Hello,

I have a problem with policy routing. My infrastructure looks like this: 2 firewalls with CARP failover, Internet obtained from the ISP via 3 different VLANs.

A simple schema looks like this:


             /-VLAN A - CARP A --\
(WAN)---BGE0---VLAN B - CARP B ---BGE1 (LAN)
             \-VLAN C - CARP C --/


I've received 3 VLANs with different addressing:

VLAN A: A.A.A.A/30 with A.A.A.B gw
VLAN B: B.B.B.B/30 with B.B.B.C gw
VLAN C: C.C.C.C/30 with C.C.C.D gw

The default route goes through VLAN A. I'd like traffic that came in via VLAN B to be returned via VLAN B (and the same for VLAN C), and some specific hosts from the LAN to be passed out via VLAN C.

My PF rules look like this:

TRANSLATION RULES:
nat on vlanA inet from $LAN to any -> A.A.A.A
nat on vlanB inet all -> B.B.B.B
nat on vlanC inet all -> C.C.C.C

rdr pass on vlanB inet proto tcp from any to B.B.B.B port = 2233 -> $LANHOST3 port 22

rdr pass on vlanC inet proto tcp from any to C.C.C.C port = 333 -> $LANHOST4 port 22

rdr pass on vlanA inet proto tcp from any to A.A.A.A port = www -> $LANHOST1 port 80

FILTER RULES:

pass out all keep state

pass in quick on vlanB reply-to (vlanB vlanB_gw) inet proto tcp from any to $LANHOST3

pass in quick on vlanC reply-to (vlanC vlanC_gw) inet proto tcp from any to $LANHOST4

block drop in quick on bge0 all

Traffic that comes in via VLAN B or VLAN C reaches the host in the local network, but return traffic goes via the default route and not via the originating VLAN. I have tested the solution from the PF FAQ and there is the same result. I don't want to load balance connections. Has anyone had a similar problem and solved it?


--
Best regards,
Paweł Sieradz
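The setup described in the post, written out as an added pf.conf example (not the poster's configuration) in the same nat/rdr syntax. It relies on one documented pf behaviour: a translation rule with the `pass` modifier (`rdr pass`) passes the packet without evaluating the filter rules, so a `reply-to` on a later filter rule never gets to create the state. The rdr rules here therefore omit `pass`, and `route-to` on the LAN-side rule handles the hosts that should leave via VLAN C. Interface names, the LAN addresses and the `<via_vlanC>` table are placeholders chosen for the example.

```pf
# Placeholder names and addresses for the example; the ISP gateways are
# the ones quoted in the post.
ext_if   = "bge0"
lan_if   = "bge1"
vlanA    = "vlanA"          # default route leaves here
vlanB    = "vlanB"
vlanC    = "vlanC"
vlanB_gw = "B.B.B.C"
vlanC_gw = "C.C.C.D"
lan_net  = "192.0.2.0/24"   # placeholder LAN
lanhost3 = "192.0.2.13"     # placeholder, post's $LANHOST3
lanhost4 = "192.0.2.14"     # placeholder, post's $LANHOST4
table <via_vlanC> { 192.0.2.50, 192.0.2.51 }   # LAN hosts forced out VLAN C

# Translation. No 'pass' modifier on the rdr rules: 'rdr pass' would skip
# the filter rules, and with them the reply-to that steers the replies.
nat on $vlanA inet from $lan_net to any -> ($vlanA)
nat on $vlanB inet from $lan_net to any -> ($vlanB)
nat on $vlanC inet from $lan_net to any -> ($vlanC)
rdr on $vlanB inet proto tcp from any to ($vlanB) port 2233 -> $lanhost3 port 22
rdr on $vlanC inet proto tcp from any to ($vlanC) port 333  -> $lanhost4 port 22

# Filter. The state is created by the inbound rule on the VLAN interface and
# carries the reply-to, so packets coming back from the LAN host are handed to
# that VLAN's gateway instead of following the default route via VLAN A.
# (rdr runs before filtering, so the rule matches the translated destination.)
pass in quick on $vlanB reply-to ($vlanB $vlanB_gw) inet proto tcp \
    from any to $lanhost3 port 22 flags S/SA keep state
pass in quick on $vlanC reply-to ($vlanC $vlanC_gw) inet proto tcp \
    from any to $lanhost4 port 22 flags S/SA keep state

# Policy routing for the chosen LAN hosts: route-to on the LAN-facing rule
# sends their Internet-bound traffic out VLAN C; the nat rule on $vlanC
# then rewrites the source to C.C.C.C. Everything else keeps the default route.
pass in quick on $lan_if route-to ($vlanC $vlanC_gw) inet \
    from <via_vlanC> to ! $lan_net keep state
pass in quick on $lan_if inet from $lan_net to any keep state

pass out all keep state
block drop in quick on $ext_if all
```

To check which rule actually owns the states, `pfctl -vsr` prints a `States:` counter per rule; if the reply-to rules stay at 0 while the forwarded connections work, the state is being created elsewhere (for example by an `rdr pass` rule) and the reply-to is not in effect.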
