I have a SOHO firewall in production which has been connected to the
net via an ADSL line. We have a new fibre connection which will replace
the ADSL connection once I get the system switched over. I am having
trouble with the pf configuration during the transition period.
What I would like to achieve is that connections come in on either
external interface and are routed appropriately to the internal network,
where I'm running a mail and web server etc. Outgoing connections should
also be handled via either interface, but this is less important.
Complicating the situation is that this is a remote setup and I need to
modify the configuration without losing connectivity to the server in
the meantime. (It's a long drive if I need to go on-site to correct any
mistakes.) I've been making changes on the fly and rebooting (which
restores defaults) if anything goes wrong.
I have attached my pf.conf where I have attempted to update the
config to handle this situation but I can't get it working correctly.
The LAN is connected on em0. The original ADSL connection is on em1 and
the new fibre link is on em2
The original installation has /etc/mygate containing 172.16.8.1 (adsl
modem)
I'm not sure that I need to modify the routing to handle inbound
connections on both interfaces but have attempted to do the following
via the shell:
# pfctl -f /etc/pf.conf.new
# route add -mpath default 192.168.1.1
# route add -mpath default 172.16.8.1
# sysctl net.inet.ip.multipath=1
I suspect I have issues with the "egress" keyword but I'm not sure how
to correctly/safely activate my configuration without losing
connectivity on one or both interfaces. Generally I can reach services
on the firewall machine itself but cannot access the internal network
services from outside. (Changing the default route usually brings
connections via the associated link, down.)
I don't actually *need* load-balancing or equal cost multipath
routing. I just want a configuration where I have two external
interfaces which both carry traffic and packets flow over the right
interface (so this looks pretty much like the same thing.)
Could someone please cast an eye over what I'm doing and point me in
the right direction. Thanks. Much appreciated.
=========/etc/pf.conf.new===================
# macros
int_if="em0"
ext_if1="em1"
ext_if2="em2"
ext_gw1="172.16.8.1"
ext_gw2="192.168.1.1"
lan_net="192.168.7.0/24"
tcp_services="{ 22, 113 }"
udp_services="{ 161 }"
mail_services="{ 587, 993, 995 }"
web_services="{ 80, 443 }"
icmp_types="echoreq"
web_server = "192.168.7.77"
mail_server = "192.168.7.77"
# options
set block-policy return
set loginterface egress
set skip on lo
# match rules
match in all scrub (no-df random-id max-mss 1440)
#match out on egress inet from $int_if:network to any nat-to (egress:0)
match out on $ext_if1 from $int_if:network nat-to ($ext_if1)
match out on $ext_if2 from $int_if:network nat-to ($ext_if2)
# filter rules
block in log
pass out quick
# Balance two external interfaces
pass in on $int_if from $int_if:network reply-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass out on $ext_if1 from $ext_if2 reply-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 reply-to ($ext_if1 $ext_gw1)
# Allow access to services running on the firewall
pass in on egress inet proto tcp from any to (egress) port \
$tcp_services flags S/SA keep state \
(max-src-conn-rate 5/300)
pass in on egress inet proto udp from any to (egress) port $udp_services
# Redirect traffic to the interior servers
pass in on egress inet proto tcp from any to (egress) port \
$web_services rdr-to $web_server synproxy state \
(max-src-conn-rate 100/10)
pass in on egress inet proto tcp from any to (egress) port \
$mail_services rdr-to $mail_server
# Forward SNMP on alternative port through to internal server
pass in on egress inet proto udp to (egress) port 162 \
rdr-to $web_server port 161
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in log on $ext_if2
