On Mon, Apr 18, 2011 at 6:14 AM, Per von Zweigbergk <[email protected]> wrote:
> I have the following set up in a lab:
>
> [WinXP]----(LAN)[edgefw](WAN1)----(Link1)[mock-  ](WAN)----[to my "real" LAN]
>                 [      ](WAN2)----(Link2)[router](LAN)----[Win7]
>
> The WinXP box has a chargen server running for testing (I just installed the
> Windows XP Simple Internet Services).
>
> Edgefw and mockrouter are running pfSense 2.0-RC1.
>
> What this setup is intended to simulate is a Multi-WAN scenario, where
> edgefw is the router for a LAN which has two different WAN connections that
> are NATed.
>
> Mockrouter is inserted into the mix simply to simulate the two separate
> Internet connections (Link1 and Link2). Mockrouter's WAN connection to my
> real LAN is just a convenience for me so I can still access the web on my
> lab machines and not strictly relevant to the lab.
>
> Edgefw is configured with two WAN connections, and has a default route out
> of both of them. The specific part of this setup I'm having difficulty with
> is routing reply packets for TCP connections.
>
> What I have done is that I've made two port forwards on edgefw, from the
> WAN1 edge IP and the WAN2 edge IP into the WinXP machine on the TCP chargen
> port.
>
> When WAN1 is the default gateway, if I connect from my Win7 box to edgefw's
> WAN1 IP on the chargen port, packets in both directions flow through WAN1.
> This is to be expected.
>
> If I instead connect the same way, but with WAN2's IP, the packets going
> from Win7 to WinXP flow through WAN2, which is to be expected. However,
> packets returning on the same connection will exit on WAN1. Which is
> expected, but not desired - WAN1 is the default route after all, and it's
> not like the kernel makes routing decisions based on pf's state table.
>
> To solve this problem, I googled, and I turned up with the following
> solution that applies to hand-written pf that I believe would work in my
> scenario:
>
> pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
> pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
>
You can do that with floating rules. Check your resulting floating rules in
/tmp/rules.debug to ensure you have them configured correctly, and enable
logging on all your rules so you can determine which rule matched.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
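For reference, here is what the setup described in the question looks like as a hand-written pf.conf, with the two quoted route-to rules in place and logging enabled on them as the reply suggests. This is an added example, not a ruleset from the thread and not what pfSense generates into /tmp/rules.debug; the interface names, gateway addresses, LAN address and the em0/em1/em2 assignment are assumptions made for illustration only.

```pf
# Added example; not from the thread and not pfSense's generated ruleset.
# All interface names, gateways and addresses below are assumed for illustration.
ext_if1 = "em1"               # WAN1 on edgefw (assumed)
ext_if2 = "em2"               # WAN2 on edgefw (assumed)
int_if  = "em0"               # LAN on edgefw (assumed)
ext_gw1 = "203.0.113.1"       # Link1 next hop on mockrouter (assumed)
ext_gw2 = "198.51.100.1"      # Link2 next hop on mockrouter (assumed)
chargen_srv  = "192.168.1.10" # WinXP box running chargen (assumed)
chargen_port = "19"

# Outbound NAT on both WAN links.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

# The two port forwards: each WAN address, TCP chargen, to the WinXP box.
rdr on $ext_if1 proto tcp from any to ($ext_if1) port $chargen_port -> $chargen_srv
rdr on $ext_if2 proto tcp from any to ($ext_if2) port $chargen_port -> $chargen_srv

# Let the forwarded connections in (rdr has already rewritten the destination).
pass in log on $ext_if1 proto tcp from any to $chargen_srv port $chargen_port
pass in log on $ext_if2 proto tcp from any to $chargen_srv port $chargen_port

# The two rules quoted in the question. A reply packet that the kernel has
# routed out via the default gateway (WAN1) but whose source is the WAN2
# address is caught on its way out of WAN1 and re-routed out WAN2 to Link2's
# next hop, and vice versa. 'log' makes each hit visible on pflog0 so you can
# tell which rule matched, as the reply recommends. In pfSense terms these are
# floating rules, direction "out", with the gateway set on the rule.
pass out log on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out log on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

# Everything else from the LAN leaves via whichever WAN the default route picks.
pass out on { $ext_if1 $ext_if2 } from $int_if:network
```

After saving the floating rules in the GUI, the check the reply asks for is to confirm the two route-to lines actually made it into the loaded ruleset, e.g. `grep route-to /tmp/rules.debug` and `pfctl -vvsr | grep route-to`, and then to watch `tcpdump -n -e -ttt -i pflog0` while connecting from the Win7 box to the WAN2 address: the reply packets should appear as matches of the WAN1 "pass out" rule above. Note that pf also offers `reply-to` on the `pass in` rule for exactly this "send the answer back out the interface it came in on" case; the thread does not discuss it, so it is only mentioned here as an alternative worth knowing.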
