problem load balancing incoming connections

Wed, 17 Nov 2004 14:52:48 -0800 

Dear all,

I am trying to debug a PF configuration which I intend to use on a 
firewall with two external connections and one internal web server, and I 
would appreciate if anyone could help.

Basically, I want all incoming connections to port 80 to be redirected to 
the internal webserver, as well as load balance outbound traffic through 
the external connections (one cable and one dsl connection). This second 
part seems to be working already.  

Here is my LAB setup: 
                                                  |
                    -----                        |
                    |   |    rl0       -------   |
             sis0   | O | -------------|cable|-- |
Webserver --------- | B |              -------   |       INTERNET
                    | S |              -------   |
                    | D | -------------|adsl |-- |
                    |   |    tun0      -------   |
                    -----                         |

I followed the Daniel Hartmeier's recommendations from a message in the 
archives (http://www.benzedrine.cx/pf/msg03214.html), and used reply-to to 
make sure that replies to incomming connections leave out from the same 
external connection they came in. Since that message is dated from 10 Sep 
2003, and my OBSD firewall is running a 3.5-STABLE version dated from 9 
Jul 2004, I am assuming the problem has nothing to do with system or PF 
version.

Both connections get IP address from their ISP, dynamically. They also get 
a default-route and resolv.conf info the same way. 

I first start the dsl connection and after that the route table shows 
like:

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            200.164.195.8      UGS         1        2   1492   tun0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          6       49  33224   lo0
192.168.1/24       link#1             UC          1        0      -   sis0
192.168.1.10       0:e0:7d:fe:cd:d3   UHLc        0       13      -   sis0
200.164.195.8      201.9.165.99       UH          1        0   1492   tun0
224/4              127.0.0.1          URS         0        0  33224   lo0

Then I start the cable connection and the route table shows like:

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            200.177.74.1       UGS         0        0      -   rl0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          2        2  33224   lo0
192.168.1/24       link#1             UC          0        0      -   sis0
200.164.195.8      201.9.164.98       UH          0        0   1492   tun0
200.177.74/24      link#3             UC          1        0      -   rl0
200.177.74.1       0:5:9a:d2:34:54    UHLc        1        0      -   rl0
200.177.74.63      127.0.0.1          UGHS        0        0  33224   lo0
224/4              127.0.0.1          URS         0        0  33224   lo0

Only then, I start PF. What happens is that all traffic coming from the
dsl connection is somehow lost. It seems to me that the firewall is trying
to send everything out through the default route, and is ignoring my
reply-to pass rules. However all traffic coming from the cable connection
(which is started last and becomes de default route) passes through ok.

As I said, any comments, suggestions, hints, pointers will be much 
appreciated.

Regards,

ebl

Here is my pf.conf:

ext_if1="rl0"
gw_if1="200.177.74.1"
gw_if2="200.164.195.8"
ext_if2="tun0"
int_if="sis0"
lan_net=$int_if:network

intweb = "192.168.1.10"

# scrub

scrub in all

# nat/rdr

nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

# internal web server

rdr on {$ext_if1,$ext_if2} proto tcp from any to any port 80 -> $intweb

# filter rules

# default deny

block in log from any to any
block out log from any to any

# pass all outgoing packets on internal interface

pass out log on $int_if from any to $lan_net

#

pass in on $int_if from $lan_net to any keep state

# pass in quick any packets destined for the gateway itself

pass in log quick on $int_if from $lan_net to $int_if

#  load balance outgoing tcp traffic from internal network.

pass in on $int_if route-to \
    { ($ext_if1 $gw_if1), ($ext_if2 $gw_if2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network

pass in on $int_if route-to \
    { ($ext_if1 $gw_if1), ($ext_if2 $gw_if2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# incoming traffic should come out from the same interface

pass in log on $ext_if1 reply-to ($ext_if1 $gw_if1) from any to any keep state
pass in log on $ext_if2 reply-to ($ext_if2 $gw_if2) from any to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $gw_if2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $gw_if1) from $ext_if1 to any

Reply via email to