Here it is.
em0 - external interface (facing ISP)
em1 - internal interface, layer3, (facing switch running OSPF)
em4 - pfsync interface
pf.conf:
tcpflags = "S/SA"
# macros
ext_if = "em0"
carp_ip = "<removed>"
int_nets = "{ <removed> }"
router = "<removed>"
# reject = black hole
table <reject> file "/etc/pf/reject"
# nat/rdr
match out on em0 from $int_nets to any nat-to $carp_ip
#**********************************************************************
#**********************************************************************
# Rules start here
#**********************************************************************
#**********************************************************************
# anything goes on the loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# anything goes on em1
pass in quick on em1 all
pass out quick on em1 all
# anything goes on em4
pass in quick on em4 all
pass out quick on em4 all
#######################################################################
# All the IN rules go here.
# allow ssh/smtp/dns to router
pass in quick on $ext_if proto udp from any to $router port 53 keep state
pass in quick on $ext_if proto tcp from any to $router port {25 53} flags $tcpflags keep state
pass in quick on $ext_if proto tcp from any to $router port 22 flags $tcpflags keep state (max-src-conn-rate 5/60)
#######################################################################
# all the OUT rules go here.
# allow router out
pass out quick on $ext_if from <ip_removed> to any flags $tcpflags keep state
# allow nat interface out
pass out quick on $ext_if from $carp_ip to any flags $tcpflags keep state
# block the rest
block out log quick all
block in log quick all
On Tue, Jan 21, 2014 at 11:21 PM, mxb <[email protected]> wrote:
>
> You PF rules are needed too for this.
>
> On 22 jan 2014, at 00:51, Gabriel Kuri <[email protected]> wrote:
>
> > I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
> > box and run carp between the two for the external NATed interface (facing
> > the ISP). After I setup everything and switched pf to NAT using the address
> > on the carp interface, I'm seeing about 12Mbps - 13Mbps on the download, I
> > have a 60Mbps pipe (down). When I switch pf back to NAT using the address
> > on the physical interface, I get my full 60Mbps. Any ideas as to what I
> > could be doing wrong that would limit performance through the carp
> > interface to around 12Mbps - 13Mbps ?
> >
> > Thanks ...
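As an added example that is not code from this thread or from the pf project: a small Python auditor for the posted ruleset. It expands the pf.conf macros, parses the common pass/block/match rule shape, and reports what the ruleset actually exposes (which interfaces pass everything, which services are reachable inbound on the external interface, which match rule carries the nat-to, and whether a default deny closes the ruleset). The sample input is the ruleset from the post with its <removed> placeholders kept and the mail-wrapped rules rejoined; the parser only handles the rule forms that appear there and is not a full pf.conf grammar.

```python
"""Small pf.conf ruleset auditor (added example, not from the original post).
Expands macros, parses pass/block/match rules of the shape used in the thread,
and reports what the ruleset exposes."""
import re

# Constructed sample input: the posted ruleset, placeholders kept as <removed>,
# mail-wrapped rules rejoined onto single lines.
SAMPLE_PF_CONF = """\
tcpflags = "S/SA"
ext_if = "em0"
carp_ip = "<removed>"
int_nets = "{ <removed> }"
router = "<removed>"
table <reject> file "/etc/pf/reject"
match out on em0 from $int_nets to any nat-to $carp_ip
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on em1 all
pass out quick on em1 all
pass in quick on em4 all
pass out quick on em4 all
pass in quick on $ext_if proto udp from any to $router port 53 keep state
pass in quick on $ext_if proto tcp from any to $router port {25 53} flags $tcpflags keep state
pass in quick on $ext_if proto tcp from any to $router port 22 flags $tcpflags keep state (max-src-conn-rate 5/60)
pass out quick on $ext_if from <ip_removed> to any flags $tcpflags keep state
pass out quick on $ext_if from $carp_ip to any flags $tcpflags keep state
block out log quick all
block in log quick all
"""

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
# action [in|out] [log] [quick] [on iface] rest  (the subset used in the post)
RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)'
    r'(?:\s+(?P<dir>in|out))?'
    r'(?:\s+(?P<log>log))?'
    r'(?:\s+(?P<quick>quick))?'
    r'(?:\s+on\s+(?P<iface>\S+))?'
    r'(?:\s+(?P<rest>.*))?$'
)


def expand_macros(line, macros):
    """Replace $name with the macro's value; unknown names stay literal."""
    return re.sub(r'\$([A-Za-z_]\w*)',
                  lambda m: macros.get(m.group(1), m.group(0)), line)


def parse_ruleset(text):
    """Return (macros, rules); each rule is a dict of action/dir/quick/iface/rest."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        r = RULE_RE.match(expand_macros(line, macros))
        if not r:
            continue                           # tables/options are not audited here
        rule = r.groupdict()
        rule['rest'] = rule['rest'] or ''
        rules.append(rule)
    return macros, rules


def unrestricted_interfaces(rules):
    """Interfaces with a 'pass ... all' rule, i.e. no filtering at all."""
    return sorted({r['iface'] for r in rules
                   if r['action'] == 'pass' and r['iface'] and r['rest'] == 'all'})


def inbound_services(rules, iface):
    """(proto, port) pairs passed inbound on iface, expanding {a b} port lists."""
    found = set()
    for r in rules:
        if r['action'] != 'pass' or r['dir'] != 'in' or r['iface'] != iface:
            continue
        proto = re.search(r'\bproto\s+(\w+)', r['rest'])
        port = re.search(r'\bport\s+(\{[^}]*\}|\S+)', r['rest'])
        if not proto or not port:
            continue
        for p in port.group(1).strip('{}').split():
            found.add((proto.group(1), p))
    return found


def nat_rules(rules):
    """The 'match ... nat-to' rules, so the NAT source address in use is visible."""
    return [r['rest'] for r in rules
            if r['action'] == 'match' and 'nat-to' in r['rest']]


def has_default_deny(rules):
    """True if the ruleset ends with 'block in ... all' and 'block out ... all'."""
    tail = rules[-2:]
    return (all(r['action'] == 'block' and r['rest'] == 'all' for r in tail)
            and {r['dir'] for r in tail} == {'in', 'out'})


if __name__ == '__main__':
    macros, rules = parse_ruleset(SAMPLE_PF_CONF)
    ext = macros['ext_if']
    print('external interface:', ext)
    print('unrestricted interfaces:', unrestricted_interfaces(rules))
    print('inbound on', ext + ':', sorted(inbound_services(rules, ext)))
    print('nat rules:', nat_rules(rules))
    print('default deny present:', has_default_deny(rules))
```

Because every rule in the posted set is `quick`, order matters: the audit treats the last two `block ... all` lines as the default deny and anything listed before them as the exposure, which is the same way pf evaluates them.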