load balancing and bridging ath0 with re0

Reinhold freebsd at violetlan.net
Mon Apr 28 08:32:06 UTC 2008


Hi

I'm having a bit of a problem getting my wlan to access the lan. I have
created a bridge and it's working, in that both wlan and lan can access the
internet perfectly well, but they can't see each other. When I disable pf
they can access each other. The problem is that I'm doing
load balancing, so when I disable pf my internet stops working.

Here is my ifconfig
rl0 -> wan1
rl1 -> wan2
re0 -> lan
ath0 -> wlan

ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:0b:6b:0b:62:c8
        media: IEEE 802.11 Wireless Ethernet autoselect <hostap> (autoselect <hostap>)
        status: associated
        ssid something channel 2 (2417 MHz 11g) bssid 00:0b:6b:0b:62:c8
        authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
        txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
        roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:04:a7:09:81:80
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:04:a7:09:81:7f
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:04:a7:05:88:c0
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 92:52:90:af:3f:07
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1485
        inet 111.222.333.444 --> 112.221.331.441 netmask 0xffffffff
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1485
        inet 22.333.444.555 --> 121.212.313.414 netmask 0xffffffff


and here are my pf rules
# pass on unfiltered interfaces
#
pass quick on $unfiltered

# default deny
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block             log
block return-rst  log inet proto tcp
block return-icmp log inet proto udp

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if1 inet from any to 255.255.255.255
block in quick on $ext_if2 inet from any to 255.255.255.255

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst  in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
block return-rst  in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if1 inet from $unroutable to any
block in log quick on $ext_if2 inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if1 inet from !(ng0) to any
block out log quick on $ext_if2 inet from !(ng1) to any

# OUTGOING ROUTING
#
# HTTPS OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 443 keep state

# SSH OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 4424 keep state
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22 keep state

# BLA OVER WAN1 for user1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to some-ip-address keep state

#
# LOAD BALANCING
#
# pass all outgoing packets on internal interface
pass out log on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I also can't see why or where it's blocking with tcpdump.

Any help will be appreciated.

Regards
Reinhold
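Two things in the posted ruleset produce exactly this symptom, and the fix for both is shown below as an added example. It is not Reinhold's configuration; it assumes that $int_if is bridge0 (the interface holding 192.168.1.1) and that $lan_net is 192.168.1.0/24, neither of which the post spells out. First, the route-to rules are written "from $lan_net to any", and a 192.168.1.x to 192.168.1.y packet crossing the bridge matches "any" as well, so pf hands it to a WAN gateway instead of letting the bridge deliver it. Second, with FreeBSD's default net.link.bridge.pfil_member=1 every frame crossing the bridge is also run through pf as traffic on re0 and ath0, where none of the rules (all written on $int_if) match and the default "block log" drops it.

```pf
# Added example, not from the original post.  Assumed macros: int_if is the
# bridge interface that carries 192.168.1.1, lan_net is its /24.
int_if  = "bridge0"
lan_net = "192.168.1.0/24"

pass quick on $unfiltered

# Pass bridged LAN<->WLAN traffic outright.  This rule is stateless, so it
# must sit above the "block ... flags /S" rules (non-SYN segments of a
# LAN<->WLAN connection have to be passed here, not by a state entry), and
# above every route-to rule, whose "to any" would otherwise capture
# 192.168.1.x -> 192.168.1.y and forward it to $ext_gw1/$ext_gw2 instead
# of across the bridge.
pass quick on $int_if from $lan_net to $lan_net

# ... the block rules from the posted ruleset go here, unchanged ...

# Traffic for the gateway itself, as in the posted ruleset.
pass in quick on $int_if from $lan_net to $int_if

# Only now the policy-routed and load-balanced rules.  Their "to any" can no
# longer see local traffic, because the quick rule above already passed it.
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to any port = 443 keep state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
```

Pair the fragment with net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1 in /etc/sysctl.conf (see if_bridge(4)) so each bridged frame is filtered once, on bridge0, rather than again on re0 and ath0 where no rule passes it. Because the default block rules carry "log", the drops never show up on the bridge members but do show up on pflog0: "tcpdump -n -e -ttt -i pflog0" prints the blocking rule number and the interface the packet was blocked on for every dropped packet, which is the quickest way to see which of the two causes applies before changing anything.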


