Greetings all,


I have been trying to get a client's GW box (FreeBSD-4.8-STABLE) to work as a transparent proxy with his upstream providers' caches.
But so far I'm striking out. I have tried many variations of the rdr line in ipnat.rules and my ipf.rules line to get it working. But something isn't right and I don't know what. So I'm hoping someone can point out my Captain Obvious mistake.
Quick breakdown of the GW box.. 3 interfaces:


rl0: LAN link to a switch - 10.0.1.250/24 and an alias of 10.0.3.250/24
dc0: WAN link #1 to provider A - 66.178.44.108/29
dc1: WAN link #2 to provider B - 200.99.90.211/29

WAN links are sat. feeds with high latency.
Default kernel policy is deny all.

IPF ruleset is as follows:

# ipfstat -i
pass in quick on lo0 from any to any

# I added the following 3 as a catch-all just to see if I had a problem in my ruleset by blocking something I shouldn't,
# but they are not in the actual ruleset.
pass in quick on rl0 proto tcp from any to any keep state
pass in quick on rl0 proto udp from any to any keep state
pass in quick on rl0 proto icmp from any to any keep state

pass in quick on rl0 proto tcp from any to any port = 22 keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp/udp from any to any port = domain keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
pass in quick on rl0 proto tcp from any to any port = 110 keep state
pass in quick on rl0 proto tcp from any to any port = 143 keep state
pass in quick on rl0 proto tcp from any to any port = 3128 keep state
pass in quick on rl0 proto icmp from any to any icmp-type unreach
pass in quick on rl0 proto icmp from any to any icmp-type timex
pass in quick on dc0 proto icmp from any to any icmp-type unreach
pass in quick on dc0 proto icmp from any to any icmp-type timex
pass in quick on dc1 proto icmp from any to any icmp-type unreach
pass in quick on dc1 proto icmp from any to any icmp-type timex
pass in quick on dc0 proto tcp from any to any keep state
pass in quick on dc0 proto udp from any to any keep state
pass in quick on dc0 proto icmp from any to any keep state
pass in quick on dc1 proto tcp from any to any keep state
pass in quick on dc1 proto udp from any to any keep state
pass in quick on dc1 proto icmp from any to any keep state
pass in quick on dc0 proto tcp from any to any port = 22 keep state
pass in quick on dc1 proto tcp from any to any port = 22 keep state


Ruleset for WAN links:

pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any icmp-type 3
pass out quick on dc0 proto icmp from any to any icmp-type 11

pass out quick on dc1 proto tcp from any to any keep state
pass out quick on dc1 proto udp from any to any keep state
pass out quick on dc1 proto icmp from any to any icmp-type 3
pass out quick on dc1 proto icmp from any to any icmp-type 11


IPNat rules:


map dc0 10.0.0.0/16 -> 66.178.44.108/32
#map dc1 10.0.0.0/16 -> 200.99.90.211/32
#rdr rl0 0.0.0.0/0 port 3128 -> 66.178.44.105 port 9090 tcp round-robin
#rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.217 port 9877 tcp round-robin
#rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.209 port 9877 tcp round-robin

The rdr's are commented out since they obviously don't work. I just don't know why. It may not actually be able to do what I want it to do.
He has three upstream caches: 66.178.44.105 is provider A's cache, and 200.99.90.217 and 200.99.90.209 are provider B's caches.
I simply want all this customer's web traffic aimed at rl0's IP, port 3128 (which would be the LAN link) to be redirected to these upstream caches in a round-robin fashion. I know it's something simple; it always is. The rdr's look OK to me. I've been staring at them so long anything looks like it should work though. Any ideas of what I have borked would be very much appreciated.


Chris Watson
M.M.
Bestor G. Brown #433
Wichita, KS
AIM: BSDUNIX44



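Added example (not part of the post above, and not IPFilter code): a small Python simulation of what the three commented-out rdr lines would do if enabled. It parses ipnat-style map/rdr lines, groups rdr rules that share identical match fields (interface, destination, port, protocol), and rotates through a group when every rule in it carries round-robin, which is the behaviour ipnat(5) documents for per-destination rdr rules with that keyword; that semantics is an assumption of the simulation, not something verified against FreeBSD 4.8. The rule text is a constructed copy of the poster's lines with the rdr's uncommented, and the connection samples are constructed too.

```python
"""Simulate which upstream cache a set of ipnat 'rdr ... round-robin' rules would hand a LAN
connection to.  Added example, not code from the original post.  Assumption: ipnat rotates
through rdr rules that share identical match fields and all carry 'round-robin'."""
import ipaddress
import re
from collections import OrderedDict, defaultdict
from typing import List, Optional, Tuple

# Constructed copy of the poster's ipnat rules with the three rdr lines uncommented.
IPNAT_RULES = """\
map dc0 10.0.0.0/16 -> 66.178.44.108/32
rdr rl0 0.0.0.0/0 port 3128 -> 66.178.44.105 port 9090 tcp round-robin
rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.217 port 9877 tcp round-robin
rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.209 port 9877 tcp round-robin
"""

# rdr <if> <dst>[/mask] port <port> -> <addr> port <port> <proto> [round-robin]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s*->\s*"
    r"(?P<to>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>tcp/udp|tcp|udp)"
    r"(?P<rr>\s+round-robin)?\s*$"
)


class RdrRule:
    """One parsed rdr line."""

    def __init__(self, m: "re.Match") -> None:
        self.ifname = m["ifname"]
        dst = "0.0.0.0/0" if m["dst"] == "0/0" else m["dst"]  # ipnat accepts 0/0 shorthand
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.dport = int(m["dport"])
        self.to = m["to"]
        self.tport = int(m["tport"])
        self.proto = m["proto"]
        self.round_robin = m["rr"] is not None

    def key(self) -> Tuple[str, str, int, str]:
        # Rules with identical match fields form one candidate group.
        return (self.ifname, str(self.dst), self.dport, self.proto)

    def matches(self, ifname: str, dst_ip: str, dport: int, proto: str) -> bool:
        proto_ok = self.proto == "tcp/udp" or self.proto == proto
        return (self.ifname == ifname and proto_ok and self.dport == dport
                and ipaddress.ip_address(dst_ip) in self.dst)


def parse_ipnat(text: str) -> List[RdrRule]:
    """Return the rdr rules in an ipnat.conf-style text; map rules and comments are skipped."""
    rules: List[RdrRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in ipnat.conf
        if not line or line.startswith("map "):
            continue  # map (source NAT) rules do not choose the redirect target
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed ipnat line: {raw!r}")
        rules.append(RdrRule(m))
    return rules


class RdrTable:
    """First matching group wins; a group rotates only if every rule in it is round-robin."""

    def __init__(self, rules: List[RdrRule]) -> None:
        self.groups: "OrderedDict[Tuple, List[RdrRule]]" = OrderedDict()
        for r in rules:
            self.groups.setdefault(r.key(), []).append(r)
        self._cursor = defaultdict(int)  # per-group rotation position

    def redirect(self, ifname: str, dst_ip: str, dport: int, proto: str) -> Optional[Tuple[str, int]]:
        for key, group in self.groups.items():
            if not group[0].matches(ifname, dst_ip, dport, proto):
                continue
            if len(group) > 1 and all(r.round_robin for r in group):
                rule = group[self._cursor[key] % len(group)]
                self._cursor[key] += 1
            else:
                rule = group[0]  # no rotation: the first rule in the group always wins
            return (rule.to, rule.tport)
        return None  # no rdr applies; the packet keeps its original destination


def incomplete_round_robin(rules: List[RdrRule]) -> List[Tuple]:
    """Match keys with several destinations where some rule lacks round-robin (only the first would be used)."""
    groups = RdrTable(rules).groups
    return [k for k, g in groups.items() if len(g) > 1 and not all(r.round_robin for r in g)]


def simulate(table: RdrTable, n: int) -> List[Optional[Tuple[str, int]]]:
    """n LAN connections to the gateway's rl0 address, port 3128 (constructed sample)."""
    return [table.redirect("rl0", "10.0.1.250", 3128, "tcp") for _ in range(n)]


if __name__ == "__main__":
    table = RdrTable(parse_ipnat(IPNAT_RULES))
    for i, target in enumerate(simulate(table, 6), 1):
        print(f"connection {i}: 10.0.1.250:3128 -> {target[0]}:{target[1]}")
    # A client that goes straight to a web server on port 80 is not touched by these rules.
    print("direct port 80 connection:", table.redirect("rl0", "10.0.1.250", 80, "tcp"))
```

Running it shows the three caches taken in turn, then the cycle repeating, and shows that a connection to port 80 is left alone, since the rdr lines match only destination port 3128; a browser must be pointed at the gateway's LAN address on 3128 for them to fire at all.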