Ok. Marcin pointed me to http://openbsd.org/faq/pf/pools.html and made me aware that I meant route-to instead of rdr.

The present ruleset is:


# 1.Macros
ext_if1="em0"
ext_gw1="xxx.xxx.xxx"
ext_if2="em1"
ext_gw2="xxx.xxx.xxx"
ext_if3="em2"
ext_gw3="xxx.xxx.xxx"
lan_net="192.168.0.0/24"
int_if="em3"

# 2.Tables
# Not used at present

# 3.Options
set skip on lo

# 4. Scrub traffic
scrub all

# 5. Queueing
# Not used at present

# 6. Translation
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)

# 7. Filter rules
#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# use concrete DSL uplink for SSH traffic
# 'quick' is required here: pf's last matching rule wins, so without it
# the later round-robin tcp rule also matches port 22 and overrides this one.
pass in quick on $int_if route-to \
    ($ext_if1 $ext_gw1) \
    proto tcp from $lan_net to any port 22 flags S/SA modulate state

# use concrete DSL uplink for VoIP traffic
pass in quick on $int_if route-to \
    ($ext_if2 $ext_gw2) \
    proto tcp from $lan_net to any port 5060 flags S/SA modulate state

# port range assumed to be 10000:20000 (RTP media); the posted 10000:2000 has
# its low end above its high end and therefore cannot match any port
pass in quick on $int_if route-to \
    ($ext_if2 $ext_gw2) \
    proto udp from $lan_net to any port 10000:20000

# use concrete DSL uplink for www traffic
# 'quick' is required here for the same reason as the SSH rule: otherwise the
# later round-robin tcp rule is the last match for port 80 and wins.
pass in quick on $int_if route-to \
    ($ext_if3 $ext_gw3) \
    proto tcp from $lan_net to any port 80 flags S/SA modulate state

#  load balance outgoing tcp traffic from internal network.
#  round-robin alone may send successive connections from one client out
#  different uplinks (and so with different NAT addresses); add 'sticky-address'
#  to the pool if remote sites tie a session to the client address.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state

It seems correct:

$ pfctl -nvf pf.test > before
$ pfctl -o basic -nvf pf.test > after
$ diff before after

Can I apply queues to it?

--
Thanks,
Jordi Espasa Clofent
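
An added example, not part of the original post and not OpenBSD code: a small Python checker for the ordering pitfall in the ruleset above. pf evaluates every rule and the last matching one wins unless an earlier match carries `quick`, so a `route-to` rule without `quick` is silently overridden by a later, broader `pass` rule (here the round-robin tcp rule overrides the port 22 and port 80 rules). The input is the filter section of the posted ruleset, embedded as constructed sample text; addresses are not compared, so each finding is a candidate to confirm by hand.

```python
"""Lint a pf ruleset for non-'quick' pass rules that a later, broader rule overrides.

pf evaluates every rule and the LAST matching one wins, unless an earlier
matching rule carries 'quick'.  Addresses are not modelled here (treated as
always overlapping), so findings are candidates rather than proofs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the filter section of the ruleset posted above.
RULESET = r"""
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if
pass in on $int_if route-to \
    ($ext_if1 $ext_gw1) \
    proto tcp from $lan_net to any port 22 flags S/SA modulate state
pass in quick on $int_if route-to \
    ($ext_if2 $ext_gw2) \
    proto tcp from $lan_net to any port 5060 flags S/SA modulate state
pass in quick on $int_if route-to \
    ($ext_if2 $ext_gw2) \
    proto udp from $lan_net to any port 10000:2000
pass in on $int_if route-to \
    ($ext_if3 $ext_gw3) \
    proto tcp from $lan_net to any port 80 flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
"""


@dataclass
class Rule:
    text: str
    direction: str            # "in" or "out"
    quick: bool
    iface: Optional[str]      # None when the rule has no 'on' clause
    protos: Set[str]          # {"any"} when the rule has no 'proto' keyword
    dport: Optional[str]      # destination port spec, None = any port
    route_to: bool


def parse_rules(text: str) -> List[Rule]:
    """Join backslash continuations and extract the fields that decide matching."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules: List[Rule] = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        head = re.match(r"pass\s+(in|out)\b", line)
        if not head:
            continue
        iface = re.search(r"\bon\s+(\S+)", line)
        proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", line)
        protos = ({p.strip() for p in proto.group(1).strip("{} ").split(",")}
                  if proto else {"any"})
        dport = re.search(r"\bto\s+\S+\s+port\s+(\S+)", line)
        rules.append(Rule(
            text=re.sub(r"\s+", " ", line),
            direction=head.group(1),
            quick=bool(re.search(r"\bquick\b", line)),
            iface=iface.group(1) if iface else None,
            protos=protos,
            dport=dport.group(1) if dport else None,
            route_to="route-to" in line,
        ))
    return rules


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    if broad.direction != narrow.direction:
        return False
    if broad.iface is not None and broad.iface != narrow.iface:
        return False
    if "any" not in broad.protos and not narrow.protos <= broad.protos:
        return False
    if broad.dport is not None and broad.dport != narrow.dport:
        return False
    return True


def find_shadowed(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (shadowed, shadowing) pairs: a non-quick rule and the first later
    rule covering it, whose decision (e.g. a different route-to) wins."""
    found = []
    for i, rule in enumerate(rules):
        if rule.quick:
            continue
        for later in rules[i + 1:]:
            if covers(later, rule):
                found.append((rule, later))
                break
    return found


def shadowed_ports(text: str) -> List[Optional[str]]:
    """Destination ports of the shadowed rules, in ruleset order."""
    return [rule.dport for rule, _ in find_shadowed(parse_rules(text))]


if __name__ == "__main__":
    for shadowed, by in find_shadowed(parse_rules(RULESET)):
        print("shadowed (add 'quick'):", shadowed.text)
        print("    overridden by     :", by.text)
```

Run against the posted ruleset it reports the port 22 and port 80 route-to rules as overridden by the round-robin tcp rule; adding `quick` to them makes the report empty for those two, while the VoIP rules, which already carry `quick`, are never flagged.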
