Jordi Espasa Clofent
Tue, 05 Jan 2010 10:02:08 -0800
// FIRST TRY- make the ADSL "redirection" in bge0 (the internal one, traffic from LAN to Internet) - make the queues in bge1/re0/fxp0 (the externals ones, traffic from Internet to LAN)
##################################
# --- (bge0/LAN) ----OpenBSD box ---- (fxp0/adsl1)
# ---- (bge1/adsl2)
# ---- (re0/adsl3)
#
# 1.Macros
# ISP_1
ext_if1="fxp0"
ext_gw1="217.126.43.2"
# ISP_2
ext_if2="bge1"
ext_gw2="192.168.10.1"
# ISP_3
ext_if3="re0"
ext_gw3="192.168.2.1"
# dept. A
workmate_a="192.168.0.121"
workmate_b="192.168.0.51"
workmate_c="192.168.0.124"
workmate_d="192.168.0.49"
dept_a = "{" $workmate_a $workmate_b $workmate_c $workmate_d "}"
#dept. B
workmate_e="192.168.0.79"
wormate_f="192.168.0.78"
dept_b = "{" $workmate_e $workmate_f"}"
# dept. C
workmate_h="192.168.0.39"
workmate_i="192.168.0.43"
workmate_j="192.168.0.48"
dept_c = "{" $workmate_h $workmate_i $workmate_j "}"
# internal gateway
lan_net="192.168.0.0/24"
int_if="bge0"
int_gw="192.168.0.1"
# another macros
cpd="{ xxx }"
callcenter="xxx"
# 2.Tables
# Not used at present
# 3.Options
set skip on lo
set optimization conservative
set limit states 50000
# 4. Scrub traffic
scrub all
# 5. Queueing
altq on $int_if cbq bandwidth 30Mb queue { zona1, zona2, zona3 }
queue zona1 bandwidth 10Mb { centraeta, cpd1, ssh1, nocpd1 }
queue centraleta bandwidth 50% priority 7 cbq(default)
queue cpd1 bandwidth 25% priority 6 cbq(borrow)
queue ssh1 bandwidth 5% priority 3 cbq
queue nocpd1 bandwidth 20% priority 0 cbq
queue zona2 bandwidth 10Mb { cpd2, ssh2, nocpd2 }
queue cpd2 bandwidth 40% priority 7 cbq
queue ssh2 bandwidth 40% priority 3 cbq(borrow)
queue nocpd2 bandwidth 20% priority 0 cbq
queue zona3 bandwidth 10Mb { cpd3, ssh3, nocpd3 }
queue cpd3 bandwidth 60% priority 7 cbq
queue ssh3 bandwidth 25% priority 3 cbq(borrow)
queue nocpd3 bandwidth 15% priority 0 cbq
# 6. Translation
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
# 7. Filer rules
####### traffic from LAN to INTERNET ########
## from LAN to Internet: INBOUND to bge0 ##
# dept_a using their own ADSL
pass out on $int_if route-to \
($ext_if1 $ext_gw1) \
proto { tcp udp } from $dept_a to any keep state
# dept_b using their own ADSL
pass out on $int_if route-to \
($ext_if2 $ext_gw2) \
proto { tcp udp } from $dept_b to any keep state
# dept_c using their own ADSL
pass out on $int_if route-to \
($ext_if3 $ext_gw3) \
proto { tcp udp } from $dept_c to any keep state
## from LAN to internet: OUTBOUND on bge1/re0/fxp0
pass out on $ext_if1
pass out on $ext_if2
pass out on $ext_if3
###############################
####### traffic from INTERNET to LAN ########
## from Internet to LAN: INBOUND to bge1/re0/fxp0 ##
pass in on $ext_if1
pass in on $ext_if2
pass in on $ext_if3
## from Internet to LAN: OUTBOUND to bge0 ##
### dept_a
pass out quick on $int_if from $callcenter02 \
to $dept_a keep state \
queue centraleta
pass out quick on $int_if proto tcp from $cpd \
to $dept_a port 22 keep state \
queue ssh1
pass out quick on $int_if from $cpd \
to $dept_a keep state \
queue cpd11
pass out on $int_if from any \
to $dept_a keep state \
queue nocpd1
### dept_b
pass out quick on $int_if proto tcp from $cpd \
to $dept_b port 22 keep state \
queue ssh2
pass out quick on $int_if from $cpd \
to $dept_b keep state \
queue cpd2
pass out on $int_if from any \
to $dept_b keep state \
queue nocpd2
### dept_c
pass out quick on $int_if proto tcp from $cpd \
to $dept_c port 22 keep state \
queue ssh3
pass out quick on $int_if from $cpd \
to $dept_a keep state \
queue cpd3
pass out on $int_if from any \
to $dept_c keep state \
queue nocpd3
-----------------------------------------------------------------
It's clean, it's understable... but it doesn't work. Indeed works the
first part: every LAN client uses the correct ADSL out, but queues
doesn't run.
