Hi all,
I'm a longtime user of pf but this is my first post to the list.
Recently I set up a router running OpenBSD 4.4 that has two external
connections to two ISPs, one cable, one DSL, and with outbound
loadbalancing for my internal network, which works great. I have a DMZ
behind the router, with one server that I want to provide access to
through each ISP. There's another OpenBSD box in the DMZ running relayd
which handles the ssl connection to that server. IIRC, the connection
between the relayd box and the first server is bridged. Also, on the
DSL network, this server has its own external IP, but on the cable
network the IP address is shared between the router and this server. I
have two rdr rules for accessing this server, one from the DSL
connection and one from the cable.
Access to the server from the outside world through the DSL connection
works fine. My puzzle is this: if I'm accessing the server through the
cable address, in some situations it works perfectly and in others it
doesn't. I have several remote locations that I want to give access to
this server through the cable IP address, most of which have Internet
access through the same ISPs, either cable or DSL. If I try accessing
the site through one of them, it works fine through the DSL address but
not through the cable address; if I try telnetting into the port I have
listening, it just sits there, and times out eventually. However, it
seems that to the rest of the world, both work fine! With tcpdump I
can see the incoming traffic matching the rdr rule whether it works or
not, but it's as if the return traffic is being blocked if you're trying
to access it through one of the same ISPs. Actually, it works for me
from home and I have the same DSL provider, but I have a feeling the ISP
has their business & residential services on different networks or
some such. I don't know if it's my pf rules, something with my relayd or
apache config (though I suspect not since I've tried passing it through
directly rather than routing through relayd) or something at the ISP
level or what, but I thought I'd put it out there to see if anyone on
this list had any clue what could be going on. Below are some pertinent
bits from my pf.conf. I don't want to post the whole thing because it's
pretty long, but if you need more info say the word.
Many thanks for your input!
c.
# the rdr rule for the cable connection to the server; I have it on 9090
# because it seems my ISP is blocking access on 443.
rdr pass log on $ext_if2 proto tcp from any to $koha_ext2_addr port 9090 \
    -> $sslbox_dmz_addr port 8080

# rules to redirect to ssl box from DSL connection; these work just fine.
rdr pass on $ext_if1 proto tcp from any to $koha_ext_addr port 443 \
    -> $sslbox_dmz_addr port 8080
rdr pass log on $ext_if2 proto tcp from any to $koha_ext2_addr port 443 \
    -> $sslbox_dmz_addr port 8080
rdr pass on $int_if proto tcp from any to $koha_dmz_addr port 443 \
    -> $sslbox_dmz_addr port 8080
rdr pass on $int_if proto tcp from any to $koha_ext2_addr port 443 \
    -> $sslbox_dmz_addr port 8080

# load-balancing on outgoing connections from the internal network:
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $int_network to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $int_network to any keep state

# pass rules for load balancing to ensure traffic goes out the way it
# came in: (was "to any")
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
    to any keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
    to any keep state
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cindy Murdock
IT Services Director
Meadville Public Library | CCFLS
http://meadvillelibrary.org | http://ccfls.org
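The post describes seeing inbound traffic match the rdr rule in tcpdump while suspecting the return path. A quick way to confirm or rule that out on a two-ISP router is to capture on both external interfaces at once and pair each inbound SYN with the SYN-ACK that leaves: a reply that departs on the other interface (asymmetric route) or never departs at all is the symptom to look for. The script below is an added example, not from the original post or from the pf project; the interface names em0/em1, the RFC 5737 addresses and the tagged tcpdump lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of tcpdump -n output from two external interfaces.
# Each line is prefixed by hand with the interface it was captured on;
# em1 stands in for the cable side, em0 for the DSL side. Addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_CAPTURE = """\
em1 12:00:01.000001 IP 203.0.113.7.51000 > 198.51.100.20.9090: Flags [S], seq 100, win 65535, length 0
em1 12:00:01.000400 IP 198.51.100.20.9090 > 203.0.113.7.51000: Flags [S.], seq 200, ack 101, win 16384, length 0
em1 12:00:02.000001 IP 203.0.113.9.51001 > 198.51.100.20.9090: Flags [S], seq 100, win 65535, length 0
em0 12:00:02.000400 IP 198.51.100.20.9090 > 203.0.113.9.51001: Flags [S.], seq 200, ack 101, win 16384, length 0
em1 12:00:03.000001 IP 203.0.113.11.51002 > 198.51.100.20.9090: Flags [S], seq 100, win 65535, length 0
em1 12:00:06.000001 IP 203.0.113.11.51002 > 198.51.100.20.9090: Flags [S], seq 100, win 65535, length 0
"""

# Matches "<iface> <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# A flow is keyed from the client's point of view: (client, cport, server, sport).
Flow = Tuple[str, int, str, int]


@dataclass
class Finding:
    in_iface: str             # interface the SYN arrived on
    out_iface: Optional[str]  # interface the SYN-ACK left on, or None
    status: str               # "ok", "asymmetric" or "no-reply"


def audit_reply_paths(lines: List[str]) -> Dict[Flow, Finding]:
    """Pair inbound SYNs with outbound SYN-ACKs and report the reply path per flow."""
    in_iface: Dict[Flow, str] = {}
    out_iface: Dict[Flow, str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparseable line, ignore
        if m["flags"] == "S":
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            in_iface.setdefault(key, m["iface"])   # retransmits keep the first sighting
        elif m["flags"] == "S.":
            # SYN-ACK travels server -> client, so swap to the client-keyed form.
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            out_iface.setdefault(key, m["iface"])

    findings: Dict[Flow, Finding] = {}
    for key, iface in in_iface.items():
        out = out_iface.get(key)
        if out is None:
            status = "no-reply"      # SYN seen, reply never left either external interface
        elif out != iface:
            status = "asymmetric"    # reply took the other ISP; the far end will drop it
        else:
            status = "ok"
        findings[key] = Finding(iface, out, status)
    return findings


def report(findings: Dict[Flow, Finding]) -> List[str]:
    """Human-readable lines, worst problems first."""
    order = {"no-reply": 0, "asymmetric": 1, "ok": 2}
    rows = sorted(findings.items(), key=lambda kv: (order[kv[1].status], kv[0]))
    return [
        f"{f.status:10} {c}:{cp} -> {s}:{sp}  in={f.in_iface} out={f.out_iface or '-'}"
        for (c, cp, s, sp), f in rows
    ]


if __name__ == "__main__":
    for line in report(audit_reply_paths(SAMPLE_CAPTURE.splitlines())):
        print(line)
```

In practice the two captures come from running tcpdump on each external interface (with -n so nothing is resolved) and prefixing the lines with the interface name before feeding them in; a flow reported as asymmetric points at the route-to rules, while no-reply points further inside (the DMZ box, relayd, or a block rule), which is the distinction the poster is trying to make.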