Hello List! I just want to share my experience with OpenBSD configuring two ISPs, load balancing and incoming connections, maybe it can help.
Problem:

1. Two (2) ISP connections for Internet access from my LAN to the Internet
2. Remote access to a server in my DMZ from the Internet

Solution to Problem 1: http://www.openbsd.org/faq/faq6.html#Multipath

Install OpenBSD 5.0 and configure the network cards.

Modify /etc/sysctl.conf. Here I will show you the basic things, not all the lines... maybe you get bored!

net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.multipath=1     # 1=Enable IP multipath routing

PF: http://www.openbsd.org/faq/pf/pools.html#outgoing

Adjust /etc/pf.conf:

# Macros
#ISP A
ext_if="vr0"
#ISP B
ext_if2="vr1"
#LAN
int_if="vr2"
#DMZ
int_if2="vr3"

#ISP A IP
ext_ip="10.10.10.1"
#ISP B IP
ext_ip2="11.11.11.1"

#Gateways
Ext_gw1="10.10.10.2"
Ext_gw2="11.11.11.2"

#DMZ server
Unxs="12.12.12.1"

#TABLES
#Authorized incoming IP
table <Noc> file "/home/pf/Noc"

set skip on { lo0 }

#FTP Proxy Rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021

#NAT
match out on $ext_if2 inet from any to any nat-to $ext_ip2
match out on $ext_if inet from any to any nat-to $ext_ip

#
block in all
block out all

# Port redirection to DMZ, here as an example I will use SSH
match in on $ext_if proto tcp from <Noc> to $ext_ip port 22 rdr-to $Unxs port 22
match in on $ext_if2 proto tcp from <Noc> to $ext_ip2 port 22 rdr-to $Unxs port 22

#Outgoing traffic with load balance
pass in on $int_if from any route-to { ($ext_if $Ext_gw1), ($ext_if2 $Ext_gw2) } round-robin

# HTTPS packets
pass in on $int_if proto tcp from any to port https route-to ($ext_if $Ext_gw1) keep state

pass out on $ext_if from $ext_if2 route-to ($ext_if2 $Ext_gw2) keep state
pass out on $ext_if2 from $ext_if route-to ($ext_if $Ext_gw1) keep state

With these simple steps everything works perfectly!
Taken from the FAQ:

"It's worth noting that if an interface used by a multipath route goes down (i.e., loses carrier), the kernel will still try to forward packets using the route that points to that interface. This traffic will of course be blackholed and end up going nowhere. It's highly recommended to use ifstated(8) <http://www.openbsd.org/cgi-bin/man.cgi?query=ifstated&sektion=8> to check for unavailable interfaces and adjust the routing table accordingly."

Problem 2

I need to give access to an internal server from the Internet using the SSH protocol.

OK, here is the thing: if a connection is coming from the Internet to my ISP A IP, PF redirects the packet to the server in my DMZ:

match in on $ext_if proto tcp from <Noc> to $ext_ip port 22 rdr-to $Unxs port 22

or, if a connection is coming from the Internet to my ISP B IP, PF redirects the packet to the server in my DMZ:

match in on $ext_if2 proto tcp from <Noc> to $ext_ip2 port 22 rdr-to $Unxs port 22

Now I need the pass in and the pass out rules for these connections. My first mistake was to simply make it like:

pass in on $ext_if proto tcp from <Noc> to $Unxs port 22 keep state
pass in on $ext_if2 proto tcp from <Noc> to $Unxs port 22 keep state
pass out on $int_if2 proto tcp from <Noc> to $Unxs port 22 keep state

And as you may think, my incoming connection did not work...

The final solution was just to change the filter rules to:

#
pass in on $ext_if proto tcp from <Noc> to $Unxs port 22 reply-to ($ext_if $Ext_gw1) keep state
pass in on $ext_if2 proto tcp from <Noc> to $Unxs port 22 reply-to ($ext_if2 $Ext_gw2) keep state
pass out on $int_if2 proto tcp from <Noc> to $Unxs port 22 keep state

I hope this can help!

Thanks!

--
Cordially,
00110111 00111011
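For the ifstated(8) recommendation in the FAQ passage quoted above, here is an added /etc/ifstated.conf (an example of mine, not from the original post) that removes a dead ISP's multipath default route when its link loses carrier and puts it back when the link returns. It assumes the two default routes were installed with `route add -mpath default` using the post's gateways (10.10.10.2 on vr0, 11.11.11.2 on vr1), which the post itself does not show.

```conf
# Added example: keep the kernel multipath default routes in step with
# link state, so a carrier loss on one ISP does not blackhole half the
# outbound traffic. Interfaces and gateways are the post's macro values;
# the route(8) commands are an assumption about how the routes were added.
init-state both_up

state both_up {
	init {
		# Re-adding an existing route only produces a harmless warning.
		run "route -n add -mpath default 10.10.10.2"
		run "route -n add -mpath default 11.11.11.2"
	}
	if vr0.link.down
		set-state isp_a_down
	if vr1.link.down
		set-state isp_b_down
}

state isp_a_down {
	init {
		# Only ISP B's route is left; the gateway selects which
		# of the two multipath routes is deleted.
		run "route -n delete default 10.10.10.2"
	}
	if vr0.link.up
		set-state both_up
	if vr1.link.down
		set-state both_down
}

state isp_b_down {
	init {
		run "route -n delete default 11.11.11.2"
	}
	if vr1.link.up
		set-state both_up
	if vr0.link.down
		set-state both_down
}

state both_down {
	init {
		run "route -n delete default 10.10.10.2"
		run "route -n delete default 11.11.11.2"
		run "logger -t ifstated 'both ISP links down'"
	}
	# Re-enter through both_up: it re-adds both routes and immediately
	# drops the one whose link is still down.
	if vr0.link.up || vr1.link.up
		set-state both_up
}
```

Note that pf's route-to does not consult the routing table, so the round-robin rule in the post's pf.conf still needs the ruleset adjusted for a dead link (for example with a pfctl -f call in the same init block).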

