I have a SOHO firewall in production which has been connected to the net via an ADSL line. We have a new fibre connection which will replace the ADSL connection once I get the system switched over. I am having trouble with the pf configuration during the transition period.
What I would like to achieve is that connections come in on either external interface and are routed appropriately to the internal network, where I'm running a mail and web server etc. Outgoing connections should also be handled via either interface, but this is less important. Complicating the situation is that this is a remote setup and I need to modify the configuration without losing connectivity to the server in the meantime. (It's a long drive if I need to go on-site to correct any mistakes.) I've been making changes on the fly and rebooting (which restores defaults) if anything goes wrong.

I have attached my pf.conf where I have attempted to update the config to handle this situation but I can't get it working correctly. The LAN is connected on em0. The original ADSL connection is on em1 and the new fibre link is on em2. The original installation has /etc/mygate containing 172.16.8.1 (ADSL modem).

I'm not sure that I need to modify the routing to handle inbound connections on both interfaces but have attempted to do the following via the shell:

# pfctl -f /etc/pf.conf.new
# route add -mpath default 192.168.1.1
# route add -mpath default 172.16.8.1
# sysctl net.inet.ip.multipath=1

I suspect I have issues with the "egress" keyword but I'm not sure how to correctly/safely activate my configuration without losing connectivity on one or both interfaces. Generally I can reach services on the firewall machine itself but cannot access the internal network services from outside. (Changing the default route usually brings connections via the associated link down.) I don't actually *need* load-balancing or equal-cost multipath routing. I just want a configuration where I have two external interfaces which both carry traffic and packets flow over the right interface (so this looks pretty much like the same thing). Could someone please cast an eye over what I'm doing and point me in the right direction? Thanks. Much appreciated.
=========/etc/pf.conf.new===================
# macros
int_if="em0"
ext_if1="em1"
ext_if2="em2"
ext_gw1="172.16.8.1"
ext_gw2="192.168.1.1"
lan_net="192.168.7.0/24"
tcp_services="{ 22, 113 }"
udp_services="{ 161 }"
mail_services="{ 587, 993, 995 }"
web_services="{ 80, 443 }"
icmp_types="echoreq"
web_server = "192.168.7.77"
mail_server = "192.168.7.77"

# options
set block-policy return
set loginterface egress
set skip on lo

# match rules
match in all scrub (no-df random-id max-mss 1440)
#match out on egress inet from $int_if:network to any nat-to (egress:0)
match out on $ext_if1 from $int_if:network nat-to ($ext_if1)
match out on $ext_if2 from $int_if:network nat-to ($ext_if2)

# filter rules
block in log
pass out quick

# Balance two external interfaces
pass in on $int_if from $int_if:network reply-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass out on $ext_if1 from $ext_if2 reply-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 reply-to ($ext_if1 $ext_gw1)

# Allow access to services running on the firewall
pass in on egress inet proto tcp from any to (egress) port \
    $tcp_services flags S/SA keep state \
    (max-src-conn-rate 5/300)
pass in on egress inet proto udp from any to (egress) port $udp_services

# Redirect traffic to the interior servers
pass in on egress inet proto tcp from any to (egress) port \
    $web_services rdr-to $web_server synproxy state \
    (max-src-conn-rate 100/10)
pass in on egress inet proto tcp from any to (egress) port \
    $mail_services rdr-to $mail_server

# Forward SNMP on alternative port through to internal server
pass in on egress inet proto udp to (egress) port 162 \
    rdr-to $web_server port 161

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in log on $ext_if2
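The ruleset below is an added example, not the poster's configuration. It shows the pattern the post is reaching for: two external links that each carry inbound traffic to the internal servers, with no multipath routing and the kernel default route left alone. Two things do the work. Inbound rules are written per interface rather than on the "egress" group, because on OpenBSD that group contains only the interface(s) holding a default route, so with a single default route it covers the ADSL link and not the fibre link. Each inbound rule then carries reply-to, which stores in the state the gateway that replies must go back through, so a connection that arrives on em2 is answered via em2 regardless of what the routing table says; route-to does the same for the forward direction of LAN traffic. Interface names, gateways and the server address are those from the post; adsl_net, fibre_net and the service lists are assumptions. The parenthesised interface/gateway form is the one the post uses; later OpenBSD releases changed the route-to/reply-to syntax, so check pf.conf(5) for the release in use.

```pf
# Added example, not the poster's ruleset: dual-WAN pf.conf for OpenBSD
# without multipath routing. Interfaces, gateways and server address come
# from the posted configuration; adsl_net, fibre_net and the service lists
# are assumptions for illustration.
int_if  = "em0"
ext_if1 = "em1"                 # ADSL
ext_if2 = "em2"                 # fibre
ext_gw1 = "172.16.8.1"
ext_gw2 = "192.168.1.1"
lan_net = "192.168.7.0/24"
adsl_net  = "172.16.8.0/24"     # assumed modem subnet
fibre_net = "192.168.1.0/24"    # assumed ONT/router subnet
web_server  = "192.168.7.77"
mail_server = "192.168.7.77"
fw_services   = "{ 22 }"        # assumed: ssh to the firewall itself
web_services  = "{ 80, 443 }"
mail_services = "{ 587, 993, 995 }"

set block-policy return
set skip on lo

match in all scrub (no-df random-id max-mss 1440)

# Source NAT keyed on the interface the packet actually leaves on, so it
# stays correct whichever gateway route-to selected.
match out on $ext_if1 inet from $lan_net nat-to ($ext_if1)
match out on $ext_if2 inet from $lan_net nat-to ($ext_if2)

block in log
# No "quick" here: a matching "pass out quick" ends rule evaluation, so
# the more specific pass out rules at the bottom would never be reached.
pass out

# LAN traffic for the firewall itself or for the modem/ONT management
# subnets must not be pushed through a WAN gateway.
pass in quick on $int_if inet from $lan_net to { self, $adsl_net, $fibre_net }

# Everything else from the LAN leaves via the fibre link. route-to acts on
# the forward direction of the state and bypasses the kernel default route.
pass in on $int_if inet from $lan_net to any route-to ($ext_if2 $ext_gw2)

# Inbound rules are written per interface rather than on the "egress"
# group, which holds only the interface(s) carrying a default route.
# reply-to records in the state which gateway replies go back through,
# so a connection arriving on em2 is answered via em2 even while the
# ADSL modem remains the default route.
pass in on $ext_if1 inet proto tcp to ($ext_if1) port $fw_services \
    reply-to ($ext_if1 $ext_gw1) keep state (max-src-conn-rate 5/300)
pass in on $ext_if2 inet proto tcp to ($ext_if2) port $fw_services \
    reply-to ($ext_if2 $ext_gw2) keep state (max-src-conn-rate 5/300)

pass in on $ext_if1 inet proto tcp to ($ext_if1) port $web_services \
    rdr-to $web_server reply-to ($ext_if1 $ext_gw1) synproxy state
pass in on $ext_if2 inet proto tcp to ($ext_if2) port $web_services \
    rdr-to $web_server reply-to ($ext_if2 $ext_gw2) synproxy state

pass in on $ext_if1 inet proto tcp to ($ext_if1) port $mail_services \
    rdr-to $mail_server reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 inet proto tcp to ($ext_if2) port $mail_services \
    rdr-to $mail_server reply-to ($ext_if2 $ext_gw2)

pass in on $ext_if1 inet proto icmp icmp-type echoreq reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 inet proto icmp icmp-type echoreq reply-to ($ext_if2 $ext_gw2)

# Traffic originating on the firewall: if the routing table would send a
# packet sourced from one link's address out the other link, put it back
# on its own link (the form used in the OpenBSD PF FAQ).
pass out on $ext_if1 inet from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 inet from $ext_if1 route-to ($ext_if1 $ext_gw1)
```

With route-to and reply-to carrying the path decision in the state, the -mpath routes and net.inet.ip.multipath are not needed; /etc/mygate can keep the single ADSL gateway until the cutover. For a remote box, check the file first with `pfctl -nf /etc/pf.conf.new`, and before loading it start a timed rollback such as a backgrounded `sleep 300 && pfctl -f /etc/pf.conf` that is killed once the new ruleset is confirmed to work from both links. `pfctl -vsr` shows per-rule evaluation and packet counters, which makes it easy to see whether the em2 rules are matching at all, and `pfctl -ss` lists the states that were created. The example pins all LAN-originated traffic to the fibre link; if that link fails, those connections black-hole rather than falling back to ADSL, which is where the posted round-robin form (or a swap of the route-to gateway) comes in.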