Marcus Mülbüsch wrote:

How do I configure pf in a way that traffic that comes in on one CARP interface goes out through the same CARP interface? The syntax in -current has changed from the FAQ (which assumes OpenBSD 4.6).

After some help from a friendly soul, and reducing my pf.conf to the bare minimum, it still does not work as intended. Either I have hit a bug, or I still have a wrong conf.

NICs are configured like this:

# /etc/hostname.bge0
inet 192.168.3.1 255.255.255.0 192.168.3.255

# /etc/hostname.em0 (WAN-1)
inet <wan1-ip> 255.255.255.248 <wan1-brd>
!route add -mpath default <wan1-gw>

# /etc/hostname.em1 (WAN-2)
inet <wan2-ip> 255.255.255.248 <wan2-brd>
!route add -mpath default <wan2-gw>

sysctl is configured for multipath and forwarding:

# /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.multipath=1

pf.conf looks like this:

# /etc/pf.conf

# Macros
if_wan1         = "em0"
if_wan2         = "em1"
if_wan          = "{" $if_wan1 $if_wan2 "}"
if_dmz          = "bge0"
gw_wan1         = <wan1-gw>
gw_wan2         = <wan2-gw>

# Allow ICMP
pass    in log  quick   on $if_wan inet proto icmp from any to any

# Redirect WWW traffic
pass in log quick on $if_wan inet proto tcp from any to any rdr-to <some-servers> round-robin

#  NAT for outgoing connections on each internet interface
pass    out log    on $if_wan1    from any   to any nat-to ($if_wan1)
pass    out log    on $if_wan2    from any   to any nat-to ($if_wan2)

# Route packets leaving on $if_wan1 that carry $if_wan2's address back out
# via $if_wan2 and $gw_wan2, and vice versa
pass out log quick on $if_wan1 from $if_wan2 route-to ($if_wan2 $gw_wan2)
pass out log quick on $if_wan2 from $if_wan1 route-to ($if_wan1 $gw_wan1)

At first everything seems to be fine:

Accessing the www servers from outside via the wan2 interface works as intended: the traffic goes in through the wan2 interface, gets redirected to the www servers via round robin (if one of them goes down that doesn't matter, which is the whole idea), and gets back out through wan2.

However, if I access the www servers from outside via the wan-1 IP, 50% of the time the traffic tries to go back through the wan-2 interface, and that is something I don't understand.

Same for ICMP.

Any help?

Marcus Mülbüsch
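As an added example (not from Marcus's post, and not a reply on the list), here is how the posted ruleset looks when the inbound rules carry pf's reply-to option. reply-to, documented in pf.conf(5), pins the reply packets of a state to the interface and gateway given in the rule, independently of the kernel's multipath default route; the posted route-to rules only act on packets sourced from the firewall's own WAN addresses, so replies from the redirected DMZ servers are not covered by them. The interface names and the <wan1-gw>/<wan2-gw> placeholders follow the posted configuration; the <www-servers> table with two 192.168.3.x hosts is a constructed sample, and the port 80 restriction is an assumption the post does not state. The example keeps the physical em0/em1 names from the posted configuration and does not address the CARP part of the question.

```pf
# Added example, not the ruleset from the original post.
# <wan1-gw> and <wan2-gw> are placeholders copied from the post; the
# <www-servers> table holds constructed sample DMZ addresses.
if_wan1 = "em0"
if_wan2 = "em1"
if_dmz  = "bge0"
gw_wan1 = "<wan1-gw>"
gw_wan2 = "<wan2-gw>"
table <www-servers> { 192.168.3.10 192.168.3.11 }

# Inbound on each WAN link: the state is created here, and reply-to makes
# every reply packet of that state leave through the interface and gateway
# the connection arrived on, whatever the multipath routing table says.
pass in log quick on $if_wan1 inet proto tcp to port 80 \
    rdr-to <www-servers> round-robin reply-to ($if_wan1 $gw_wan1)
pass in log quick on $if_wan2 inet proto tcp to port 80 \
    rdr-to <www-servers> round-robin reply-to ($if_wan2 $gw_wan2)

# Same treatment for ICMP, which the post reports as affected too.
pass in log quick on $if_wan1 inet proto icmp reply-to ($if_wan1 $gw_wan1)
pass in log quick on $if_wan2 inet proto icmp reply-to ($if_wan2 $gw_wan2)

# Outbound NAT on each uplink, unchanged from the post.
pass out log on $if_wan1 from any to any nat-to ($if_wan1)
pass out log on $if_wan2 from any to any nat-to ($if_wan2)

# Corrections for the firewall's own addresses, as in the FAQ: a packet
# carrying the other uplink's address is pushed back out that uplink.
pass out log quick on $if_wan1 from $if_wan2 route-to ($if_wan2 $gw_wan2)
pass out log quick on $if_wan2 from $if_wan1 route-to ($if_wan1 $gw_wan1)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` while connecting to the wan-1 address from outside: the state entry for that connection should show the wan1 interface and gateway, and `pfctl -vsr` shows per-rule packet counters, which tell you whether the reply-to rule is the one creating the states.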
