gwes ohxer: What is the recommended pf.conf for getting symmetric routing of incoming and outgoing connections on a dual-homed gateway, with internal hosts that have static IPs on both WANs? I'm assuming "route-to" and "reply-to" are the right tools for this. I've looked at the FAQ and googled for dual- and multi-homed machines, but haven't found a clear answer yet. I know there is a multihoming section in the FAQ, but it only covers pools of NATed machines, and the last couple of lines of that example are not obvious to me.
Hi, I use policy-based routing with PF. I have one internal interface and three external interfaces; two of the external ones have their own gateway and one does not. Here is my pf.conf. It has no comments, but if you read it carefully everything you need is there. Have a nice day with PF =) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $ # # See pf.conf(5) for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. ext_if_a = "xl0" ext_gw_a = "195.26.xxx.xxx" ext_if_b = "fxp1" ext_gw_b = "188.230.xxx.xxx" ext_if_c = "fxp2" ext_gw_c = "172.20.252.33" int_if = "fxp0" table <firewall> const { self } table <khaer> { 192.168.16.0/24 } table <admin> { 192.168.16.1, 192.168.16.4, 192.168.16.6, 192.168.16.100 } table <www> { 192.168.16.2 } table <1c> { 192.168.16.3 } table <zvit> { 192.168.16.4 } table <mail> { 192.168.16.5 } table <ad> { 192.168.16.7 } table <fourblock> { 192.168.16.188 } table <milestone> { 192.168.16.200 } #table <officeserv> { } table <dns> { 194.44.xxx.xxx, 217.12.xxx.xxx } table <kl-bank> { 192.168.16.184, 192.168.16.185, 192.168.16.201, \ 192.168.16.207, 192.168.16.210, 192.168.16.218, \ 192.168.16.221, 192.168.16.241 } table <ipsec> { 192.168.15.0/24 } table <private> { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \ 127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \ 172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \ 192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 } table <bruteforce> persist table <advertisement> file "/etc/advertisement" set skip on { lo0, enc0 } set loginterface $ext_if_b set timeout { frag 20, tcp.established 3600 } set block-policy drop antispoof quick for { fxp1, fxp2, xl0 } match in all scrub (no-df) #anchor "ftp-proxy/*" #queuening #altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a } #queue q_std_a bandwidth 10% priority 1 cbq (default) #queue q_mail_a bandwidth 70% priority 5 cbq (borrow) 
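# --- queueing (disabled) -----------------------------------------------------
#queue q_www_a bandwidth 20% priority 3 cbq (borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank, q_www_b }
#queue q_std_b bandwidth 5% priority 1 cbq(default)
#queue q_admin bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b bandwidth 40% priority 2 cbq(borrow)

# --- NAT ---------------------------------------------------------------------
# Outbound traffic is source-NATed to the address of whichever WAN it leaves
# on; which WAN that is gets decided by the route-to rules further down.
# On $ext_if_a only TCP is NATed, which matches the TCP-only <mail> route-to
# rule below; anything else forced out $ext_if_a would keep its private source.
match out on $ext_if_a inet proto tcp from <khaer> to !<khaer> nat-to $ext_if_a
match out on $ext_if_b inet from <khaer> to !<khaer> nat-to $ext_if_b
match out on $ext_if_b inet from <ipsec> to !<ipsec> nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from <admin> to any nat-to $ext_if_c

# --- port forwards -----------------------------------------------------------
# rdr-to rewrites the destination BEFORE the filter rules are evaluated, so
# the pass rules below must match the internal address and the translated
# port (e.g. "port rdp", not 666).  Each forward is tagged with the WAN it
# arrived on so the reply can be forced back out the same WAN (reply-to).
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp, smtps, 444, 51111 } tag MAIL_A rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag EXT_B rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag EXT_B rdr-to <zvit> port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 11111 tag EXT_B rdr-to <milestone> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to 127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001, 6002 } tag EXT_B rdr-to 192.168.16.100

# --- blocks ------------------------------------------------------------------
# <bruteforce> is consulted only here; drop offenders on both public WANs,
# not just $ext_if_a.  Nothing fills the table automatically while the
# overload option further down stays commented out.
block in quick on { $ext_if_a, $ext_if_b } from <bruteforce>
block in quick on $int_if from any to <advertisement>
# New TCP connections must open with a bare SYN.  State lookup happens before
# the rules, so established flows are unaffected; pass rules already default
# to "flags S/SA", so these two only give an early, unlogged drop.
block quick proto tcp flags /S
block quick proto tcp flags A/A
# Bogon filter.  NOTE(review): <private> still lists 14.0.0.0/8, 128.0.0.0/16
# and 191.255.0.0/16, which have since been allocated; a stale bogon list
# silently drops legitimate peers - trim it or load it from a maintained file.
# $ext_if_c is deliberately left out: its upstream (172.20.252.33) is RFC 1918.
block in quick on { $ext_if_a, $ext_if_b } from <private> to any
block out quick on { $ext_if_a, $ext_if_b } from any to <private>
block log all

# --- inbound to the firewall itself -----------------------------------------
# reply-to pins the return path of every inbound connection to the WAN it
# came in on, independent of the default route; this is the "symmetric
# routing" half for connections initiated from outside.
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522 reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_a inet proto udp from any to $ext_if_a port domain reply-to ($ext_if_a $ext_gw_a)
# NOTE(review): ">49151" opens every high port on the firewall to the Internet,
# presumably for passive FTP; narrow it to the range ftpd is configured to use.
# The state options below are kept for reference; they fit the 5522 rules
# better than this one, once the limits are known not to hit legitimate users:
#   (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush)
pass in on $ext_if_b inet proto tcp from any to $ext_if_b port { ftp, smtp, 5522, >49151 } reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from 212.58.160.36 to $ext_if_b port https reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to $ext_if_b port www synproxy state reply-to ($ext_if_b $ext_gw_b)

# --- LAN -> firewall services ------------------------------------------------
pass in quick on $int_if inet proto udp from <khaer> to <firewall> port bootps
pass in quick on $int_if inet proto { udp, tcp } from { <khaer>, <ipsec> } to $int_if port domain
#pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128
pass in quick on $int_if inet proto tcp from { <khaer>, <ipsec> } to $int_if port { ftp, smtp, www, pop3, 3128, 5522, >49151 }

# --- LAN -> Internet: choose the WAN per source host -------------------------
# route-to on the "pass in" rule bypasses the routing table and is the other
# half of symmetric routing: a host is pinned to one WAN, and the nat-to rule
# for that WAN gives the flow that WAN's source address.
# NOTE(review): the <admin> "to any" rule below also catches admin traffic for
# the IPsec site (192.168.15.0/24) and would push it out WAN B instead of back
# through $int_if (compare the "pass out on $int_if ... 192.168.15.0/24" rule
# further down), so let the routing table handle that destination.  Confirm
# the IPsec network really is reached through a gateway on the LAN.
pass in quick on $int_if from <admin> to <ipsec>
pass in on $int_if inet proto tcp from <mail> to any port { www, smtp, https, smtps } route-to ($ext_if_a $ext_gw_a)
pass in on $int_if inet proto { tcp, udp } from <kl-bank> to any port !=25 route-to ($ext_if_b $ext_gw_b)
pass in on $int_if inet proto tcp from <fourblock> to any port !=80 route-to ($ext_if_b $ext_gw_b)
pass in on $int_if from <admin> to any route-to ($ext_if_b $ext_gw_b)
# <ipsec> hosts enter on $int_if too; this forces them out WAN B, where the
# nat-to above masquerades them.  Their traffic to <khaer> is caught as well
# and ends up dropped by the "to <private>" block - add a "to !<khaer>"
# carve-out plus an explicit pass if site-to-LAN access is actually wanted.
pass in on $int_if from <ipsec> to any route-to ($ext_if_b $ext_gw_b)
pass in on $int_if inet proto { tcp, udp } from { <1c>, <www>, <ad>, <milestone> } to any port { domain, www, https } route-to ($ext_if_b $ext_gw_b)
# $ext_if_c has no gateway: route-to with a bare interface only makes sense
# for a directly attached network, hence the fxp2:network restriction.  Being
# later than the "<admin> to any" rule, this one wins for that destination.
pass in on $int_if inet proto { tcp, udp } from <admin> to fxp2:network route-to $ext_if_c

# --- Internet -> forwarded services ------------------------------------------
# Fallbacks first and NOT quick: anything that was redirected is passed and
# answered via the WAN it arrived on.  The specific rules come after and so
# win (last match), which is what lets synproxy take effect on them; if these
# two were quick and last, they would win instead and synproxy would never
# apply to any forwarded service.
pass in reply-to ($ext_if_a $ext_gw_a) tagged MAIL_A
pass in reply-to ($ext_if_b $ext_gw_b) tagged EXT_B
# Destinations/ports here are the post-rdr (translated) ones.
pass in on $ext_if_a inet proto tcp from any to <mail> port { smtp, smtps, 444, 51111 } synproxy state reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to <mail> port 444 synproxy state reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <1c> port rdp synproxy state reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <zvit> port rdp synproxy state reply-to ($ext_if_b $ext_gw_b)
#pass in on $ext_if_b inet proto udp from any to <milestone> port 27015 reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_b inet proto tcp from any to <milestone> port { 55111, rdp } reply-to ($ext_if_b $ext_gw_b)
#pass in on $ext_if_b inet proto tcp from any to 192.168.16.100 port { 6001, 6002, 8080 } reply-to ($ext_if_b $ext_gw_b)

# --- outbound ----------------------------------------------------------------
pass out quick on $int_if inet proto udp from <firewall> to <khaer> port bootpc
# The firewall's own traffic: the WAN address it is sourced from decides the
# WAN it leaves on, again independent of the default route.
pass out inet from $ext_if_a route-to ($ext_if_a $ext_gw_a)
pass out inet from $ext_if_b route-to ($ext_if_b $ext_gw_b)
# Forwarded services, LAN side; ports are the translated ones.
pass out on $int_if inet proto tcp from any to <mail> port { smtp, smtps, 444, 51111 }
#pass out on $int_if inet proto tcp from any to <www> port ftp user proxy
pass out on $int_if inet proto tcp from any to { <1c>, <zvit>, <milestone> } port rdp
#pass out on $int_if inet proto udp from any to <milestone> port 27015
pass out on $int_if inet proto tcp from any to <milestone> port 55111
pass out on $int_if inet proto tcp from any to 192.168.16.26 port { ssh, http }
pass out on $int_if from any to 192.168.15.0/24
#pass out on $int_if inet proto tcp from any to 192.168.16.100 port { 80, 6001, 6002 }
pass out on { $ext_if_a, $ext_if_b, $ext_if_c }
pass out on $int_if inet proto icmp
pass out on $int_if inet proto tcp from $int_if to { 192.168.16.6, 192.168.16.16 } port { ssh, mysql }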