Date:      Tue, 16 Nov 2004 13:08:22 +0100
From:      Łukasz Dudek <mocart@pinco.pl>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf multipath nat
Message-ID:  <20041116120822.GC15288@dorbja.pinco.pl>
In-Reply-To: <20041109131334.GA63180@dorbja.pinco.pl>
References:  <20041108143059.GA54873@dorbja.pinco.pl> <200411081621.46313.max@love2party.net> <20041109131334.GA63180@dorbja.pinco.pl>

On Tue, Nov 09, 2004 at 02:13:34 +0100, Łukasz Dudek wrote:
> On Mon, Nov 08, 2004 at 04:21:39 +0100, Max Laier wrote:
> > On Monday 08 November 2004 15:30, Łukasz Dudek wrote:
> > > I've tried to configure multipath NAT using a RELENG_5 box
> > > (when it was current, and now that it has become stable)
> > >

This is the full ruleset:
> 
> 
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="fxp0"
> ext_if2="fxp2"
> int_if="fxp1"	# replace with actual internal interface name i.e., dc1
> internal_net="192.168.0.1/23"
> external_addr="10.53.28.234"
> gateway="10.53.28.233"
> gateway2="10.10.8.1"
> 
> scrub in all
> 
> nat on $ext_if from $internal_net to any -> ($ext_if)
> nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> 
> rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1100 -> 192.168.0.2 port 1100
> rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1101 -> 192.168.0.2 port 1101
> rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4664 -> 192.168.0.2 port 4664
> rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4666 -> 192.168.0.4 port 4666
> rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4670 -> 192.168.1.4 port 4670
> 
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> 
> no rdr on { lo0, lo1 } from any to any
> 
> pass in all
> pass out all
> 
> block in all
> 
> pass  in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> pass  in on $ext_if2 inet proto tcp from any to $ext_if2 user proxy keep state
> 
> pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 25 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 80 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 110 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 443 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 465 keep state
> pass  in  on $ext_if proto tcp from any to $ext_if port 995 keep state
> 
> pass  in  on $ext_if proto udp from any to $ext_if port 53 keep state
> 
> pass  out on $ext_if proto { tcp, udp, icmp } all keep state
> pass  out on $ext_if2 proto { tcp, udp, icmp } all keep state
> 
> 
> pass  in  quick on $int_if proto udp from $internal_net to 192.168.0.1 port 53 keep state
> 
> pass  in on $int_if proto { tcp, udp, icmp } all keep state
> pass  out on $int_if proto { tcp, udp, icmp } all keep state
> 
> pass  in  on lo0 proto { tcp, udp, icmp } all keep state
> pass  out on lo0 proto { tcp, udp, icmp } all keep state
> 
> pass in on $int_if \
>        route-to { ( $ext_if $gateway), ( $ext_if2 $gateway2 ) } round-robin \
>        from $internal_net to any keep state
> 
> pass out on $ext_if2 route-to ($ext_if $gateway) from $ext_if to any
> pass out on $ext_if route-to ($ext_if2 $gateway2) from $ext_if2 to any
> 
> > 
> > 
> > Are you *sure* that you had debug.mpsafenet=0 in the end? You know that it is 
> > only changeable during the loader and *not* in the live system?
> > 
> 
> Yes, I'm sure; /boot/loader.conf is the place where I keep such tunables.
> 

Can I provide any more information, or is there anything I can do to help
resolve this issue? Has anyone been able to reproduce this behaviour? I
would really like to utilize the second link using a FreeBSD box; moving
every service from FreeBSD to OpenBSD would mean a performance loss and
service and network downtime. Without the second link configured, this box
is 100% stable.

Regards,
Lukasz Dudek
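Added example, not part of this thread or of the FreeBSD project: a POSIX shell check that reads a loader tunable such as debug.mpsafenet from a loader.conf-style file and compares it with what the running kernel reports, since the tunable only takes effect from the loader and not from the live system. The sample file is constructed and the helper names are my own.

```shell
#!/bin/sh
# Added example: verify that a loader-time tunable in loader.conf matches
# the value the running kernel actually reports. A mismatch means the
# kernel is still running with the old value (the change needs a reboot).

# Print the value assigned to key $2 in file $1, with comments and quotes
# stripped. Later assignments override earlier ones, as in loader.conf.
loader_conf_value() {
    file=$1; key=$2
    sed -e 's/#.*$//' "$file" |
        awk -F= -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
            $1 == k { v = $2 }
            END {
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                gsub(/^"|"$/, "", v)
                print v
            }'
}

# Succeed only if the loader.conf value equals the live value. The live
# value is $3 when given; otherwise it is read with sysctl when available.
check_tunable() {
    file=$1; key=$2; live=$3
    want=$(loader_conf_value "$file" "$key")
    if [ -z "$live" ] && command -v sysctl >/dev/null 2>&1; then
        live=$(sysctl -n "$key" 2>/dev/null)
    fi
    [ -n "$want" ] && [ "$want" = "$live" ]
}

# Constructed sample standing in for /boot/loader.conf (not a real file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample loader.conf
kern.ipc.nmbclusters="32768"
debug.mpsafenet="1"    # earlier setting
debug.mpsafenet="0"    # overrides the line above
EOF

if check_tunable "$sample" debug.mpsafenet; then
    echo "debug.mpsafenet: loader.conf and running kernel agree"
else
    echo "debug.mpsafenet: running kernel differs from loader.conf (reboot needed?)"
fi
```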



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041116120822.GC15288>