Hello all,
Running an amd64 4.8-stable firewall with NAT load-balancing outgoing
connections to 2 ISPs.
My issue is that sometimes ftp works and sometimes doesn't on the load
balancing setup. If I use the uplinks individually, then ftp works
without a hitch. Other types of traffic work fine AFAICT on the load
balancing setup.
One ftp-proxy instance is run from rc.conf.local without any flags.
Followed the FAQ on multiple routes (!/sbin/route add -mpath default ...
in the corresponding hostname.if files).
Have net.inet.ip.multipath=1 in my sysctl.conf.
I've been looking into the -T option for ftp-proxy but I still need a
clue-by-four on this one.
Any help on this topic would be much appreciated.
Cheers,
paolo
*My current pf.conf trimmed down to isolate:
lan_if = "re0"
ext1_if = "sk0"
ext2_if = "sk1"
ext1_gw = "192.168.0.1"
ext2_gw = "192.168.1.1" #of course not the real IPs
set skip on lo
anchor "ftp-proxy/*"
pass in quick log on $lan_if inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# NAT
match out on $ext1_if from $lan_if:network nat-to ($ext1_if)
match out on $ext2_if from $lan_if:network nat-to ($ext2_if)
# Block rules
block log
# PASS OUT RULES
pass out log on $lan_if inet to $lan_if:network
pass out log on $ext1_if inet
pass out log on $ext2_if inet
pass out log on $ext1_if inet from $ext2_if route-to ( $ext2_if $ext2_gw )
pass out log on $ext2_if inet from $ext1_if route-to ( $ext1_if $ext1_gw )
# Antispoof
antispoof log for $lan_if inet
# LAN Redirects
pass in quick log on $lan_if inet from $lan_if:network to $lan_if
pass in log on $lan_if inet from $lan_if:network route-to { ( $ext1_if $ext1_gw ), ( $ext2_if $ext2_gw ) } round-robin
pass in log on $lan_if inet proto tcp from $lan_if:network to port https route-to ( $ext2_if $ext2_gw )
# ICMP
pass log inet proto icmp all icmp-type { echoreq, unreach }