Hi all,

I have a very basic pf NAT setup for testing on my new firewall. The
firewall has two PPPoE connections which are using multipath default
routes to load balance. Load balancing works for non-NAT traffic, but
NAT traffic is only going out via one link, not both.

I am wondering what the behaviour of interface groups is. How are they
load-balanced/selected?

I have looked into outgoing load-balancing in the pf FAQ, but I'm not
sure this applies when you're using multipath default routes?


I have configured both PPPoE interfaces as a group called 'wan'. My
NAT rule uses this interface group name:

-bash-3.2# cat /etc/pf.conf
scrub out on wan max-mss 1440
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on wan from vlan1010:network to any -> $some_external_nat_ip
rdr pass on vlan1010 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

-bash-3.2# ifconfig wan
pppoe1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: fxp1 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:49:11
        sppp: phase network authproto chap authname "xxx.1"
        groups: pppoe wan egress
        inet6 fe80::2e0:18ff:feca:bf15%pppoe1 ->  prefixlen 64 scopeid 0x15
        inet 217.169.2.61 --> 81.187.81.72 netmask 0xffffffff
pppoe2: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: fxp2 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:49:11
        sppp: phase network authproto chap authname "xxx.2"
        groups: pppoe wan egress
        inet6 fe80::2e0:18ff:feca:bf15%pppoe2 ->  prefixlen 64 scopeid 0x16
        inet 90.155.88.39 --> 81.187.81.72 netmask 0xffffffff

(both links are with the same ISP, with same endpoint IP)

-bash-3.2# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            0.0.0.1            UGS         1   786060      -   pppoe1
default            0.0.0.3            UGS         0   190688      -   pppoe2

-bash-3.2# cat /etc/hostname.pppoe1
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp1 authproto chap
authname 'xxx.1' authkey 'xxx' group wan up
!route add default -mpath -ifp pppoe1 0.0.0.1
-bash-3.2# cat /etc/hostname.pppoe2
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp2 authproto chap
authname 'xxx.2' authkey 'xxx' group wan up
!route add default -mpath -ifp pppoe2 0.0.0.3

(The second is 0.0.0.3 because the endpoint IP is the same for both
links; this caused a problem when using 0.0.0.1 for both, e.g. both
routes weren't added. It is working fine for non-NAT traffic.)



Thanks!
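
As an added illustration (not part of the original post and not the
poster's configuration): the outgoing load-balancing setup from the pf
FAQ, adapted to the interface names in the post. With route-to, pf
itself picks the egress link when a state is created, instead of leaving
the choice to the kernel's multipath default routes, so LAN traffic is
spread per connection regardless of how the routing table selects among
the two defaults; the multipath routes still serve traffic the firewall
originates itself. Assumed here: the pre-4.7 pf syntax the post uses,
that each link NATs to its own address rather than to a single
$some_external_nat_ip, and that 81.187.81.72 (the peer of both
point-to-point links) is acceptable as the route-to next hop.

```pf
# Added example, not the poster's pf.conf. Assumes OpenBSD pf with the
# pre-4.7 "nat on" syntax and the two PPPoE links shown in the post.
wan1    = "pppoe1"
wan2    = "pppoe2"
wan_gw  = "81.187.81.72"   # peer of both p2p links; used as next hop
lan_if  = "vlan1010"
lan_net = "vlan1010:network"

scrub out on wan max-mss 1440

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# One NAT rule per link, translating to that link's own (dynamic)
# address, so replies return over the link the packet left on.
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)

rdr pass on $lan_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# pf, not the routing table, chooses the egress link: new LAN
# connections alternate between the two links (round-robin) and the
# chosen link is stored in the state, so all packets of one connection
# leave on the same link.
pass in on $lan_if route-to \
    { ($wan1 $wan_gw), ($wan2 $wan_gw) } round-robin \
    from $lan_net to any keep state

# Packets carrying one link's address that the kernel routed out the
# other link (e.g. replies to connections that arrived on that link)
# are steered back to the matching link.
pass out on $wan1 route-to ($wan2 $wan_gw) from ($wan2) to any
pass out on $wan2 route-to ($wan1 $wan_gw) from ($wan1) to any
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it; once
loaded, the per-interface counters from `pfctl -vsI` (or `netstat -ib`)
show whether NAT'd connections are actually being carried by both
pppoe1 and pppoe2.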
