NetBSD-Users archive
Re: pf question
On Sat, 18 May 2013 13:42:47 +0200
Konrad Neuwirth <konrad%mailathome.or.at@localhost> wrote:
> Hello, 
> 
> we are currently struggling with a pf configuration that we can't
> seem to get working. 
> 
> Basically, the challenge is that we have a NetBSD system acting as a
> router for a largish network. Said system has two upstream nodes
> ('default routes') that apply, depending on the ip address that we
> use. Basically, we have one broadband connection that should be used
> for most every (outgoing) traffic. The exception is that the second
> upstream handles a subnet that we have here, and all traffic to and
> from those addresses should, of course, be going over that second
> link. 
> 
> What we've done is added the broadband as the default route, and then
> had a pf rule to the effect of: 
> 
> pass out route-to ($ext_if_dsl $dsl_gw) proto tcp \
>       from $fixed_ip to any
> 
> But this does not work -- the packets just do not go out over the
> appropriate interface. Connecting to something on one of those IP
> numbers just … has a connection that times out. 
> 
> What am I missing? What do we need to do? 
I haven't tried this yet with NetBSD but this is how I did something
similar when I used OpenBSD. The OpenBSD version I used was 5.0. Bear
in mind that there were substantial changes to PF syntax around OpenBSD
version 4.7, and as far as I know the NetBSD pf syntax corresponds with
the older versions. The "route-to" option is certainly different, but
perhaps you will still find this reply helpful.
My situation differs from yours in that I had just one internal subnet
and two WAN providers, and all I needed to do on the second WAN link
was to connect from a single LAN host to a single remote host for a
scheduled FTP download.
First of all I defined the default gateway in OpenBSD's /etc/mygate as
usual. Then I added the second gateway to /etc/rc.local
# 123.123.456.xxx is remote FTP server which can be accessed only
# through second upstream provider
# 123.456.789.xxx is second WAN gw
#
route add -host 123.123.456.xxx 123.456.789.xxx
In pf.conf I had the following (irrelevant parts snipped):
# network interfaces
if_wan1 = "fxp0"
if_wan2 = "xl0"
if_lan = "xl1"
if_lo = "lo0"
# gateways
gw_wan1 = "xxx.xxx.xxx.113"
gw_wan2 = "123.456.789.xxx"
# networks
net_lan = "192.168.1.0/24"
# hosts
remote_ftp_host = "123.123.456.xxx"
...
# scrubbing
match on $if_wan1 scrub (random-id reassemble tcp max-mss 1440)
match on $if_wan2 scrub (random-id reassemble tcp max-mss 1440)
# nat
match out on $if_wan1 from $net_lan to any \
        nat-to ($if_wan1) port 1024:65535
match out on $if_wan2 from $net_lan to any \
        nat-to ($if_wan2) port 1024:65535 
...
# filtering
pass out
pass in on $if_lan
pass in on $if_lan inet proto tcp from any to $remote_ftp_host \
        port ftp route-to ($if_wan2 $gw_wan2)
-- 
Gerard Lally
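The same pattern as the reply above, written for the questioner's two-upstream case in the pre-4.7 pf grammar the reply says NetBSD's pf still uses. This is an added example, not configuration posted in the thread; the interface names (wm0/wm1/wm2), the gateway, the prefixes and the use of quick and reply-to are all assumptions.

```conf
# Added example (not from the thread). Pre-4.7 pf grammar, with the
# routing option placed before the address specification. Every name,
# address and prefix below is an assumed placeholder.
ext_if_bb  = "wm0"             # broadband link, carries the default route
ext_if_dsl = "wm1"             # second upstream that serves the fixed subnet
int_if     = "wm2"             # LAN side
dsl_gw     = "192.0.2.1"       # next hop on the DSL link (assumed)
fixed_net  = "198.51.100.0/28" # routed subnet reachable only via DSL (assumed)
lan_net    = "10.0.0.0/16"     # everything else, translated out the broadband link

set skip on lo0
scrub in all

# Only the ordinary LAN range is NATed; $fixed_net is routed, not translated.
nat on $ext_if_bb from $lan_net to any -> ($ext_if_bb)

block in log all
pass out keep state

# As in the reply above, route-to sits on the rule that passes the packet
# in on the LAN interface, so the policy decision is taken before the
# routing table picks the default egress. With last-match-wins evaluation,
# quick keeps a later, broader pass rule from overriding it.
pass in quick on $int_if route-to ($ext_if_dsl $dsl_gw) \
        from $fixed_net to any keep state

# Connections that arrive over the DSL link for $fixed_net: reply-to pins
# the return path to that link so replies do not leave via the default route.
pass in quick on $ext_if_dsl reply-to ($ext_if_dsl $dsl_gw) \
        from any to $fixed_net keep state

# Anything still leaving the broadband interface with a $fixed_net source
# (for example traffic generated on the router itself) is pushed to the DSL gateway.
pass out quick on $ext_if_bb route-to ($ext_if_dsl $dsl_gw) \
        from $fixed_net to any keep state

pass in on $int_if from $lan_net to any keep state
```

Check the file with pfctl -nf before loading it, and confirm the expected path with pfctl -ss (state table) or tcpdump on $ext_if_dsl while connecting from a $fixed_net host.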