces.
binat traffic seemed to be working over one of the WAN interfaces as 
intended.
However, tun0 (VPN traffic) was not working from the internal_lan.

I could ping across the tun0 from the pf box, but the lan couldn't get 
across it.

So I need to try to figure that part out. Also, LAN traffic does not have to 
be load balanced across the 2 WAN interfaces, but I'm guessing I just need 
to specify that in the balance part?  I removed the binat lines but this is 
what I have in my pf.conf now:

set state-policy if-bound

lan = rl0
ext_if1 = rl1
ext_if2 = rl2
gw1 = <IF1 GW IP>
gw2 = <IF2 GW IP>

1 = "(" $ext_if1 $gw1 ")"
2 = "(" $ext_if2 $gw2 ")"

internal_net="10.1.0.0/24"

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#local
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wans
pass in on  $ext_if1  tag  $ext_if1 keep state
pass out on $lan reply-to $1 tagged  $ext_if1 keep state

pass in on  $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $2 tagged $ext_if2 keep state

# balance
pass in on $lan route-to { $1 $2 } round-robin keep state

#OUT
pass out on $ext_if1 route-to $1 keep state
pass out on $ext_if1 route-to $2 keep state



Any further suggestions?

Thanks,
Stephane.

>From: "Chris Dionissopoulos" <dionch at freemail.gr>
>Reply-To: Chris Dionissopoulos <dionch at freemail.gr>
>To: <freebsd-pf at freebsd.org>
>Subject: Re: route-to rule.
>Date: Tue, 25 Jan 2005 01:50:38 +0200
>
>Yes. You can do binat on one or both interfaces,
>the same or different source ip address.
>Please test it and send us a feedback.
>
>Chris.
>
>----- Original Message ----- From: "Stephane Raimbault" <segr at hotmail.com>
>To: <freebsd-pf at freebsd.org>
>Cc: <dionch at freemail.gr>
>Sent: Tuesday, January 25, 2005 1:43 AM
>Subject: RE: route-to rule.
>
>
>>Hi, I also have some binats set up for some servers, however they are only 
>>on one interface... Can I simply add these binat rules to the 
>>suggested pf.conf file?
>>
>>binat on $ext_if1 from $server1_int to any -> $server1_out
>>binat on $ext_if1 from $server2_int to any -> $server2_out
>>
>>where server?_int = internal IP and server?_out = public IP?
>>
>
>
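An added example ruleset (not from either poster in this thread) showing the caveat that applies to the pf.conf above: route-to overrides the kernel routing table, so any destination that must be reached through the tunnel interface needs a quick rule that matches before the balance rule, otherwise those packets are handed to a WAN gateway. Interface names, the gateway placeholders, vpn_if and vpn_net are assumptions; the macro names wan1/wan2 replace the numeric ones because pf.conf(5) requires macro names to start with a letter.

```pf
# Added example; interface names, gateways, vpn_if and vpn_net are assumptions.
set state-policy if-bound

lan     = "rl0"
ext_if1 = "rl1"
ext_if2 = "rl2"
vpn_if  = "tun0"
gw1 = "<IF1 GW IP>"            # placeholder, as in the original post
gw2 = "<IF2 GW IP>"            # placeholder, as in the original post
internal_net = "10.1.0.0/24"
vpn_net      = "10.2.0.0/24"   # assumed remote network behind tun0

# macro names must start with a letter (pf.conf(5)); these replace "1" and "2"
wan1 = "(" $ext_if1 $gw1 ")"
wan2 = "(" $ext_if2 $gw2 ")"

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

# local traffic to and from the firewall itself
pass in  quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

# VPN-bound traffic is matched here, with "quick", before the balance rule,
# so it follows the routing table (out through tun0) instead of route-to
pass in  quick on $lan    from $lan:network to $vpn_net     keep state
pass out quick on $vpn_if from $lan:network to $vpn_net     keep state
pass in  quick on $vpn_if from $vpn_net     to $lan:network keep state

# inbound on each WAN: replies leave via the gateway the packet arrived from
pass in  on $ext_if1 tag $ext_if1 keep state
pass out on $lan reply-to $wan1 tagged $ext_if1 keep state
pass in  on $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $wan2 tagged $ext_if2 keep state

# everything else from the LAN: balance across both WAN gateways
pass in on $lan route-to { $wan1, $wan2 } round-robin keep state

# packets that the routing table sent to the other WAN interface are
# pushed back out through the gateway that matches their source address
pass out on $ext_if1 route-to $wan2 from ($ext_if2) keep state
pass out on $ext_if2 route-to $wan1 from ($ext_if1) keep state
```

Check the syntax without loading it using pfctl -nf /path/to/pf.conf, then watch the states with pfctl -ss to confirm VPN-bound sessions are bound to tun0 rather than a WAN interface.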



