Jose Mejia wrote:
> Hi all, here we go again with that matter:
> 
> We have a firewall with 4 interfaces (2 outside, going to two different
> routers and ISPs, 1 inside and 1 DMZ); the machine is running a Squid web
> proxy too. We want to do balancing on outgoing connections only for the web
> traffic. We have managed to do that, and now the packets are going out on
> ext_if and ext_if2, but they are all coming back in on ext_if, so the ones
> arising from traffic on ext_if2 are rejected. Maybe a NAT problem, or is it
> related to stateful tables..... any idea?
> 
> This is the pf.conf:
> 
> #Interfaces
> ext_if="em1"
> int_if="em0"
> ext_if2="em2"
> dmz_if="rl0"
> ext_gw="192.168.3.1"
> ext_gw2="192.168.0.1"
> loop="lo0"
> 
> #networks
> ext_net="192.168.3.0/24"
> int_net="192.168.1.0/24"
> dmz_net="192.168.2.0/24"
> 
> #some hosts
> dmz_host="192.168.2.2"     #this is the mail server and fax server (for the internal net)
> 
> private = "{127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}"
> 
> capaos= "{4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, 4500, 59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}"
> 
> #options
> set block-policy drop
> set loginterface $ext_if
> set optimization normal
> #set skip on $loop
> 
> #normalizations
> scrub in on $ext_if all
> scrub in on $ext_if2 all
> 
> #nat / rd
> #changed to these rules to make the routing work
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
> 
> 
> #squid
> rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080
> rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
> rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
> rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
> rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
> #hylafax
> rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559
> 
> #rules
> block in log all
> block in quick inet6 all
> block out quick inet6 all
> 
> #flags against port scanners
> block in log quick proto tcp all flags SF/SFRA
> block in log quick proto tcp all flags SFUP/SFRAU
> block in log quick proto tcp all flags FPU/SFRAUP
> block in log quick proto tcp all flags /SFRA
> block in log quick proto tcp all flags F/SFRA
> block in log quick proto tcp all flags U/SFRAU
> block in log quick proto tcp all flags P
> 
> #antispoof quick for {$int_if, $ext_if}
> #block return in log on $ext_if proto {udp, tcp} all
> 
> 
> #output load balancing tcp 
> 
> #I put this rule first so the second one matches the web traffic
> pass out on $ext_if from any to any modulate state
> 
> pass out log on $ext_if route-to \
>     { ($ext_if  $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
>     proto tcp from any to any port www keep state
> 
> 
> pass in on $int_if all keep state
> pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8 port 53
> 
> #NFS Memnoch (this is an NFS connection from DMZ to LAN; I know it is very
> #insecure, but it is only for now)
> pass out log on $int_if inet proto {tcp, udp} to 192.168.1.48 port 111
> pass out log on $int_if inet proto {tcp, udp} to 192.168.1.48 port 2049
> 
> pass in log on $dmz_if all keep state   #still not refined
> pass out log on $dmz_if all keep state
> 
> #ext_if2 outgoing rule
> pass out log on $ext_if2 from any to any modulate state
> 
> #route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
> ##that's referenced in the FAQ..... necessary?.... neither works..
> #pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
> #pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
> 
> 
> block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
> block return-rst in log quick on $ext_if proto tcp from any to any port \
>     {111, 1080, 6000, 6667, 139, 4662}
> 
> block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
> block return-rst in log quick on $ext_if2 proto tcp from any to any port \
>     {111, 1080, 6000, 6667, 139, 4662}
> 
> #block return-rst in log quick on $int_if proto tcp from any to any port \
> #{111,1080, 6000, 6667, 139, 4662}
> 
> 
> #port blocking
> block out log quick on $ext_if proto tcp from any to any port $capaos
> block out log quick on $ext_if2 proto tcp from any to any port $capaos
> 
> #proxy
> pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state
> 
> #ssh
> pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
> pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
> #pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state
> 
> #lo0
> pass quick on lo0 all
> 
> ----------------------------------------------------
> 
> Remember, we want to balance the outgoing web traffic generated by the Squid
> proxy on the same machine....
> 
> Thanks in advance and greetings
> 
> Jose M;
> 
> 
> 
That's because the route back is controlled on the other end, unless you set
it in the routing updates via OSPF or something like direct source routing,
which makes it return to the interface from which it came... The IP packets,
as they leave, look at their source IP in the header... I bet they are all
groomed to point to ext_if and not ext_if2. You need to tell TCP at the pf
level that you want direct source routing so the packets load balance on the
way back too... That is why the packets return to if, not if2: they were
rewritten that way. Otherwise they will default to hop-to-hop routing, which
is subnet based; you want IP-based source routing on the packets so the
packets leaving if2 have if2 as their route-back source address, and thus
you will solve your problems.
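For reference, the multiple-ISP pattern from the OpenBSD PF FAQ is reproduced
below as an added example; it is neither the poster's config nor the reply's
suggestion. It is written in the post-4.7 syntax (match ... nat-to), so it will
not load on the older pf the quoted config was written for; interface names,
gateways and the LAN network are reused from the quoted config purely as
assumptions. What it shows is that NAT is applied on the interface the packet
actually leaves, so a packet routed out ext_if2 carries ext_if2's address and
its reply arrives on ext_if2; that the round-robin rule sits on the internal
interface and therefore applies to forwarded LAN traffic; and that the two
pass out ... route-to rules at the end (the ones the quoted config has
commented out) are what force a packet carrying one uplink's address out
through that uplink's gateway. The reply-to rule is the mechanism for
connections that arrive on the second uplink, shown here for an assumed SMTP
service that the quoted config does not actually expose there.

```pf
# Added example, not from the thread: the OpenBSD PF FAQ multi-ISP pattern in
# post-4.7 syntax. Names and addresses are assumed (taken from the quoted
# config only for readability).
ext_if  = "em1"
ext_if2 = "em2"
int_if  = "em0"
ext_gw  = "192.168.3.1"
ext_gw2 = "192.168.0.1"
int_net = "192.168.1.0/24"

# Translate LAN traffic on whichever uplink it actually leaves. This decides
# which ISP sees the reply: a packet sent out $ext_if2 gets $ext_if2's
# address and so comes back in on $ext_if2.
match out on $ext_if  from $int_net nat-to ($ext_if)
match out on $ext_if2 from $int_net nat-to ($ext_if2)

block in
block out

# LAN to the firewall itself (this is where a proxy on the box is reached).
pass in quick on $int_if from $int_net to ($int_if)

# Balance forwarded LAN web traffic across the two uplinks. The rule is on
# the internal interface, so the uplink is chosen before NAT is applied.
pass in on $int_if inet proto tcp from $int_net to any port www \
    route-to { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin

# Everything else from the LAN follows the routing table.
pass in on $int_if from $int_net to any

pass out on $int_if to $int_net
pass out on $ext_if
pass out on $ext_if2

# A packet that the routing table would send out $ext_if but that carries
# $ext_if2's address is pushed out $ext_if2's gateway instead, and vice
# versa. This is what routes packets the firewall itself sends from the
# second uplink's address.
pass out on $ext_if  from ($ext_if2) route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from ($ext_if)  route-to ($ext_if  $ext_gw)

# Assumed inbound service on the second uplink: replies for this state leave
# via $ext_gw2 regardless of the routing table.
pass in on $ext_if2 inet proto tcp to ($ext_if2) port smtp \
    reply-to ($ext_if2 $ext_gw2)
```

Two caveats a practitioner will want. First, packets the firewall itself
originates never pass in on $int_if, so the round-robin rule does not touch
them; they are routed by the last pass out rules according to the source
address they carry. A proxy running on the firewall is therefore balanced
only to the extent that it sends from both uplink addresses (Squid's
tcp_outgoing_address directive is the knob for that). Second, check the file
with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` and
`tcpdump -n -e -ttt -i pflog0` to confirm which interface and source address
each state actually ends up with, since that, not the rule text, is what
determines where the replies come back.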
