Hi everyone, I'm running an OpenBSD 3.8-stable nat gateway in an environment with multiple uplinks. pf is configured to load balance outgoing traffic originating from my internal lan. My pf.conf is attached at the very end.
The only unusual feature in my setup is that all my uplink gateways are reachable through a single $ext_if. $ext_if is assigned multiple IPs, one for each subnet the uplink gateways are on. Some unwarranted ascii art:

                     ===============
                     |             |
  $int_if        ----| OBSD NAT GW |----    $ext_if
  192.168.50.1/24    |             |        192.168.2.2/24, gateway  192.168.2.1
                     ===============        192.168.3.2/24, gateway2 192.168.3.1

Default route is through 192.168.2.1. gateway2 is used only by pf. Please note that I've used 192.168.x.x IPs to protect the innocent.

The setup works perfectly for connections originating from the internal lan. But I'm unable to load balance connections that originate from the nat gateway itself. This hurts bad because I'm unable to make ftp-proxy load balance its connections, and it always ends up using the default gateway (192.168.2.1). If the default gateway (192.168.2.1) uplink fails, then ftp-proxy stops working. Changing the kernel's default route to gateway2 gets it going again.

1. Can someone please help me load balance ftp-proxy connections?

2. For connections that originate from the nat box itself, how can I override the kernel's default route and choose gateway2 as the gateway? I need this for testing availability of the uplinks. I've tried pf rules along the lines of:

   pass out $ext_if route-to gateway2 ... user foo

but that did not get me very far. Can someone please help?
My pf.conf is below:
--------------------------------------------------------
lan_net = "192.168.50.0/24"
lo_if = "lo0"
int_if = "rl0"
# ext_if is assigned multiple IPs 192.168.2.2/24, 192.168.3.2/24
ext_if = "rl1"

# External gateways
table <ext_gws> persist { 192.168.2.1 192.168.3.1 }

# hygiene
scrub in on $ext_if fragment reassemble
scrub out on $ext_if random-id

# allow everything over loopback
set skip on $lo_if

# nat outgoing connections on all external IPs
nat on $ext_if from $lan_net to any -> ($ext_if)

# FTP part 1
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# default block
block return all

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance all outgoing traffic from internal network
pass in on $int_if route-to ($ext_if <ext_gws>) round-robin \
    from $lan_net to any keep state

# load balance outgoing tcp traffic from internal network
pass in on $int_if route-to ($ext_if <ext_gws>) round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# FTP part 2
pass in on $ext_if proto tcp from port ftp-data to ($ext_if) \
    user proxy flags S/SA keep state

# general "pass out" rules for external interfaces
pass out on $ext_if from any to any keep state
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
--------------------------------------------------------

- Raja
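An added pf.conf fragment for the second question, the one about steering the gateway's own connections past the kernel default route. It is not part of Raja's ruleset and not from the OpenBSD documentation; it adapts the source-address-keyed route-to pattern from the multi-uplink pf FAQ recipe to Raja's single-$ext_if layout, with the addresses taken from the post. The macro names (ext_ip2, ext_gw2) are assumptions, and the behaviour on 3.8 is not verified here.

```pf
# Added example, not part of Raja's ruleset. Steer packets that the
# gateway itself originates by their SOURCE address instead of by the
# kernel's default route. Addresses follow the post: 192.168.2.2 is the
# primary address on $ext_if (default route via 192.168.2.1), 192.168.3.2
# is the secondary address whose uplink is gateway2 at 192.168.3.1.
ext_if  = "rl1"
ext_ip2 = "192.168.3.2"   # assumed macro name
ext_gw2 = "192.168.3.1"   # assumed macro name

# Anything leaving $ext_if with the second uplink's address as source is
# handed to gateway2 directly. "quick" matters: pf is last-match-wins and
# the catch-all "pass out on $ext_if ... keep state" rules further down in
# Raja's ruleset carry no route-to, so without "quick" they would win.
pass out quick on $ext_if route-to ($ext_if $ext_gw2) \
    from $ext_ip2 to any keep state
pass out quick on $ext_if route-to ($ext_if $ext_gw2) \
    proto tcp from $ext_ip2 to any flags S/SA modulate state

# Locally originated packets that still carry 192.168.2.2 as source are
# left alone: they follow the kernel default route through 192.168.2.1,
# so replies return over the same uplink they left on.
```

The caveat a practitioner will hit immediately: route-to only picks the next hop, it does not rewrite the source address, and the kernel picks the primary address 192.168.2.2 for any socket that does not bind explicitly. The steering above therefore only engages when the originating program binds to 192.168.3.2. For availability probes that is `ping -I 192.168.3.2 <host>` (OpenBSD ping's source-address option, assumed to be present on 3.8); for the pre-3.9 inetd-style ftp-proxy it is the `-a address` option in its inetd.conf line, which to my recollection sets the source address of the proxy's outgoing connections. This gives a fixed per-address assignment, not round-robin: a locally originated connection cannot be spread across both gateways by route-to alone, because its source address would not follow the chosen gateway and the replies would come back over the other uplink.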