From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 22:07:52 2004
Message-ID: <20041130220750.75198.qmail@web52202.mail.yahoo.com>
Date: Tue, 30 Nov 2004 14:07:50 -0800 (PST)
From: Robert M
To: Claudiu Dragalia-Paraipan
Cc: freebsd-pf@freebsd.org
In-Reply-To: <41ACC3AE.4020309@gmail.com>
Subject: Re: 3 gateways problem
List-Id: Technical discussion and general questions about packet filter (pf)

Hi,

Thank you for your reply. I have read the manual before. I did try adding the following lines to the end of my pf.conf file, but this didn't help.

---
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifLimes to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
----

Maybe I misunderstood the 'meaning' of these rules? I'm suspecting a "bug" in pf.conf file :-(

PS. Do you know any website where I can learn about advanced pf/altq networking? I would like to simply limit internet speed to 256Kbit/s with priq in each queue to every user on my 2Mbit line.

Thank you!

Regards,
-- Robert

--- Claudiu Dragalia-Paraipan wrote:

> Hi,
>
> maybe this helps you. It is a part of the PF FAQ that you can find at
> http://www.openbsd.org/faq/pf/
>
> ---------- http://cvs.openbsd.org/faq/pf/pools.html
> ...
> To ensure that packets with a source address belonging to $ext_if1 are
> always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
> following two lines should be included in the ruleset:
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
>    to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
>    to any
>
> Finally, NAT can also be used on each outgoing interface:
>
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> ...
> ----------
>
> Robert M wrote:
> > Hello,
> >
> > I have a problem with source routing via 3 gateways.
> >
> > All I need, is to be able to get in to my local machine
> > via 'rdr' rule.
> >
> > All connections are routed via firewall box
> > with 4 ethernet cards.
> >
> > I don't want this done via 'binat' rule as I only
> > want to rdr some ports.
> >
> > When telnetting from external host to:
> > 83.16.196.130 port 22 -> I want to be redirected to
> > 192.168.1.1 port 22
> > As well as:
> > 194.110.229.163 port 22 -> 192.168.1.1 22
> >
> > This also can be done by adding a new eg. 192.168.1.2
> > IP to my local machine, but it requires daemon binding
> > setting changes.. so I'd rather not.
> >
> > The problem is that 1/2 connections are established
> > properly.
> >
> > I assume it's a problem with rule:
> > pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } \
> >    from 192.168.1.1 to ! $netLocal keep state
> >
> > where system doesn't know, which gateway should be used
> > for return packet.
> >
> > Below is my pf.conf (sorry it's messy a little).
> >
> > OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004
> >     root@fw:/usr/obj/usr/src/sys/TUNED i386
> >
> > Thank you!
> >
> > Regards,
> > Robert
> >
> > ------- pf.conf -----
> > # vars
> > ifInt="rl0"
> > ifDSL1="rl1"
> > ifDSL2="rl2"
> > ifDSL3="rl3"
> >
> > exLocal="192.168.0.3"
> > exDSL3="194.110.229.164"
> > robertLocal="192.168.0.4"
> > robertDSL3="194.110.229.165"
> > develDSL3="194.110.229.163"
> > fwDSL3="194.110.229.162"
> >
> > ## networks
> > netDSL1="83.16.196.120/29"    # dsl1
> > gwDSL1="83.16.196.121"        # gw
> >
> > netDSL2="83.16.196.128/29"    # dsl2
> > gwDSL2="83.16.196.129"        # gw
> >
> > netPSN="192.168.0.0/24"       # Private Service Network (
> >
> > netDMZ="192.168.1.0/24"       # Demilitarized Zone (hostDevel)
> > hostDevel="192.168.1.1"       # devel
> > netLocal="192.168.0.0/16"     # psn+dmz
> >
> > netDSL3="194.110.229.160/27"  # DSL3
> > gwDSL3="194.110.229.161"      # gw
> >
> > ## altq
> > altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
> > queue q1pri priority 7
> > queue q1ssh priority 5
> > queue q1def priority 1 priq(default)
> >
> > altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
> > queue q2pri priority 7
> > queue q2ssh priority 5
> > queue q2def priority 1 priq(default)
> >
> > altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
> > queue q3pri priority 7
> > queue q3ssh priority 5
> > queue q3def priority 1 priq(default)
> >
> > ## nat 1:n (output)
> > nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122      # dsl1
> > nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130     # dsl2
> > nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
> > nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162    # DSL3
> > nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3       # devel(DSL3)
> >
> > ## nat 1:1 (input)
> > # devel
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.123 \
> >    port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 \
> >    port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> > rdr on $ifDSL3 proto tcp from any to 194.110.229.163 \
> >    port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> >
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
> > rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 \
> >    port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
> >
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
> > rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> > rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> > rdr on $ifDSL1 proto tcp from any to 83.16.196.122
> === message truncated ===
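The FAQ excerpt quoted in the thread gives the two-gateway case; the generalisation to N external links is one `pass out ... route-to` rule per ordered pair of interfaces, n(n-1) rules in all. As an added example (not code from the thread or from the PF project), the Python below generates that full set for the macro names defined in the posted pf.conf and checks a rule block against it, reporting rules that are missing and rules that reference a macro not defined in the vars section or route an interface to the wrong gateway; the rule block embedded in it is a copy of the six lines posted above.

```python
"""Added example (not from the thread): generate the symmetric route-to rules for
N external links (one per ordered pair of interfaces, n(n-1) in all; the PF FAQ
shows n=2) and check a posted rule block against that set."""
import re

# Interface/gateway macro names from the vars section of the posted pf.conf.
LINKS = [("ifDSL1", "gwDSL1"), ("ifDSL2", "gwDSL2"), ("ifDSL3", "gwDSL3")]

# The six lines Robert appended to his pf.conf, copied from the message above.
POSTED = """
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifLimes to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
"""

RULE_RE = re.compile(
    r"pass out on \$(\w+) route-to \(\$(\w+) \$(\w+)\) from \$(\w+) to any")

def expected_rules(links):
    """All n*(n-1) reply-routing rules for a list of (if_macro, gw_macro) pairs."""
    return [f"pass out on ${out_if} route-to (${src_if} ${gw}) from ${src_if} to any"
            for out_if, _ in links for src_if, gw in links if src_if != out_if]

def check_rules(text, links):
    """Return (missing, bad): expected rules absent from text, and rules in text
    that use an undefined macro or route a source interface to the wrong gateway."""
    defined = {m for pair in links for m in pair}
    gw_of = dict(links)
    seen, bad = set(), []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue                      # not a route-to rule; ignore
        out_if, rt_if, rt_gw, src_if = m.groups()
        if (not {out_if, rt_if, rt_gw, src_if} <= defined
                or rt_if != src_if or gw_of.get(rt_if) != rt_gw):
            bad.append(line.strip())
        else:
            seen.add(line.strip())
    missing = [r for r in expected_rules(links) if r not in seen]
    return missing, bad

if __name__ == "__main__":
    missing, bad = check_rules(POSTED, LINKS)
    print("missing:", *missing, sep="\n  ")
    print("rejected:", *bad, sep="\n  ")
```

Run against the posted block it reports the `$ifLimes` line as referencing an undefined macro and the `$ifDSL2` to `$ifDSL3` rule as missing; these rules only steer locally sourced traffic, so the return path for connections that arrived through an `rdr` rule is a separate question.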