3 gateways problem
Robert M
mirobercik at yahoo.com
Tue Nov 30 14:07:52 PST 2004
Hi,
Thank you for your reply.
I have read the manual before.
I did try adding the following lines to the end of my pf.conf file, but this didn't help, though.
---
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifLimes to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
----
Maybe I misunderstood the 'meaning' of these rules?
I suspect a "bug" in the pf.conf file :-(
PS. Do you know any website where I can learn about advanced pf/altq networking?
I would simply like to limit Internet speed to 256Kbit/s, with priq in each queue, for every user on my 2Mbit line.
Thank you!
Regards,
--
Robert
--- Claudiu Dragalia-Paraipan <dr.clau at gmail.com> wrote:
> Hi,
>
> Maybe this helps you. It is part of the PF FAQ, which you can find at
> http://www.openbsd.org/faq/pf/
>
> ---------- http://cvs.openbsd.org/faq/pf/pools.html
> ...
> To ensure that packets with a source address belonging to $ext_if1 are always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the following two lines should be included in the ruleset:
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> Finally, NAT can also be used on each outgoing interface:
>
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> ...
> ----------
>
> Robert M wrote:
> > Hello,
> >
> > I have a problem with source routing via 3 gateways.
> >
> > All I need is to be able to get in to my local machine via an 'rdr' rule.
> >
> > All connections are routed via a firewall box with 4 ethernet cards.
> >
> > I don't want this done via a 'binat' rule as I only want to rdr some ports.
> >
> > When telnetting from an external host to:
> > 83.16.196.130 port 22 -> I want to be redirected to 192.168.1.1 port 22
> > As well as:
> > 194.110.229.163 port 22 -> 192.168.1.1 22
> >
> > This can also be done by adding a new IP, e.g. 192.168.1.2, to my local machine, but it requires daemon binding setting changes.. so I'd rather not.
> >
> > The problem is that 1/2 connections are established properly.
> >
> > I assume it's a problem with the rule:
> > pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
> >
> > where the system doesn't know which gateway should be used for the return packet.
> >
> > Below is my pf.conf (sorry, it's a little messy).
> >
> > OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004 root at fw:/usr/obj/usr/src/sys/TUNED i386
> >
> > Thank you!
> >
> > Regards,
> > Robert
> >
> > ------- pf.conf -----
> > # vars
> > ifInt="rl0"
> > ifDSL1="rl1"
> > ifDSL2="rl2"
> > ifDSL3="rl3"
> >
> > exLocal="192.168.0.3"
> > exDSL3="194.110.229.164"
> > robertLocal="192.168.0.4"
> > robertDSL3="194.110.229.165"
> > develDSL3="194.110.229.163"
> > fwDSL3="194.110.229.162"
> >
> > ## networks
> > netDSL1="83.16.196.120/29" # dsl1
> > gwDSL1="83.16.196.121" # gw
> >
> > netDSL2="83.16.196.128/29" # dsl2
> > gwDSL2="83.16.196.129" # gw
> >
> > netPSN="192.168.0.0/24" # Private Service Network (
> >
> > netDMZ="192.168.1.0/24" # Demilitarized Zone (hostDevel)
> > hostDevel="192.168.1.1" # devel
> > netLocal="192.168.0.0/16" # psn+dmz
> >
> > netDSL3="194.110.229.160/27" # DSL3
> > gwDSL3="194.110.229.161" # gw
> >
> > ## altq
> > altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
> > queue q1pri priority 7
> > queue q1ssh priority 5
> > queue q1def priority 1 priq(default)
> >
> > altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
> > queue q2pri priority 7
> > queue q2ssh priority 5
> > queue q2def priority 1 priq(default)
> >
> > altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
> > queue q3pri priority 7
> > queue q3ssh priority 5
> > queue q3def priority 1 priq(default)
> >
> > ## nat 1:n (output)
> > nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122 # dsl1
> > nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130 # dsl2
> > nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
> > nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162 # DSL3
> > nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3 # devel(DSL3)
> >
> > ## nat 1:1 (input)
> > # devel
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> > rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> >
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
> > rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> > rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122
> >
=== message truncated ===
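An added example, not from this thread or from the PF FAQ, showing the FAQ's symmetric route-to pair generalized to three uplinks, together with the piece a practitioner usually wants next to it: reply-to on the stateful rules for the rdr'd inbound connections. A pass out rule with route-to is only evaluated for the packet that creates the state; replies to an existing state bypass the ruleset and follow the routing table, so a session that arrived on DSL1 would be answered through the default route (DSL3) carrying a DSL1 source address, which an upstream provider may drop as spoofed. reply-to pins the return path of each state to the link the SYN arrived on. The macros, addresses and the SSH redirection follow the poster's pf.conf; the NAT and ALTQ sections are omitted, only port 22 is shown, and reply-to is assumed to be supported by the pf version in use (it is documented in pf.conf(5) of the OpenBSD releases FreeBSD's pf port was taken from).

```pf
# Added example (not the poster's or the FAQ's configuration).
# Macros as in the poster's pf.conf.
ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"
gwDSL1="83.16.196.121"
gwDSL2="83.16.196.129"
gwDSL3="194.110.229.161"
hostDevel="192.168.1.1"

# Source-based policy routing for locally originated and NATed traffic:
# a packet carrying a link's own address must leave through that link's
# gateway, whichever interface the routing table picked. With three
# links every "pass out on X" needs a rule for each of the other two.
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any

# Inbound redirections to the DMZ host, one per public address.
rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port 22 -> $hostDevel
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port 22 -> $hostDevel
rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port 22 -> $hostDevel

# Filter rules are evaluated after rdr, so they match the translated
# destination. reply-to records the return interface and gateway in the
# state, so the replies from $hostDevel go back out the link the
# connection came in on instead of the default route. DSL3 is the
# default route, so its rule needs no reply-to.
pass in on $ifDSL1 reply-to ($ifDSL1 $gwDSL1) proto tcp from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL3 proto tcp from any to $hostDevel port 22 flags S/SA keep state

# The redirected packet still has to be allowed out towards the DMZ.
pass out on $ifInt proto tcp from any to $hostDevel port 22 keep state
```

To confirm which path a session takes, load the rules with `pfctl -f /etc/pf.conf` and then compare `pfctl -vss` (the state entries show the route-to/reply-to interface and gateway recorded for each state) with what `tcpdump -ni rl1`, `rl2` and `rl3` show while connecting to each public address from outside; a reply leaving on an interface other than the one the SYN arrived on is the symptom the reply-to rules are meant to remove.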
More information about the freebsd-pf mailing list