1) We have a frame relay line that connects our WAN to our central office.
2) All internal IP addresses on this WAN (192.168.x.x) do not pass through the firewall. They are split off by a router before they hit our firewall.
3) We have a new full T1 line that we want to service our central office, since it has much higher bandwidth requirements than all our branch offices.
4) We want all new outgoing traffic from our central office to go over the T1 line, and everything else will stay on the frame relay.
So this is basically a very screwed up kind of load balancing.
My problem is, when I turn on our firewall rules, I can see out just fine. However, incoming packets are getting trapped somewhere. After using tcpdump to watch the interfaces, this is what I see happening:
Packet comes in on xl0 (external interface 1)
Packet gets NAT'd and forwarded to xl2 (internal interface)
The internal server responds to the packet (ping for instance) and sends the reply
Packet goes out xl2
Packet never makes it to xl0 or xl1 (the other external interface)
Admittedly, I'm a complete n00b when it comes to OpenBSD and PF. Is there a setting I'm missing somewhere, or a route I need to add? I'm completely in the dark as to what is happening and how the packets are being bounced from interface to interface. It seems like xl2 is not forwarding to xl0, and I have no idea how to make it do that.
Here's a sample pf.conf I made for testing; it is a wide-open setup, as I was just trying to make the internal servers visible to the outside world:
####################################################################
# Translation rules (old, pre-4.7 PF syntax: nat/rdr must come before filter rules)
# Assumption: the leading "rdr on" of this line was lost in the paste; a redirect
# is the only translation rule that fits the "external -> internal" form here.
rdr on xl0 from any to X.X.X.X/32 -> 192.168.10.17/32

# Default deny, logged
block in log from any to any
block out log from any to any

# Wide open on both external interfaces (test setup only)
pass in quick on xl0 all
pass in quick on xl1 all

# Internal interface: allow traffic back to the LAN and to the firewall itself
pass out on xl2 from any to any keep state
pass in quick on xl2 from 192.168.0.0/16 to xl2

# New connections from the LAN are forced out xl0 via gateway Y.Y.Y.Y
pass in on xl2 route-to (xl0 Y.Y.Y.Y) from 192.168.0.0/16 to any modulate state

# General pass-out rules for the external interfaces
pass out on xl0 proto tcp from any to any flags S/SA modulate state
pass out on xl0 proto {udp,icmp} from any to any keep state
pass out on xl1 proto tcp from any to any flags S/SA modulate state
pass out on xl1 proto {udp,icmp} from any to any keep state

# Make sure packets sourced from one external address leave via that interface
pass out on xl0 route-to (xl1 Z.Z.Z.Z) from xl1 to any
pass out on xl1 route-to (xl0 Y.Y.Y.Y) from xl0 to any
####################################################################
As you can see, it is essentially based on the PF FAQ's load balancing example.
Any tips for a complete n00b?
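For comparison, here is an added example (not from the post above or from the PF FAQ verbatim) of how the same dual-WAN layout is usually written in the pre-4.7 PF syntax so that replies to an inbound connection leave through the interface the connection arrived on: reply-to on the inbound rule ties the state to that interface and gateway, and a nat rule on each external interface gives outbound packets a source address that is routable on that link. Interface names xl0/xl1/xl2 match the post; the gateway and address macros, the web server address 192.168.10.17 and port 80 are stand-ins for the poster's real values.

```pf
# --- macros (values are placeholders matching the post's X/Y/Z notation) ---
ext_if1 = "xl0"          # frame relay side
ext_gw1 = "Y.Y.Y.Y"      # gateway reached through xl0
ext_ip1 = "X.X.X.X"      # public address on xl0
ext_if2 = "xl1"          # new T1 side
ext_gw2 = "Z.Z.Z.Z"      # gateway reached through xl1
ext_ip2 = "W.W.W.W"      # public address on xl1 (placeholder)
int_if  = "xl2"
lan_net = "192.168.0.0/16"
web_srv = "192.168.10.17" # internal host published to the outside

# --- translation (must precede filter rules in pre-4.7 syntax) ---
# Outbound LAN traffic gets the address of whichever link it leaves on.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
# Publish the internal server on both public addresses (port 80 only).
rdr on $ext_if1 proto tcp from any to $ext_ip1 port 80 -> $web_srv
rdr on $ext_if2 proto tcp from any to $ext_ip2 port 80 -> $web_srv

# --- filtering ---
block log all

# LAN may talk to the firewall itself.
pass in quick on $int_if from $lan_net to $int_if

# New outbound connections from the LAN are steered out the T1 (xl1);
# the firewall's default route still governs anything that creates no state here.
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    proto { udp, icmp } from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Inbound to the published server: reply-to pins the return path of the
# state to the link the SYN came in on, instead of the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
    proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto tcp from any to $web_srv port 80 flags S/SA keep state

# General pass-out rules for both external interfaces.
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# Packets sourced from one link's address must leave on that link.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Two checks before blaming the ruleset: the kernel must actually be forwarding (net.inet.ip.forwarding=1 in /etc/sysctl.conf; with it off, tcpdump shows packets arriving on xl2 and nothing leaving any other interface), and the ruleset must load cleanly with `pfctl -nf /etc/pf.conf`. `pfctl -ss` then shows whether the server's reply is matching the inbound state (with its reply-to route) or creating a fresh state on the xl2 route-to rule, which is the difference between a reply that goes back out the right link and one that does not.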
