Hi,

Your problem is coming from here (from the pf.conf man page):

route-to
          The route-to option routes the packet to the specified interface
          with an optional address for the next hop.  When a route-to rule
          creates state, only packets that pass in the same direction as the
          filter rule specifies will be routed in this way.  Packets passing
          in the opposite direction (replies) are not affected and are routed
          normally.

Sebastian Reitenbach wrote:
Hi Arnaud,

Arnaud Feix <[EMAIL PROTECTED]> wrote:
    In the NAT section, what are $ext_dev and $cable_if?
I tried to make the rules a bit more readable, but I forgot one. The cable
device was formerly called ext_dev, when I only had one ISP. I exchanged the rule
base below; now it is correct.

Sebastian Reitenbach wrote:
Hi,

forgot the subject last time.

I have some trouble getting my Internet connection working with two ISPs.
I have been fiddling around with this for a week and cannot get it to work.
I have one DSL connection with a dynamic IP and one cable connection with
a static IP. I want to configure the Internet connection this way:
1. I want everything from the internal LAN to go out via the faster DSL
line, apart from some exceptions
2. the exceptions that need a static IP as source IP have to go out via the
cable network
3. traffic from the DMZ to the Internet shall leave the firewall via the static
cable interface
4. traffic to services in the DMZ will arrive at the static cable IP and shall be
redirected into the DMZ; replies shall go out via the cable interface
The configuration:
a) The DSL modem is configured to do the whole DSL handshaking and to do
NAT for us
b) The default route of the firewall, via the DSL line, points to the DSL modem
c) Static routes are defined for point 2 in the routing table, with the next
hop at 200.200.200.1
d) There are generally two firewalls working together with CARP, but for the tests the slave was shut down to eliminate possible interference


 GateCable:200.200.200.1  GateDSL: 192.168.255.1
          |Cable Static IP   |DSL Dynamic IP
          |200.200.200.2     |192.168.255.2
          |em0               |em1
   ________________________________
   |                              |DMZ 10.0.0.1
   |           Firewall           |------------
   |------------------------------|em2
               |em3
               |Internal LAN
               |10.1.1.1
               |


things that work:
Points 1 and 2 are working: internal users surf via the DSL line; only the specially treated IPs for which the special route is defined leave the network via the cable IP address

things that do not (yet) work:
obviously points 3 and 4

to test point 3, I have the following test pf ruleset:


# the physical interfaces of the carp devices
cable_dev="em0"
dsl_dev="em1"
dmz_dev="em2"
int_dev="em3"
pfsync_dev="bge0"

cable_if="carp0"
dsl_if="carp1"
dmz_if="carp2"
int_if="carp3"

# the DMZ network
dmz_net="10.10.10.0/24"

# the gateways for the Internet upstreams
dsl_gate="192.168.255.1"
cable_gate="200.200.200.1"

set skip on { lo }
set loginterface $dsl_dev
set block-policy return

scrub in all

# the NAT rule for the hosts in the DMZ; the default route at the firewall goes
# out via the $dsl_dev
nat pass on $cable_dev from $dmz_net -> ($cable_if:0)

block in log all
pass out log all

# allow carp and pfsync flow
pass quick on $pfsync_dev proto pfsync
pass quick on { $cable_dev $dsl_dev $dmz_dev $int_dev } proto carp keep state

pass in log on $dmz_dev route-to ( $cable_dev $cable_gate ) from $dmz_net to any keep state




this is the tcpdump on em0 (the external cable interface):
08:36:41.464966 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315468867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6350, len 60)
08:36:44.464174 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315471867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6351, len 60)
08:36:50.461358 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315477867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6352, len 60)
08:37:02.455739 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315489867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6353, len 60)

To me it seems correct: the right interface, the right source (NAT seems to
work) and destination address, but I do not see any answers.

Testing point 4 resulted in more or less the same: I see incoming SYN packets
on em0, and also SYN answers, but that's it, the connection is not established.
But I think this might have the same cause as point 3. So, any idea why I do not see any replies to the outgoing SYN packets? If the information provided is not enough, please let me know; I'd like to provide anything that will help
to resolve that issue.


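The direction rule quoted from pf.conf(5) at the top of the thread, laid out as an added pf.conf illustration. This is not a ruleset from the thread and not a claimed fix for Sebastian's setup; it reuses the macro names from his posted configuration and assumes that DMZ traffic enters the firewall on em2 and that the redirected inbound traffic for point 4 arrives on em0. The reply-to keyword is pf's counterpart to route-to for the reverse direction and is added here to show the contrast.

```pf
# Added illustration, not from the thread. Macro names follow the posted ruleset.
cable_dev="em0"
dmz_dev="em2"
cable_if="carp0"
dmz_net="10.10.10.0/24"
cable_gate="200.200.200.1"

# NAT the DMZ to the static cable address when the packet leaves via em0.
nat pass on $cable_dev from $dmz_net -> ($cable_if:0)

# Point 3, outbound: a SYN from the DMZ arriving "in on em2" matches this rule
# and is forced out em0 towards the cable gateway. As the man page says, only
# packets in the same direction as the rule (in on em2) take the route-to path.
# The reply from the Internet arrives on em0, is matched to the state and the
# NAT is reversed, but it is routed by the routing table, not by route-to.
pass in on $dmz_dev route-to ( $cable_dev $cable_gate ) from $dmz_net to any keep state

# Point 4, inbound: traffic for a redirected DMZ service arrives "in on em0".
# Here the *reply* is the packet that has to leave towards the Internet, and
# the routing table would send it out the default route (the DSL line).
# reply-to is the keyword for exactly this direction: replies to a state
# created by this rule are sent back out em0 via the cable gateway.
pass in on $cable_dev reply-to ( $cable_dev $cable_gate ) from any to $dmz_net keep state
```

The two rules are mirror images: route-to decides where the packets matching the rule itself go, reply-to decides where the replies to the state go. A rdr rule for the DMZ service would sit next to the nat rule above; it is left out because the thread does not show one.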