Hello all, I put together a router/firewall with OpenBSD 3.3 a while back and it works like a dream. Pf was surprisingly easy to learn, and I'm definitely sold. The network I manage is going to change at the end of the month, and I'm having a hard time wrapping my head around how my pf.conf should reflect this. I've spent quite a bit of time researching this, but I want to make sure this will work the first or second time around - this change will affect ~150 people, and I *really* want to have as little downtime as possible.
I'm trying to get a functional pf.conf written on the router as-is (3.3) and then upgrade to 3.5. We'll be installing an SDSL line in addition to the ADSL line we have, so the network will look like this:

    ADSL via a.a.a.a <------\
                            |
                          [tl0]
                            OpenBSD Box [vr0] --> LAN via b.b.b.b
                          [tl1]
                            |
    SDSL via c.c.c.c <------/

The "a.a.a.a" is just a generic stand-in for the IPs that have been statically assigned to each interface. I've been referring to the ADSL connection as the "top" interface and the SDSL as the "bottom" interface.

The goal is to split the traffic between these connections based on the destination port; essential traffic - DNS, web, email, IM, ssh, telnet, etc. - will be routed through the top, and everything else will be routed through the bottom. What is the best way to do this?

I know I need two NAT rules, like this:

    nat on $i_top from $i_int/24 to any -> $i_top
    nat on $i_bottom from $i_int/24 to any -> $i_bottom

But I'm not clear on how port redirection should work. Should I set the router's default route to the top or bottom external interface? Should I use route-to or reply-to? I've been trying to implement a successful test case here, but nothing seems to work. A rule like:

    pass in quick on $i_internal \
        reply-to ($if_top $if_top_gw) \
        proto tcp from any to any port 80

doesn't seem to do anything, even as the last rule in a set of passes. Will this work on 3.5, but not on 3.3?

Has anyone implemented something similar to this? I've read all of the PF manual, but the sections on splitting connections over multiple interfaces deal mostly with round-robin and the like, and don't mention scenarios like mine. Searching for tutorials, how-tos, and FAQs found plenty that really only dealt with single external interfaces.

Any help you guys could throw me would be *much* appreciated. Thanks a million!

-Coda
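For reference, here is a policy-routing pf.conf sketch in the OpenBSD 3.x-era syntax that does what the post describes: two NAT rules, one per external interface, and route-to on the *inbound* side of the internal interface to pick the uplink by destination port. This is an added example, not the poster's configuration or anything from the OpenBSD project; the interface names follow the diagram, while the gateway addresses, the LAN macro and the list of "essential" ports are assumptions. The relevant points it shows: route-to (not reply-to) is the option that steers LAN-originated traffic, since reply-to only affects replies to connections that arrived on an external interface; the route-to rules must be matched on the internal interface with keep state, and because last match wins without quick, the specific port rules have to come after the catch-all, or the catch-all has to be excluded from the ports; and the default route only matters for packets no route-to rule touches (chiefly the router's own traffic), so either uplink works as default, with the two pass out rules at the end keeping the router's own replies on the interface that owns the source address.

```pf
# Added example of port-based policy routing with pf (OpenBSD 3.x syntax).
# Not from the original post. Gateways, LAN macro and port list are assumed.
i_int     = "vr0"          # LAN side
i_top     = "tl0"          # ADSL ("top")
i_bottom  = "tl1"          # SDSL ("bottom")
gw_top    = "a.a.a.1"      # assumed ADSL next hop
gw_bottom = "c.c.c.1"      # assumed SDSL next hop
lan       = $i_int:network

# Assumed "essential" TCP ports: DNS, SSH, telnet, SMTP, HTTP, POP3,
# IMAP, HTTPS, AIM/ICQ. Adjust to taste.
top_tcp = "{ 53, 22, 23, 25, 80, 110, 143, 443, 5190 }"

# One NAT rule per uplink. pf chooses the outgoing interface (via
# route-to or the routing table) before NAT is applied, so both rules
# can coexist; the () makes the rule follow the interface address.
nat on $i_top    from $lan to any -> ($i_top)
nat on $i_bottom from $lan to any -> ($i_bottom)

block in all
pass out keep state

# Traffic for the router's own LAN address must never be route-to'd
# out an uplink; quick stops evaluation here.
pass in quick on $i_int from $lan to $i_int keep state

# Catch-all: everything else from the LAN goes out the SDSL link.
# No quick, so the more specific rules below can still override it.
pass in on $i_int route-to ($i_bottom $gw_bottom) \
    from $lan to any keep state

# Essential traffic goes out the ADSL link. Later rules win (last match),
# so these override the catch-all only for the listed ports.
pass in on $i_int route-to ($i_top $gw_top) \
    proto udp from $lan to any port 53 keep state
pass in on $i_int route-to ($i_top $gw_top) \
    proto tcp from $lan to any port $top_tcp keep state

# Router-originated traffic: if the routing table picks one uplink but
# the packet carries the other uplink's source address, push it back
# onto the interface that owns that address.
pass out on $i_top    route-to ($i_bottom $gw_bottom) from ($i_bottom) to any
pass out on $i_bottom route-to ($i_top $gw_top)       from ($i_top)    to any
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then check that a LAN host's port-80 connection creates a state whose NAT source is the ADSL address (`pfctl -ss`), while, say, a port-8080 connection shows the SDSL address. If the route-to rules never match, the usual culprit in a "set of passes" is an earlier rule with quick on the same interface, which short-circuits evaluation before the route-to rule is reached.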