Date: Wed, 22 Dec 2004 14:12:00 -0500
From: "Paul J. Pathiakis" <pathiaki@pathiaki.com>
To: freebsd-pf@freebsd.org
Subject: Does the outgoing balance example work?
Message-ID: <200412221412.00770.pathiaki@pathiaki.com>
Hi,

I'm trying to get pf to load balance outgoing on two outbound lines (cable and DSL). My pf.conf is based on the example from the pf FAQ at www.openbsd.org. I've changed parameters to match my machine and I still can't get it to load balance outgoing connections on my machine.

As soon as I enable the route-to rules for balancing, my web browser stops working and quite a few other utilities stop working. It connects to the site but the response never comes back.

Is it possible that nat isn't working correctly? Is it possible that the return addresses aren't getting correctly set? How do I troubleshoot this?

The example (below) seems pretty straightforward. I've enabled my pflog (made sure every filter is logging). I can check states with pfctl commands. I just can't see what's wrong. Is there anything that I'm missing? (Please note that I changed the "default block all" to pass in all and pass out all.)

thanks!

Paul P.

lan_net = "192.168.0.0/24"
int_if = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# default deny
#block in from any to any
#block out from any to any
pass in from any to any
pass out from any to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
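One way to narrow down the "connects but the reply never comes back" symptom with the pfctl state table, as an added troubleshooting helper that is not part of the original post: it tallies TCP states per interface from `pfctl -ss` output and flags an uplink whose states all sit in SYN_SENT:CLOSED (our SYN left, but no matching SYN-ACK was ever seen by that state). It assumes the first field of each state line is the interface name (or "self"/"all") and the last field is pf's src:dst TCP state pair; the sample state lines are constructed, with documentation addresses for the uplinks and destinations.

```shell
#!/bin/sh
# Added helper (not from the original post): summarise `pfctl -ss` output so a
# two-uplink route-to setup can be checked for handshakes that never complete.
# Assumption: field 1 = interface (or self/all), field 2 = protocol,
# last field = pf's "src:dst" TCP state pair, e.g. ESTABLISHED:ESTABLISHED.

# Reads state lines on stdin; prints "<iface> <tcp_states> <half_open>" per interface.
tcp_state_summary() {
    awk '$2 == "tcp" {
        iface = $1; pair = $NF
        total[iface]++
        # SYN went out, no SYN-ACK ever matched this state: the reply never came back
        if (pair == "SYN_SENT:CLOSED") half[iface]++
    }
    END {
        for (i in total)
            printf "%s %d %d\n", i, total[i], half[i] + 0
    }' | sort
}

# Prints the interfaces on which every TCP state is half-open.
stuck_interfaces() {
    tcp_state_summary | awk '$2 > 0 && $2 == $3 { print $1 }'
}

# Constructed sample of `pfctl -ss` output: one healthy state on fxp0,
# two half-open states on fxp1, one UDP state that must be ignored.
SAMPLE_STATES='fxp0 tcp 192.168.0.10:40001 -> 198.51.100.5:51001 -> 203.0.113.10:80    ESTABLISHED:ESTABLISHED
fxp1 tcp 192.168.0.10:40002 -> 192.0.2.5:51002 -> 203.0.113.11:80       SYN_SENT:CLOSED
fxp1 tcp 192.168.0.11:40003 -> 192.0.2.5:51003 -> 203.0.113.12:443      SYN_SENT:CLOSED
fxp0 udp 192.168.0.10:53001 -> 198.51.100.5:51004 -> 203.0.113.53:53    SINGLE:MULTIPLE'

# Run on the sample; on the real box use: pfctl -ss | tcp_state_summary
printf '%s\n' "$SAMPLE_STATES" | tcp_state_summary
printf '%s\n' "$SAMPLE_STATES" | stuck_interfaces
```

An uplink that only ever shows SYN_SENT:CLOSED while the other shows ESTABLISHED:ESTABLISHED points at replies for that uplink not reaching the state that created them, which is where pflog on the external interfaces is worth reading next.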