Hi all,
I have an OpenBSD box with 4 NICs: 3 with ADSL connections and the last one
for the LAN.
(bge0/LAN) ---- OpenBSD box ---- (fxp0/adsl1)
                             ---- (bge1/adsl2)
                             ---- (re0/adsl3)
The actual pf.conf looks like:
##################################
# 1.Macros
# ISP_1
ext_if1="fxp0"
ext_gw1="217.126.43.2"
# ISP_2
ext_if2="bge1"
ext_gw2="192.168.10.1"
# ISP_3
ext_if3="re0"
ext_gw3="192.168.2.1"
# dept. A
workmate_a="192.168.0.121"
workmate_b="192.168.0.51"
workmate_c="192.168.0.124"
workmate_d="192.168.0.49"
dept_a = "{" $workmate_a $workmate_b $workmate_c $workmate_d "}"
#dept. B
workmate_e="192.168.0.79"
workmate_f="192.168.0.78"
dept_b = "{" $workmate_e $workmate_f "}"
# dept. C
workmate_h="192.168.0.39"
workmate_i="192.168.0.43"
workmate_j="192.168.0.48"
dept_c = "{" $workmate_h $workmate_i $workmate_j "}"
# internal gateway
lan_net="192.168.0.0/24"
int_if="bge0"
int_gw="192.168.0.1"
# another macros
cpd="{ xxx }"
callcenter="xxx"
# 2.Tables
# Not used at present
# 3.Options
set skip on lo
set optimization conservative
set limit states 50000
# 4. Scrub traffic
scrub all
# 5. Queueing
altq on $int_if cbq bandwidth 30Mb queue { zona1, zona2, zona3 }
queue zona1 bandwidth 10Mb { centraleta, cpd1, ssh1, nocpd1 }
queue centraleta bandwidth 50% priority 7 cbq(default)
queue cpd1 bandwidth 25% priority 6 cbq(borrow)
queue ssh1 bandwidth 5% priority 3 cbq
queue nocpd1 bandwidth 20% priority 0 cbq
queue zona2 bandwidth 10Mb { cpd2, ssh2, nocpd2 }
queue cpd2 bandwidth 40% priority 7 cbq
queue ssh2 bandwidth 40% priority 3 cbq(borrow)
queue nocpd2 bandwidth 20% priority 0 cbq
queue zona3 bandwidth 10Mb { cpd3, ssh3, nocpd3 }
queue cpd3 bandwidth 60% priority 7 cbq
queue ssh3 bandwidth 25% priority 3 cbq(borrow)
queue nocpd3 bandwidth 15% priority 0 cbq
# 6. Translation
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
# 7. Filter rules
# pass all outgoing packets on internal interface
pass out on $int_if to $lan_net
### dept_a
pass in quick on $int_if from $dept_a \
to $callcenter keep state \
queue centraleta
pass in quick on $int_if proto tcp from $dept_a \
to $cpd port 22 keep state \
queue ssh1
pass in quick on $int_if from $dept_a \
to $cpd keep state \
queue cpd1
pass in on $int_if from $dept_a \
to any keep state \
queue nocpd1
### dept_b
pass in quick on $int_if proto tcp from $dept_b \
to $cpd port 22 keep state \
queue ssh2
pass in quick on $int_if from $dept_b \
to $cpd keep state \
queue cpd2
pass in on $int_if from $dept_b \
to any keep state \
queue nocpd2
### dept_c
pass in quick on $int_if proto tcp from $dept_c \
to $cpd port 22 keep state \
queue ssh3
pass in quick on $int_if from $dept_c \
to $cpd keep state \
queue cpd3
pass in on $int_if from $dept_c \
to any keep state \
queue nocpd3
# general "pass out" rules for external interfaces
pass out on $ext_if1
pass out on $ext_if2
pass out on $ext_if3
# dept_a using their own ADSL to outbound
pass out on $int_if route-to \
($ext_if1 $ext_gw1) \
proto { tcp udp } from $dept_a to any keep state
# dept_b using their own ADSL to outbound
pass out on $int_if route-to \
($ext_if2 $ext_gw2) \
proto { tcp udp } from $dept_b to any keep state
# dept_c using their own ADSL to outbound
pass out on $int_if route-to \
($ext_if3 $ext_gw3) \
proto { tcp udp } from $dept_c to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2
pass out on $ext_if3 route-to ($ext_if3 $ext_gw3) from $ext_if3
As you can see, I've two goals in this business:
1) Control the bandwidth on download. It works correctly ;)
2) Use a specific ADSL depending on IP. Doesn't work.
If I check (with a simple service such as www.whatismyip.com) an HTTP
connection from dept_a, dept_b or dept_c, I see the same IP all the time.
So the clients always "go out" using the same ADSL (the first
NIC/connection, indeed).
Can anyone point out to me where the problem is?
--
I must not fear. Fear is the mind-killer. Fear is the little-death that
brings total obliteration. I will face my fear. I will permit it to pass
over me and through me. And when it has gone past I will turn the inner
eye to see its path. Where the fear has gone there will be nothing. Only
I will remain.
Bene Gesserit Litany Against Fear.
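An added example, not from the original post, of the policy-routing pattern the PF FAQ uses: route-to belongs on the "pass in" rules on $int_if, because those rules (several of them quick) are what create the state for LAN traffic, while "pass out on $int_if" only matches packets leaving towards the LAN and so never sees Internet-bound traffic. It assumes the macros and queues defined in the pf.conf above, that $cpd and $callcenter are hosts reached through the ADSL links, and that the three "pass out on $int_if route-to" rules are dropped.

```conf
# Added example, not the original poster's config: route-to placed on the
# "pass in" rules on $int_if, where the state for LAN traffic is created.
# Assumes the macros and queues defined in the pf.conf above, and that
# $cpd and $callcenter are hosts reached through the ADSL links.

# Traffic to the firewall itself or to other LAN hosts must not be
# forced out an ADSL link, so match it first without route-to.
pass in quick on $int_if from $lan_net to $int_if
pass in quick on $int_if from $lan_net to $lan_net

# dept_a -> adsl1. Every rule that can create state for dept_a carries
# route-to; the queue assignment stays as before.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from $dept_a to $callcenter keep state queue centraleta
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) proto tcp \
    from $dept_a to $cpd port 22 keep state queue ssh1
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from $dept_a to $cpd keep state queue cpd1
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from $dept_a to any keep state queue nocpd1

# dept_b -> adsl2
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto tcp \
    from $dept_b to $cpd port 22 keep state queue ssh2
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from $dept_b to $cpd keep state queue cpd2
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from $dept_b to any keep state queue nocpd2

# dept_c -> adsl3
pass in quick on $int_if route-to ($ext_if3 $ext_gw3) proto tcp \
    from $dept_c to $cpd port 22 keep state queue ssh3
pass in quick on $int_if route-to ($ext_if3 $ext_gw3) \
    from $dept_c to $cpd keep state queue cpd3
pass in quick on $int_if route-to ($ext_if3 $ext_gw3) \
    from $dept_c to any keep state queue nocpd3

# Replies and locally generated packets leave by the gateway of the
# external interface they are on (as in the original ruleset).
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2
pass out on $ext_if3 route-to ($ext_if3 $ext_gw3) from $ext_if3
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sr` to confirm the route-to rules sit before any other "pass in quick" rule on $int_if.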