On 28/06/2016 4:38 a.m., Bobby Johnson wrote:
I've set up a few OpenBSD machines to do failover with 2 internet interfaces. I didn't use multipath; pf will pass traffic without it. I did find it necessary to specify a reply-to for each of my pass in rules for services on the 2nd interface. For example, I would need these 2 rules to pass traffic in on both interfaces; ext_if has the default route and is egress.

pass in on egress inet proto tcp from any to $server port 80
pass in on $ex2_if inet proto tcp from any to $server port 80 reply-to ( $ex2_if $ex2_gw )

I have revised my pf.conf rules and made changes along the lines suggested above.
i.e. ...reply-to ($ext_if2 $ext_gw2)
(NB: I have also replaced all instances of "egress" with $ext_if1 in preparation for switch-over.)

Incoming traffic now works, but I'm concerned this is a little clumsy: having to duplicate each pass rule and add a reply-to field to each one. Is this the best practice? If I want to use multi-path routes or switch my default route to "ext_if2", do I need to add a similar reply-to suffix for the existing egress/$ext_if1 rules?

Regarding using multiple outgoing routes: I've tried adding the following rules.

-------------------------- /etc/pf.conf ---------------------------
...
# Balance two external interfaces
pass in on $int_if from $int_if:network reply-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

pass out on $ext_if1 from $ext_if2 reply-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 reply-to ($ext_if1 $ext_gw1)
...
--------------------------------------------------------------------------

Are these necessary? They don't seem to affect outgoing packets by themselves.
I also made the following multi-path changes to my system.

# route add -mpath default 192.168.1.1
# route add -mpath default 172.16.8.1
# sysctl net.inet.ip.multipath=1

This does direct outgoing packets via both interfaces, but it looks like I now get problems with incoming packets not matching the pass in/reply-to rules and only passing on the ext_if2 interface. Sorry, this is hard to describe and is more complex than I was hoping, but could anyone who has experience with a similar setup please take a look and suggest something? Thanks.

J
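For comparison, the dual-uplink layout documented in pf.conf(5) and the OpenBSD PF FAQ, written out as an added example (this is not the poster's configuration): outbound balancing is done with route-to on the LAN-facing pass in rule, reply-to is only used on inbound service rules for the uplink without the default route, and because route-to overrides the routing table the kernel can keep a single default route. Interface names, gateway addresses and $server are assumed placeholders.

```pf
# Added example: dual-uplink pf.conf skeleton, not the poster's config.
# Assumed names: em0/em1 are the uplinks, em2 the LAN; addresses are placeholders.
# Syntax-check before loading:  pfctl -nf /etc/pf.conf
ext_if1 = "em0"
ext_gw1 = "192.168.1.1"
ext_if2 = "em1"
ext_gw2 = "172.16.8.1"
int_if  = "em2"
server  = "10.0.0.10"

set skip on lo
block log all

# NAT LAN traffic to the address of whichever uplink it actually leaves on.
# The uplink is chosen by route-to below, not by the routing table, so the
# default route (and net.inet.ip.multipath) can stay as they are.
match out on $ext_if1 from $int_if:network nat-to ($ext_if1)
match out on $ext_if2 from $int_if:network nat-to ($ext_if2)

# Outbound LAN traffic: route-to picks an uplink per new state, round-robin.
# (reply-to would not help here: it only steers the *return* packets of a
# state, which is why it appears not to affect outgoing packets.)
pass in on $int_if from $int_if:network to ! $int_if:network \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Packets that the routing table pushed onto the wrong uplink get sent to the
# gateway that matches their source address instead.
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

# Everything else leaving the uplinks (locally originated and NATed traffic).
pass out on { $ext_if1 $ext_if2 }

# Inbound service: one rule per uplink. Only the uplink without the default
# route needs reply-to, so replies leave on the interface the request came in on.
pass in on $ext_if1 inet proto tcp from any to $server port 80
pass in on $ext_if2 inet proto tcp from any to $server port 80 \
    reply-to ($ext_if2 $ext_gw2)
```

With this layout, `pfctl -ss` should show each LAN-originated state bound to one uplink; states for inbound connections on $ext_if2 carry the reply-to gateway and return through it regardless of the default route.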
