Hi, forgot the subject last time.
I have some trouble getting my Internet connection working with two ISPs. I have been fiddling around with that for a week and do not get it to work. I have one DSL connection with a dynamic IP and one cable connection with a static IP. I want to configure the Internet connection this way:

1. I want to have everything from the internal LAN going out via the faster DSL line, apart from some exceptions
2. the exceptions that need a static IP as source IP have to go out via the cable network
3. traffic from the DMZ to the Internet shall leave the firewall via the static cable interface
4. traffic to services in the DMZ will arrive at the static cable IP and shall be redirected into the DMZ; replies shall go out via the cable interface

The configuration:

a) The DSL modem is configured to do the whole DSL handshaking and is configured to do NAT for us
b) The default route of the firewall via the DSL line points to the DSL modem
c) Static routes are defined for point 2. in the routing table to have the next hop at 200.200.200.1
d) there are generally two firewalls working together with CARP, but for the tests the slave was shut down to eliminate possible interferences

    GateCable: 200.200.200.1           GateDSL: 192.168.255.1
            |Cable Static IP                 |DSL Dynamic IP
            |200.200.200.2                   |192.168.255.2
            |em0                             |em1
      ________________________________
     |                                |
     |           Firewall             |------------ DMZ 10.0.0.1
     |                                |em2
     |________________________________|
            |em3
            |Internal LAN
            |10.1.1.1

things that work:

Point 1. and 2. are working, internal users surf via the DSL line, only specially treated IPs where the special route is defined leave the network via the cable IP address

things that do not (yet) work:

obviously point 3. and 4.
To test point 3, I have the following test pf ruleset:

    # the physical interfaces of the carp devices
    cable_dev="em0"
    dsl_dev="em1"
    dmz_dev="em2"
    int_dev="em3"
    pfsync_dev="bge0"
    # the carp devices themselves
    ext_if="carp0"
    dsl_if="carp1"
    dmz_if="carp2"
    int_if="carp3"

    # the DMZ network
    dmz_net="10.10.10.0/24"

    # the gateways for the Internet upstreams
    dsl_gate="192.168.255.1"
    cable_gate="200.200.200.1"

    set skip on { lo }
    set loginterface $dsl_dev
    set block-policy return

    scrub in all

    # DMZ -> Internet is translated on the physical cable interface
    # to the cable-side carp address
    nat pass on $cable_dev from $dmz_net -> ($ext_if:0)

    block in log all
    pass out log all

    # allow carp and pfsync flow
    pass quick on $pfsync_dev proto pfsync
    pass quick on { $cable_dev $dsl_dev $dmz_dev $int_dev } proto carp keep state

    # force DMZ traffic out through the cable gateway instead of the default route
    pass in log on $dmz_dev route-to ( $cable_dev $cable_gate ) from $dmz_net to any keep state

This is the tcpdump on em0 (the external cable interface):

    08:36:41.464966 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315468867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6350, len 60)
    08:36:44.464174 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315471867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6351, len 60)
    08:36:50.461358 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315477867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6352, len 60)
    08:37:02.455739 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315489867 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6353, len 60)

For me it seems correct: the right interface, the right source (NAT seems to work) and destination address, but I do not see any answers.

Testing point 4. resulted in more or less the same: I see incoming SYN packets on em0, also SYN answers, but that's it, the connection is not establishing. But I think this might have the same cause as point 3.
So, any idea why I do not see any replies to the outgoing SYN packets? If the information provided is not enough, please let me know, I'd like to provide anything that will help to resolve that issue.

kind regards
Sebastian
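For reference, here is a complete ruleset for points 3 and 4 as an added example; it is not Sebastian's ruleset and has not been run on his firewall. It uses the pre-4.7 pf syntax (nat/rdr as separate rules, as in the post), keeps the interface names, networks and gateways from the post, and assumes a constructed DMZ web server at 10.10.10.10 for the point 4 redirect. The two things it shows beyond the posted ruleset are that the nat rule must name the interface the packet actually leaves on, and that the pass rule for redirected inbound traffic needs reply-to, otherwise the DMZ host's SYN-ACK follows the default route out through the DSL modem.

```pf
# Added example, not the original poster's ruleset. Pre-4.7 pf syntax.
# Interface, network and gateway names come from the post; dmz_www is a
# constructed address for the DMZ service of point 4.
cable_dev="em0"
dsl_dev="em1"
dmz_dev="em2"
int_dev="em3"
pfsync_dev="bge0"
ext_if="carp0"                  # cable-side carp address (200.200.200.2)

dmz_net="10.10.10.0/24"
dmz_www="10.10.10.10"           # constructed: web server in the DMZ
dsl_gate="192.168.255.1"
cable_gate="200.200.200.1"

set skip on { lo }
set block-policy return
scrub in all

# Point 3: translation is evaluated on the interface the packet leaves,
# so the rule must name the physical cable interface, not the DSL side.
nat on $cable_dev from $dmz_net to any -> ($ext_if:0)

# Point 4: inbound HTTP to the static cable address is sent into the DMZ.
rdr on $cable_dev proto tcp from any to ($ext_if:0) port 80 -> $dmz_www port 80

block in log all
pass out log all

# CARP and pfsync between the two firewalls
pass quick on $pfsync_dev proto pfsync
pass quick on { $cable_dev $dsl_dev $dmz_dev $int_dev } proto carp keep state

# Point 3: DMZ traffic entering on em2 is forced out via the cable gateway
# instead of the DSL default route; the state created here also matches the
# replies that come back in on em0.
pass in log on $dmz_dev route-to ($cable_dev $cable_gate) \
    from $dmz_net to any keep state

# Point 4: rdr has already rewritten the destination when this rule is
# evaluated, so it matches the DMZ address. reply-to makes pf send the
# DMZ host's SYN-ACK back through the cable gateway rather than through the
# default route, which would leave via the DSL modem with the wrong source.
pass in log on $cable_dev reply-to ($cable_dev $cable_gate) proto tcp \
    from any to $dmz_www port 80 flags S/SA keep state
```

After loading it, `pfctl -s state` should show one state for the DMZ connection with the cable address as the translated source, and a tcpdump on em0 should show the SYN-ACK for point 4 leaving on em0 with 200.200.200.2 as source rather than on em1.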