From: Jed Gainer <jedgainer@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 19 Oct 2009 08:48:03 -0700
Message-ID: <36b1f3e60910190848h382cde04l104f2a9f466af3fa@mail.gmail.com>
Subject: PF - load balancing outgoing connections

I wanted to set up a machine as my LAN gateway and have it load balance over multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I chose FreeBSD as the machine's OS. After getting it up and running, and acting as a gateway just using one WAN via

# macros
wan1="nfe0"
lan1="rl0"
pc1="10.0.0.2"
xb1="10.0.0.3"

# options
#set block-policy return
#set loginterface $wan1
set skip on lo0

# scrub
scrub in

# nat/rdr
nat on $wan1 from !($wan1) -> ($wan1:0) static-port

# uTorrent
rdr on $wan1 proto tcp from any to any port 41016 -> $pc1

# Xbox Live
rdr on $wan1 proto {tcp, udp} from any to any port 3074 -> $xb1

I decided to try the load balancing and came up with quite a few different pf.confs that did not work; my LAN just lost all connectivity when I loaded them.

lan1r = "10.0.0.0/24"
lan1 = "rl0"
wan1 = "nfe0"
wan2 = "rl1"
gw1 = "10.0.1.2"
gw2 = "10.0.2.2"

# nat outgoing connections on each internet interface
nat on $wan1 from $lan1r to any -> ($wan1) #static-port
nat on $wan2 from $lan1r to any -> ($wan2) #static-port

# default deny
block in from any to any
block out from any to any

# pass all outgoing packets on internal interface
pass out on $lan1 from any to $lan1r

# pass in quick any packets destined for the gateway itself
pass in quick on $lan1 from $lan1r to $lan1

# load balance outgoing tcp traffic from internal network.
pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto tcp from $lan1r to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $lan1 route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin proto { udp, icmp } from $lan1r to any keep state

# general "pass out" rules for external interfaces
pass out on $wan1 proto tcp from any to any flags S/SA modulate state
pass out on $wan1 proto { udp, icmp } from any to any keep state
pass out on $wan2 proto tcp from any to any flags S/SA modulate state
pass out on $wan2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
pass out on $wan1 route-to ($wan2 $gw2) from $wan2 to any
pass out on $wan2 route-to ($wan1 $gw1) from $wan1 to any

... and ...

lan = rl0
wan1 = nfe0
wan2 = rl1
wan1_gw = 173.183.32.254
wan2_gw = 10.0.1.2

nat on $wan1 from any to any -> ($wan1)
nat on $wan2 from any to any -> ($wan2)

pass in quick on $lan route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } \
    round-robin inet from ($lan:network) to any flags S/SA keep state

Neither of the above worked, nor did the many other attempts I made. No errors are reported when I `pfctl -f /etc/pf.lb.conf`, and my LAN loses internet connectivity. Does anyone see the problem? I can ping Google fine using either WAN as default route, so it has to be my PF conf. I am at the point where I will pay someone to get it working!

--
~ Jed Gainer
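As an added diagnostic example (not from the original post, and not a fix for the rulesets above), the following sh helper tallies `pfctl -s state` entries per interface so you can see whether new connections are really being spread over both WANs after a round-robin route-to ruleset is loaded. It assumes the first field of each `pfctl -s state` line is the interface the state is bound to, with floating states listed as `all`; the interface names nfe0, rl1 and rl0 are the poster's macros, and the sample state lines are constructed, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not part of the original post: tally pf state entries per
# interface to check whether connections are being spread over both WANs.
#
# Real use on the gateway:   pfctl -s state | tally_states
# Assumption: the first field of each `pfctl -s state` line is the interface
# the state is bound to, and floating (non-interface-bound) states show as
# "all". Everything else on the line is ignored.

# Print "ifname count" for every interface (and the "all" bucket) read from stdin.
tally_states() {
    awk '
        # an interface name is letters followed by a unit number (nfe0, rl1)
        $1 ~ /^[a-z]+[0-9]+$/ || $1 == "all" { n[$1]++ }
        END { for (i in n) printf "%s %d\n", i, n[i] }
    ' | sort
}

# Print the number of states in one bucket (0 if none), e.g.
#   pfctl -s state | count_if rl1
count_if() {
    tally_states | awk -v want="$1" '
        $1 == want { print $2; found = 1 }
        END { if (!found) print 0 }
    '
}

# Constructed sample in the shape of `pfctl -s state` output (not captured
# from a real system): two TCP sessions from LAN host 10.0.0.2 translated out
# of nfe0 and rl1 respectively, a DNS lookup out of nfe0, and one floating
# state. Addresses 173.183.32.10 (wan1) and 10.0.2.5 (wan2) are made up.
SAMPLE_STATES='nfe0 tcp 173.183.32.10:54001 (10.0.0.2:50412) -> 74.125.67.100:80       ESTABLISHED:ESTABLISHED
rl1 tcp 10.0.2.5:54002 (10.0.0.2:50413) -> 74.125.67.100:80       ESTABLISHED:ESTABLISHED
nfe0 udp 173.183.32.10:54003 (10.0.0.2:50414) -> 8.8.8.8:53       MULTIPLE:SINGLE
all tcp 10.0.0.2:50412 -> 74.125.67.100:80       ESTABLISHED:ESTABLISHED'

# Prints: all 1 / nfe0 2 / rl1 1 for the sample above. A tally that only ever
# grows on one WAN, or that shows no WAN-side states at all while LAN hosts
# cannot reach the internet, narrows the search to the route-to and nat rules.
printf '%s\n' "$SAMPLE_STATES" | tally_states
```

If every line comes back as `all`, pf is keeping floating states (the default); add `set state-policy if-bound` to pf.conf if you want each state bound to the interface it was created on, which makes the per-WAN split visible in this tally.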