Date: Thu, 23 Dec 2004 12:28:05 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: Does the outgoing balance example work?
Message-ID: <200412231228.20068.max@love2party.net>
In-Reply-To: <200412221420.40575.pathiaki@pathiaki.com>
References: <200412221412.00770.pathiaki@pathiaki.com> <200412221420.40575.pathiaki@pathiaki.com>

On Wednesday 22 December 2004 20:20, Paul J. Pathiakis wrote:
> BTW, I should mention that this is load balancing.  According to my logs,
> traffic is going out both interfaces.... it's just not coming back.

Can you provide me (off-list if you prefer) with some tcpdump logs from both
outgoing interfaces? The output of $pfctl -vvsr and $pfctl -vvsn would also
be interesting.

> P.
>
> On Wednesday 22 December 2004 14:12, Paul J. Pathiakis wrote:
> > Hi,
> >
> > I'm trying to get pf to load balance outgoing on two outbound lines
> > (cable and dsl).  My pf.conf is based on the example from the pf faq at
> > www.openbsd.org.  I've changed parameters to match my machine and I still
> > can't get it to load balance outgoing connections on my machine.  As soon
> > as I enable the route-to rules for balancing, my web browser stops
> > working and quite a few other utilities stop working.  It connects to the
> > site but the response never comes back.  Is it possible that nat isn't
> > working correctly?  Is it possible that the return addresses aren't
> > getting correctly set?  How do I troubleshoot this? The example (below)
> > seems pretty straightforward.  I've enabled my pflog (made sure every
> > filter is logging).
> > I can check states with pfctl commands.  I just can't see what's wrong.
> > Is there anything that I'm missing (Please note that I changed the
> > "default block all" to pass in all and pass out all.)
> >
> > thanks!
> >
> > Paul P.
> >
> > lan_net = "192.168.0.0/24"
> > int_if  = "dc0"
> > ext_if1 = "fxp0"
> > ext_if2 = "fxp1"
> > ext_gw1 = "68.146.224.1"
> > ext_gw2 = "142.59.76.1"
> >
> > #  nat outgoing connections on each internet interface
> > nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> > nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> >
> > #  default deny
> > #block in  from any to any
> > #block out from any to any
> > pass in from any to any
> > pass out from any to any
> >
> > #  pass all outgoing packets on internal interface
> > pass out on $int_if from any to $lan_net
> >
> > #  pass in quick any packets destined for the gateway itself
> > pass in quick on $int_if from $lan_net to $int_if
> >
> > #  load balance outgoing tcp traffic from internal network.
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any flags S/SA modulate state
> > #  load balance outgoing udp and icmp traffic from internal network
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto { udp, icmp } from $lan_net to any keep state
> >
> > #  general "pass out" rules for external interfaces
> > pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> > pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> > pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> > pass out on $ext_if2 proto { udp, icmp } from any to any keep state
> >
> > #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> > #  $ext_if2 and $ext_gw2
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> >
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News