route-to rule.

Stephane Raimbault segr at hotmail.com
Tue Jan 25 10:18:09 PST 2005


Well, this is odd. I gave this a try, and the tun interface wasn't able to 
pass traffic between the 2 LANs.

10.0.0.0/26 is the remote LAN, and 10.1.0.0/24 is the local LAN.

And DNS stopped working for the local LAN. I have a caching DNS server 
configured on the pf box, and even that couldn't resolve anything, despite 
still having good network connections to the 2 WANs.

Any idea what's missing?

Thanks,
sTephane.

>From: "Chris Dionissopoulos" <dionch at freemail.gr>
>Reply-To: "Chris Dionissopoulos" <dionch at freemail.gr>
>To: "Stephane Raimbault" <segr at hotmail.com>, <freebsd-pf at freebsd.org>
>Subject: Re: route-to rule.
>Date: Tue, 25 Jan 2005 19:17:13 +0200
>
>Sorry, my fault, I didn't notice your 4th interface.
>Try this one:
>--------------pf.conf-------------
>set state-policy if-bound
>
>#MACROS
>
>lan = rl0
>ext_if1 = rl1
>ext_if2 = rl2
>vpn_if = tun0
>
>internal_net = <define your local lan, used by the nat rules below>
>vpn_net = <define your other-side vpn>
>gw1 = <define IP of gateway in $ext_if1>
>gw2 = <define IP of gateway in $ext_if2>
>vpn_gw = <define IP of other peer>
>
>1 = "(" $ext_if1 $gw1 ")"
>2 = "(" $ext_if2 $gw2 ")"
>vpn = "(" $vpn_if $vpn_gw ")"
>
>#NAT
>nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>
>#RULES
>#local lan
>pass in quick on $lan inet from $lan:network to $lan keep state
>pass out quick on $lan inet from $lan to $lan:network keep state
>
>#wan(s) and vpn
>pass in on  $ext_if1  tag  $ext_if1 keep state
>pass out on $lan reply-to $1 tagged  $ext_if1 keep state
>
>pass in on  $ext_if2 tag $ext_if2 keep state
>pass out on $lan reply-to $2 tagged $ext_if2 keep state
>
>pass in on $vpn_if tag $vpn_if keep state
>pass out on $lan reply-to $vpn tagged $vpn_if keep state
>
># balance
>pass in on $lan route-to { $1 $2 } round-robin keep state
>pass in on $lan route-to { $vpn } from $lan:network to $vpn_net keep state
>
>#OUT
>pass out on $ext_if1 route-to $1 keep state
>pass out on $ext_if2 route-to $2 keep state
>pass out on $vpn_if route-to $vpn keep state
>----------------------------
>
>
>This works?
>
>Chris.
>
>----- Original Message ----- From: "Stephane Raimbault" <segr at hotmail.com>
>To: <dionch at freemail.gr>; <freebsd-pf at freebsd.org>
>Sent: Tuesday, January 25, 2005 6:55 PM
>Subject: Re: route-to rule.
>
>
>>Okay, I gave this a try and this is what I saw.
>>
>>LAN traffic was being load balanced over the WAN interfaces.
>>binat traffic seemed to be working over one of the WAN interfaces as 
>>intended.
>>However, tun0 (VPN traffic) was not working from the internal LAN.
>>
>>I could ping across the tun0 from the pf box, but the LAN couldn't get 
>>across it.
>>
>>So I need to try to figure that part out. Also, LAN traffic does not have 
>>to be load balanced across the 2 WAN interfaces, but I'm guessing I just 
>>need to specify that in the balance part? I removed the binat lines, but 
>>this is what I have in my pf.conf now:
>>
>>set state-policy if-bound
>>
>>lan = rl0
>>ext_if1 = rl1
>>ext_if2 = rl2
>>gw1 = <IF1 GW IP>
>>gw2 = <IF2 GW IP>
>>
>>1 = "(" $ext_if1 $gw1 ")"
>>2 = "(" $ext_if2 $gw2 ")"
>>
>>internal_net="10.1.0.0/24"
>>
>>nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>>nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>>
>>#local
>>pass in quick on $lan inet from $lan:network to $lan keep state
>>pass out quick on $lan inet from $lan to $lan:network keep state
>>
>>#wans
>>pass in on  $ext_if1  tag  $ext_if1 keep state
>>pass out on $lan reply-to $1 tagged  $ext_if1 keep state
>>
>>pass in on  $ext_if2 tag $ext_if2 keep state
>>pass out on $lan reply-to $2 tagged $ext_if2 keep state
>>
>># balance
>>pass in on $lan route-to { $1 $2 } round-robin keep state
>>
>>#OUT
>>pass out on $ext_if1 route-to $1 keep state
>>pass out on $ext_if2 route-to $2 keep state
>>
>>
>>
>>Any further suggestions?
>>
>
>

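As an added illustration (not part of the thread), the following Python model applies pf's rule-evaluation order (top to bottom, last matching rule wins, `quick` ends evaluation) to the three `pass in on $lan` rules of the pf.conf quoted above, with the macros expanded to assumed addresses, to show which rule supplies the route-to for LAN-to-Internet, LAN-to-VPN and LAN-to-pf-box traffic, and what happens if the VPN rule is placed before the round-robin rule. The pf box address 10.1.0.1, the gateways 192.0.2.1 and 198.51.100.1, and the peer 10.0.0.1 are constructed values, not from the page.

```python
import ipaddress

# Constructed model of the "pass in on $lan" rules from the pf.conf above, macros
# expanded. Assumed values (not from the thread): the pf box's rl0 address is
# 10.1.0.1, $1 = (rl1 192.0.2.1), $2 = (rl2 198.51.100.1), $vpn = (tun0 10.0.0.1).
LAN_IN_RULES = [
    # pass in quick on $lan from $lan:network to $lan   (traffic for the pf box itself)
    {"quick": True, "src": "10.1.0.0/24", "dst": "10.1.0.1/32", "route_to": None},
    # pass in on $lan route-to { $1 $2 } round-robin    (the "# balance" rule)
    {"quick": False, "src": "any", "dst": "any",
     "route_to": [("rl1", "192.0.2.1"), ("rl2", "198.51.100.1")]},
    # pass in on $lan route-to { $vpn } from $lan:network to $vpn_net
    {"quick": False, "src": "10.1.0.0/24", "dst": "10.0.0.0/26",
     "route_to": [("tun0", "10.0.0.1")]},
]

def _addr_in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def winning_rule(rules, src, dst):
    """pf evaluates top to bottom and the LAST matching rule wins, except that a
    matching rule carrying 'quick' ends evaluation immediately."""
    winner = None
    for rule in rules:
        if _addr_in(src, rule["src"]) and _addr_in(dst, rule["dst"]):
            winner = rule
            if rule["quick"]:
                break
    return winner

def next_hop(rules, src, dst):
    """(iface, gateway) that route-to would use, or None for normal routing.
    Round-robin state is kept per rule, as pf does."""
    rule = winning_rule(rules, src, dst)
    if rule is None or not rule["route_to"]:
        return None
    pool = rule["route_to"]
    idx = rule.get("_rr", 0)
    rule["_rr"] = idx + 1
    return pool[idx % len(pool)]

def next_hop_with_order(order, src, dst):
    """Re-evaluate with the rules reordered (indices into LAN_IN_RULES), fresh state."""
    return next_hop([dict(LAN_IN_RULES[i], _rr=0) for i in order], src, dst)
```

With the thread's order, VPN-bound traffic ends on the tun0 rule because it is the last match; moving the VPN rule above the balance rule makes the balance rule the last match, so VPN-bound packets would be handed to a WAN gateway instead.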


