Re: Routing question with 2 external lines.

2009-12-07 Thread Stuart Henderson
On 2009-12-06, Alastair Johnson att...@googlemail.com wrote:
> rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> 10.0.0.50 port 443
> rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> 10.0.0.50 port 443

This works like 'pass quick' without reply-to. Remove 'pass' and you'll
get the other rules into play.

> I have tried separating the pass rule and adding a reply-to but that doesn't
> seem to work either:

> pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from $supplierIP to $CARP_ip_line1 port 443 keep state
> pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from $supplierIP to $CARP_ip_line2 port 443 keep state

These need to use the translated, not external, addresses.

If you still have problems use 'pass in log' and check with tcpdump
on pflog0 that the packets actually match the rules.

route-to/reply-to were broken for a while, I *think* they were ok in
4.6 but not certain. They do definitely work in -current.
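Putting the two corrections from this reply into one ruleset (drop 'pass' from the rdr so the filter rules are evaluated, and have the reply-to rule match the translated address), as an added example rather than a ruleset posted by either participant. The macro names and the 10.0.0.50 server come from the thread; the interface names and addresses assigned to the macros are placeholders. This is the pre-4.7 rdr/pass syntax the thread uses; OpenBSD 4.7 and later moved translation into 'match ... rdr-to', so it does not carry over unchanged.

```pf
# Added example (not from the thread): OpenBSD 4.6-style ruleset.
# Macro values are placeholders; only 10.0.0.50 appears in the thread.
ext_if1       = "em0"             # placeholder
ext_if2       = "em1"             # placeholder
isp_gw_ip_1   = "192.0.2.1"       # placeholder (documentation range)
isp_gw_ip_2   = "198.51.100.1"    # placeholder
CARP_ip_line1 = "192.0.2.10"      # placeholder
CARP_ip_line2 = "198.51.100.10"   # placeholder
supplierIP    = "203.0.113.5"     # placeholder
int_srv       = "10.0.0.50"

set state-policy if-bound

# Translation only: no 'pass' here, so the filter rules below decide
# whether the packet is allowed and attach reply-to to the state.
rdr on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> $int_srv port 443
rdr on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> $int_srv port 443

# Filter rules see the packet after rdr, so match the translated address.
# 'log' lets you confirm the match on pflog0.
pass in log on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp \
    from $supplierIP to $int_srv port 443 keep state
pass in log on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp \
    from $supplierIP to $int_srv port 443 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm the rule actually matches with `tcpdump -n -e -ttt -i pflog0 port 443` as suggested above; the pflog output names the rule number that matched, which distinguishes a reply-to problem from a rule that was never hit.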



Routing question with 2 external lines.

2009-12-05 Thread Alastair Johnson
We have 2 internet lines with 2 different and equally unreliable Internet
providers.

We have 2 PF firewalls running 4.6 RELEASE arranged in a failover
configuration using CARP/pfsync. Each firewall is therefore connected to
each router and to our internal network as well as a crossover cable
between them for the pfsync.

I would like one of our internal servers to be reachable by certain remote
people. Given the unreliability of each line I would like a remote person
to be able to target the CARP address of either external connection and
RDR traffic through to the internal server.

Sounds simple and it half works. It only works for whichever line the
firewall's default route is pointing towards. Traffic always returns along
the default route even if it originates from down the other external line,
even if I use reply-to and even if I keep-state and even if I set policy
if-bound.

Is this by design? Do I ask the conceptually impossible? It doesn't seem
unreasonable - not everyone has high quality lines.

I have the following:

rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> 10.0.0.50 port 443
rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> 10.0.0.50 port 443

The problem is that replies only get back down the line that is set as
default gateway. If the default gateway is down line 1 then an incoming
packet coming down line 2 will successfully get in to the fw, pass the fw,
go to the internal server, come back to the fw but then try to go out down
line 1.

I have tried separating the pass rule and adding a reply-to but that doesn't
seem to work either:

pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from $supplierIP to $CARP_ip_line1 port 443 keep state
pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from $supplierIP to $CARP_ip_line2 port 443 keep state

I still can't get traffic to return down the interface it arrived on unless
it's the same as the default route.

I have to set a default route because I NAT for internal workstations doing
general web browsing.

Happy to send a dmesg if it would be useful.

Many thanks,

Alastair Johnson