multiple external links working .. (Solved)

2007-01-25 Thread S t i n g r a y
Yes, it was exactly this, & thanks Soner Tari & Stuart Henderson for helping me 
(a newbie) in such detail that now finally I have succeeded in making multiple 
external connections & serving them as one.
Lush, it feels so good ..

Thank you.
I owe you one.

P.S. Is it possible to have a 3rd internet connection join this? :)


*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
  



----- Original Message -----
From:  <[EMAIL PROTECTED]>
To: S t i n g r a y <[EMAIL PROTECTED]>
Cc: openbsd 
Sent: Wednesday, January 24, 2007 12:53:40 AM
Subject: Re: multiple external links not working ..

Hi, I'm using two external interfaces myself, and I believe I had the
same problem you describe in your message. I bet when you do:

netstat -rnf inet | grep default

you will see that your (ext_if2 ext_gw2) comes on top. Thus, my theory
is that the kernel is preferring your second external interface due to
your routing table (i.e. the order of your default routes).

Since I don't know how to handle this in pf.conf for connections
originating from my firewall, such as an http proxy running on the
firewall, just as in your case too (otherwise route-to and reply-to work
fine), I change my routing table in rc files.

Specifically, I rearrange the order of my default routes to have my
first external interface/gateway on top:

route add default -ifp ext_if1 -mpath ext_gw1
route add default -ifp ext_if2 -mpath ext_gw2

Accordingly, I removed the similar shell commands in hostname.if(5)
files.

Hope this helps,

On Tue, 2007-01-23 at 08:36 -0800, S t i n g r a y wrote:
> Well, thanks to everyone who helped me come close to using multiple external 
> links for internet.
> But it's still not working. My scenario is that I have 2 ISP connections now; 
> the main internet connection is the powerful one, which I only want to use 
> for specific protocols which I have defined in a macro called ports; now the 
> rest is supposed to go to my 2nd internet connection, which is a weak & 
> cheap connection, basically there to allow p2p applications access.
> Main internet is ext_if1 (xl0)
> Slow internet is ext_if2 (xl2)
> LAN is int_if (xl1) 
> Now the problem is that whenever I apply my pf.conf file, all the traffic 
> goes to the 2nd slow internet connection.
> 
> my pf.conf file
> lan_net = "10.0.0.0/16"
> int_if  = "xl1"
> ext_if1 = "xl0"
> ext_if2 = "xl2"
> ext_gw1 = "192.168.0.1"
> ext_gw2 = "203.81.235.1"
> chadd = "10.0.0.1"
> ports = " 22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863"
> table <allowedclients> persist file "/etc/allowedclients"
> 
> nat on $ext_if1 inet proto { tcp, udp } from <allowedclients> to any port \
> { $ports } -> ($ext_if1)
> nat on $ext_if2 inet proto { tcp, udp } from <allowedclients> to any \
> -> ($ext_if2)
> 
> rdr on $int_if proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
> 
> pass out log on $int_if from any to $lan_net
> 
> pass in log quick on $int_if from $lan_net to $int_if
> pass in log on $int_if route-to { ($ext_if2 $ext_gw2) } from \
> $lan_net to any flags S/SA keep state
> pass in log on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
> $lan_net to any port {$ports} flags S/SA keep state
> 
> pass out log on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out log on $ext_if2 proto { udp, icmp } from any to any keep state
> pass out log on $ext_if1 proto tcp from any to any flags S/SA modulate state  
> pass out log on $ext_if1 proto { udp, icmp } from any to any keep state
> 
> pass out log on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
> pass out log on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> 
> this is what happens
> 
> bash-3.1# tcpdump -netti pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG
> 1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 
> 8.7.232.215.80: [|tcp] (DF)
> 1169566778.553623 rule 18/(match) pass out on xl2: 203.81.235.185.13550 > 
> 66.249.91.83.80: [|tcp] (DF)
> 1169566779.005110 rule 18/(match) pass out on xl2: 203.81.235.185.16245 > 
> 209.0.144.87.80: [|tcp] (DF)
> 1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 > 
> 216.143.70.77.80: [|tcp]
> 1169566779.167718 rule 1/(match) pass in on xl1: 10.0.1.24.2402 > 
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566779.170640 rule 18/(match) pass out on xl2: 203.81.235.185.11598 > 
> 64.40.101.40.80: [|tcp] (DF)
> 1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 
> 125.23.47.31.3460: [|tcp] (DF)
> 1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 
> 125.23.47.31.3460: [|tcp] (DF)
> 1169566779.615288 rule 18/(match) pass out on xl2: 203.81.235.185.33595 > 
> 209.0.144.88.80: [|tcp] (DF)
> 1169566779.700708 rule 18/(match) pass out on xl2: 203.81.235.185.42575 > 
> 72.14.209.85.80: [|tcp] (DF)
> 1169566779.994302 rule 1/(match) pass in on xl1: 10.0.2.8.4265 > 
> 10.0

Re: multiple external links working .. (Solved)

2007-01-25 Thread Marcos Laufer
Would you mind sharing your final config as a sample for others
who might need it in the future?
Thanks!



Re: multiple external links working .. (Solved)

2007-01-25 Thread S t i n g r a y
My final config file that works, along with a couple of commands you need to put 
in a script file & execute after each reboot.

#
#  my routeset script

route delete default -ifp xl2 -mpath 203.81.235.1
route add default -ifp xl0 -mpath 192.168.0.1
netstat -rnf inet | grep default

#

# my pf.conf file

lan_net = "10.0.0.0/16"
int_if  = "xl1"
ext_if1 = "xl0"
ext_if2 = "xl2"
ext_gw1 = "192.168.0.1"
ext_gw2 = "203.81.235.1"
chadd = "10.0.0.1"
ports = "22 53 80 110 119 123 143 443 465 554 900 995 1755 1863 1999 2090 2091 2095 3000 3020 2020 3389 5000 5001 5050 5100 5190 6667 11999 14360"
# table name <allowedclients> assumed from the file name below; the angle
# brackets were lost when the message was archived
table <allowedclients> persist file "/etc/allowedclients"

nat on $ext_if1 inet proto { tcp, udp } from <allowedclients> to any port \
{ $ports } -> ($ext_if1)
nat on $ext_if2 inet proto { tcp, udp } from <allowedclients> to any \
-> ($ext_if2)

rdr on $int_if proto tcp from <allowedclients> to any port 80 -> $chadd port 8080

pass out on $int_if from any to <allowedclients>


pass in quick on $int_if from <allowedclients> to $int_if
pass in on $int_if route-to { ($ext_if2 $ext_gw2) } from \
<allowedclients> flags S/SA keep state
pass in on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
<allowedclients> to any port { $ports } keep state


pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state  
pass out on $ext_if1 proto { udp, icmp } from any to any keep state

pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

 

*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
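The thread's diagnosis hinges on which multipath default route sits on top of `netstat -rnf inet`. The script below is an added example, not part of the thread or its routeset script: it reads a captured routing table, reports which gateway is first, and prints (without executing) the route(8) delete/add sequence that would put the primary ISP's gateway on top. The interface names and gateways are the ones from the thread; the netstat lines are constructed.

```shell
#!/bin/sh
# Added check for the default-route order described in the thread. Nothing here
# touches the live routing table; the reorder commands are only printed.

# Constructed sample: the second ISP (xl2) is listed first, the order that sent
# all firewall-originated traffic out the slow link.
BAD_ROUTES='default            203.81.235.1       UGSP       0        0     -     8 xl2
default            192.168.0.1        UGSP       0        0     -     8 xl0'

# Constructed sample of the same table after the primary gateway was put on top.
GOOD_ROUTES='default            192.168.0.1        UGSP       0        0     -     8 xl0
default            203.81.235.1       UGSP       0        0     -     8 xl2'

# Gateway of the first default entry; $1 is the text of `netstat -rnf inet`.
first_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Number of default entries; a two-ISP multipath setup should show 2.
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# Usage: check_default_order TABLE PRIMARY_IF PRIMARY_GW SECONDARY_IF SECONDARY_GW
# Returns 0 when the primary gateway is already on top; 1 when it is not, after
# printing the delete/add pair that re-inserts the secondary route behind it
# (the thread's observation: insertion order decides which default route wins);
# 2 when the table does not hold exactly two default routes.
check_default_order() {
    table=$1 pif=$2 pgw=$3 sif=$4 sgw=$5
    n=$(count_default_routes "$table")
    if [ "$n" -ne 2 ]; then
        echo "expected 2 default routes, found $n" >&2
        return 2
    fi
    if [ "$(first_default_gw "$table")" = "$pgw" ]; then
        return 0
    fi
    echo "route delete default -ifp $sif -mpath $sgw"
    echo "route add default -ifp $sif -mpath $sgw"
    return 1
}
```

Feed it `netstat -rnf inet` output on the firewall and compare the printed commands with the routeset script before running anything.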
  


