On 18:59, Tue 05 Jan 10, Jordi Espasa Clofent wrote:
> Ok, let's go again. According to Karl's (thanks ;)) words I've
> rebuilt my pf.conf two times in two different approaches.
> 
> // FIRST TRY
> 
> - make the ADSL "redirection" in bge0 (the internal one, traffic
> from LAN to Internet)
> - make the queues in bge1/re0/fxp0 (the external ones, traffic from
> Internet to LAN)
> 
> # 7. Filter rules
> 
> ####### traffic from LAN to INTERNET ########
> ## from LAN to Internet: INBOUND to bge0 ##
> # dept_a using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto { tcp udp } from $dept_a to any keep state

Don't you mean: pass in on $int_if ???
This is what I have and it works great:

pass in on $int_if route-to ($ext_if $ext_gw) from <dsl_hosts> to \
    !<internal_hosts>

My default is CABLE, but I have some IPs I want to route out over the
DSL connection, so I added those IP addresses to the table <dsl_hosts>.

For traffic going to services on the DSL line I have:

pass in on $ext_if reply-to ($ext_if $ext_gw) proto tcp \
    to $ssh_server port $ssh_ports keep state \
    (max-src-conn 10, max-src-conn-rate 2/10, overload <ssh_attack> flush)

If you want I can remove sensitive data from my pf.conf and mail it to
you. Just let me know.

> 
> # dept_b using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto { tcp udp } from $dept_b to any keep state
> 
> # dept_c using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if3 $ext_gw3) \
>     proto { tcp udp } from $dept_c to any keep state
> 
> ## from LAN to internet: OUTBOUND on bge1/re0/fxp0
> pass out on $ext_if1
> pass out on $ext_if2
> pass out on $ext_if3
> 
> ###############################
> 
> ####### traffic from INTERNET to LAN ########
> ## from Internet to LAN: INBOUND to bge1/re0/fxp0 ##
> pass in on $ext_if1
> pass in on $ext_if2
> pass in on $ext_if3
> 
> ## from Internet to LAN: OUTBOUND to bge0 ##
> 
> ### dept_a
> pass out quick on $int_if from $callcenter02 \
>      to $dept_a keep state \
>      queue centraleta
> 
> pass out quick on $int_if proto tcp from $cpd \
>      to $dept_a port 22 keep state \
>      queue ssh1
> 
> pass out quick on $int_if from  $cpd \
>      to $dept_a keep state \
>      queue cpd11
> 
> pass out on $int_if from any \
>      to $dept_a keep state \
>      queue nocpd1
> 
> ### dept_b
> pass out quick on $int_if proto tcp from $cpd \
>      to $dept_b port 22 keep state \
>      queue ssh2
> 
> pass out quick on $int_if from $cpd \
>      to $dept_b keep state \
>      queue cpd2
> 
> pass out on $int_if from any \
>      to $dept_b keep state \
>      queue nocpd2
> 
> ### dept_c
> pass out quick on $int_if proto tcp from $cpd \
>      to $dept_c port 22 keep state \
>      queue ssh3
> 
> pass out quick on $int_if from $cpd \
>      to $dept_a keep state \
>      queue cpd3
> 
> pass out on $int_if from any \
>      to $dept_c keep state \
>      queue nocpd3
> -----------------------------------------------------------------
> 
> It's clean, it's understandable... but it doesn't work. Indeed, the
> first part works: every LAN client uses the correct ADSL out, but the
> queues don't run.
> 
> // SECOND TRY
> 
> - make the ADSL "redirection" and also the queues work in bge0 (the
> internal one, traffic from LAN to Internet)
> 
> ##################################
> # --- (bge0/LAN) ----OpenBSD box     ---- (fxp0/adsl1)
> #                            ---- (bge1/adsl2)
> #                           ---- (re0/adsl3)
> #
> # 1.Macros
> # ISP_1
> ext_if1="fxp0"
> ext_gw1="217.126.43.2"
> 
> # ISP_2
> ext_if2="bge1"
> ext_gw2="192.168.10.1"
> 
> # ISP_3
> ext_if3="re0"
> ext_gw3="192.168.2.1"
> 
> # dept. A
> workmate_a="192.168.0.121"
> workmate_b="192.168.0.51"
> workmate_c="192.168.0.124"
> workmate_d="192.168.0.49"
> dept_a = "{" $workmate_a $workmate_b $workmate_c $workmate_d  "}"
> 
> #dept. B
> workmate_e="192.168.0.79"
> wormate_f="192.168.0.78"
> dept_b = "{" $workmate_e $workmate_f"}"
> 
> # dept. C
> workmate_h="192.168.0.39"
> workmate_i="192.168.0.43"
> workmate_j="192.168.0.48"
> dept_c = "{" $workmate_h $workmate_i $workmate_j "}"
> 
> # internal gateway
> lan_net="192.168.0.0/24"
> int_if="bge0"
> int_gw="192.168.0.1"
> 
> # another macros
> cpd="{ xxx }"
> callcenter="xxx"
> 
> # 2.Tables
> # Not used at present
> # 3.Options
> set skip on lo
> set optimization conservative
> set limit states 50000
> 
> # 4. Scrub traffic
> scrub all
> 
> # 5. Queueing
> altq on $int_if cbq bandwidth 30Mb queue { zona1, zona2, zona3 }
> 
>      queue zona1 bandwidth 10Mb { centraeta, cpd1, ssh1, nocpd1 }
>            queue centraleta bandwidth 50% priority 7 cbq(default)
>            queue cpd1 bandwidth 25% priority 6 cbq(borrow)
>            queue ssh1 bandwidth 5% priority 3 cbq
>            queue nocpd1 bandwidth 20% priority 0 cbq
> 
>      queue zona2 bandwidth 10Mb { cpd2, ssh2, nocpd2 }
>            queue cpd2 bandwidth 40% priority 7 cbq
>            queue ssh2 bandwidth 40% priority 3 cbq(borrow)
>            queue nocpd2 bandwidth 20% priority 0 cbq
> 
>      queue zona3 bandwidth 10Mb { cpd3, ssh3, nocpd3 }
>            queue cpd3 bandwidth 60% priority 7 cbq
>            queue ssh3 bandwidth 25% priority 3 cbq(borrow)
>            queue nocpd3 bandwidth 15% priority 0 cbq
> 
> # 6. Translation
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> nat on $ext_if3 from $lan_net to any -> ($ext_if3)
> 
> # 7. Filter rules
> 
> ## from LAN to Internet: INBOUND to bge0 ##
> # dept_a using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto { tcp udp } from $dept_a to any keep state
> 
> # dept_b using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto { tcp udp } from $dept_b to any keep state
> 
> # dept_c using their own ADSL
> pass out on $int_if route-to \
>     ($ext_if3 $ext_gw3) \
>     proto { tcp udp } from $dept_c to any keep state
> 
> ## from LAN to internet: OUTBOUND on bge1/re0/fxp0
> pass out on $ext_if1
> pass out on $ext_if2
> pass out on $ext_if3
> 
> ###############################
> 
> ####### traffic from INTERNET to LAN ########
> ## from Internet to LAN: INBOUND to bge1/re0/fxp0 ##
> pass in on $ext_if1
> pass in on $ext_if2
> pass in on $ext_if3
> 
> ## from Internet to LAN: OUTBOUND to bge0 ##
> 
> ### dept_a
> pass in on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto udp from $dept_a to $callcenter02 \
>     keep state \
>     queue centraleta  
> 
> pass in quick on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto tcp from $dept_a to $cpd \
>     port 22 keep state \
>     queue ssh1
> 
> pass in quick on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto tcp from $dept_a to $cpd \
>     keep state \
>     queue cpd1
> 
> pass in quick on $int_if route-to \
>     ($ext_if1 $ext_gw1) \
>     proto tcp from $dept_a to $cpd \
>     keep state \
>     queue nopcd1
> 
> ### dept_b
> pass in quick on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto tcp from $dept_b to $cpd \
>     port 22 keep state \
>     queue ssh2
> 
> pass in quick on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto tcp from $dept_b to $cpd \
>     keep state \
>     queue cpd2
> 
> pass in quick on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto tcp from $dept_b to $cpd \
>     keep state \
>     queue nopcd2
> 
> ### dept_c
> pass in quick on $int_if route-to \
>     ($ext_if3 $ext_gw3) \
>     proto tcp from $dept_c to $cpd \
>     port 22 keep state \
>     queue ssh3
> 
> pass in quick on $int_if route-to \
>     ($ext_if3 $ext_gw3) \
>     proto tcp from $dept_c to $cpd \
>     keep state \
>     queue cpd3
> 
> pass in quick on $int_if route-to \
>     ($ext_if3 $ext_gw3) \
>     proto tcp from $dept_c to $cpd \
>     keep state \
>     queue nopcd3
> -----------------------------------------------------
> 
> 
> It sounds clear also... but it simply doesn't work.
> 
> I'm convinced that my last goal (using an ADSL depending on the LAN
> client's IP and also using the queues) is possible, but it seems hard
> right now.
> 
> Thanks in advance.
> 
> -- 
> I must not fear. Fear is the mind-killer. Fear is the little-death
> that brings total obliteration. I will face my fear. I will permit
> it to pass over me and through me. And when it has gone past I will
> turn the inner eye to see its path. Where the fear has gone there
> will be nothing. Only I will remain.
> 
> Bene Gesserit Litany Against Fear.

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
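An added example (mine, not from either poster) of catching the kind of name mismatch visible in the quoted second try before pfctl is asked to load it: a small Python lint that flags macros referenced under a different name than they were defined (wormate_f vs $workmate_f), queues listed as children but never declared (centraeta vs centraleta), and rules assigning a queue that does not exist (nopcd1 vs nocpd1). The sample config is constructed from the thread's macros and queues, and the regexes only cover the rule shapes used there.

```python
import re

# Constructed excerpt modelled on the thread's "second try"; its three typos
# (wormate_f, centraeta, nopcd1) are kept on purpose so the checks have work.
SAMPLE_PF_CONF = """\
int_if="bge0"
ext_if1="fxp0"
ext_gw1="217.126.43.2"
workmate_e="192.168.0.79"
wormate_f="192.168.0.78"
dept_b = "{" $workmate_e $workmate_f "}"
altq on $int_if cbq bandwidth 30Mb queue { zona1 }
     queue zona1 bandwidth 10Mb { centraeta, nocpd1 }
           queue centraleta bandwidth 50% priority 7 cbq(default)
           queue nocpd1 bandwidth 20% priority 0 cbq
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \\
    proto tcp from $dept_b to any keep state queue nopcd1
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"')               # name="value"
MACRO_USE = re.compile(r"\$(\w+)")                      # $name
QUEUE_DECL = re.compile(r"^queue\s+(\w+)\s+bandwidth")  # queue name bandwidth ...
CHILD_LIST = re.compile(r"\{([^}]*)\}")                 # { child, child } on altq/queue lines
RULE_QUEUE = re.compile(r"^(?:pass|block|match)\b.*\bqueue\s+\(?\s*(\w+)")

def logical_lines(text):
    """Drop comments and join backslash-continued lines, as pfctl does."""
    joined = re.sub(r"\\\n", " ", text)
    stripped = (l.split("#", 1)[0].strip() for l in joined.splitlines())
    return [l for l in stripped if l]

def check_pf_conf(text):
    """Return sorted (problem, name) pairs for names used but never defined."""
    macros, used, queues, children, assigned = set(), set(), set(), set(), set()
    for line in logical_lines(text):
        if m := MACRO_DEF.match(line):
            macros.add(m.group(1))
        used.update(MACRO_USE.findall(line))
        if m := QUEUE_DECL.match(line):
            queues.add(m.group(1))
        if line.startswith(("altq ", "queue ")):
            for lst in CHILD_LIST.findall(line):
                children.update(n for n in re.split(r"[,\s]+", lst) if n)
        if m := RULE_QUEUE.match(line):
            assigned.add(m.group(1))
    problems = [("undefined macro", n) for n in used - macros]
    problems += [("child queue never declared", n) for n in children - queues]
    problems += [("rule assigns unknown queue", n) for n in assigned - queues]
    return sorted(problems)
```

Running it on the real file (`check_pf_conf(open("/etc/pf.conf").read())`) complements `pfctl -nf /etc/pf.conf`, which also refuses such a file but reports only the first error it hits.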