// SECOND TRY- make the ADSL "redirection" and also the queues works in bge0 (the internal one, traffic from LAN to Internet)
##################################
# --- (bge0/LAN) ----OpenBSD box ---- (fxp0/adsl1)
# ---- (bge1/adsl2)
# ---- (re0/adsl3)
#
# 1.Macros
# ISP_1
ext_if1="fxp0"
ext_gw1="217.126.43.2"
# ISP_2
ext_if2="bge1"
ext_gw2="192.168.10.1"
# ISP_3
ext_if3="re0"
ext_gw3="192.168.2.1"
# dept. A
workmate_a="192.168.0.121"
workmate_b="192.168.0.51"
workmate_c="192.168.0.124"
workmate_d="192.168.0.49"
dept_a = "{" $workmate_a $workmate_b $workmate_c $workmate_d "}"
#dept. B
workmate_e="192.168.0.79"
wormate_f="192.168.0.78"
dept_b = "{" $workmate_e $workmate_f"}"
# dept. C
workmate_h="192.168.0.39"
workmate_i="192.168.0.43"
workmate_j="192.168.0.48"
dept_c = "{" $workmate_h $workmate_i $workmate_j "}"
# internal gateway
lan_net="192.168.0.0/24"
int_if="bge0"
int_gw="192.168.0.1"
# another macros
cpd="{ xxx }"
callcenter="xxx"
# 2.Tables
# Not used at present
# 3.Options
set skip on lo
set optimization conservative
set limit states 50000
# 4. Scrub traffic
scrub all
# 5. Queueing
altq on $int_if cbq bandwidth 30Mb queue { zona1, zona2, zona3 }
queue zona1 bandwidth 10Mb { centraeta, cpd1, ssh1, nocpd1 }
queue centraleta bandwidth 50% priority 7 cbq(default)
queue cpd1 bandwidth 25% priority 6 cbq(borrow)
queue ssh1 bandwidth 5% priority 3 cbq
queue nocpd1 bandwidth 20% priority 0 cbq
queue zona2 bandwidth 10Mb { cpd2, ssh2, nocpd2 }
queue cpd2 bandwidth 40% priority 7 cbq
queue ssh2 bandwidth 40% priority 3 cbq(borrow)
queue nocpd2 bandwidth 20% priority 0 cbq
queue zona3 bandwidth 10Mb { cpd3, ssh3, nocpd3 }
queue cpd3 bandwidth 60% priority 7 cbq
queue ssh3 bandwidth 25% priority 3 cbq(borrow)
queue nocpd3 bandwidth 15% priority 0 cbq
# 6. Translation
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
# 7. Filer rules
## from LAN to Internet: INBOUND to bge0 ##
# dept_a using their own ADSL
pass out on $int_if route-to \
($ext_if1 $ext_gw1) \
proto { tcp udp } from $dept_a to any keep state
# dept_b using their own ADSL
pass out on $int_if route-to \
($ext_if2 $ext_gw2) \
proto { tcp udp } from $dept_b to any keep state
# dept_c using their own ADSL
pass out on $int_if route-to \
($ext_if3 $ext_gw3) \
proto { tcp udp } from $dept_c to any keep state
## from LAN to internet: OUTBOUND on bge1/re0/fxp0
pass out on $ext_if1
pass out on $ext_if2
pass out on $ext_if3
###############################
####### traffic from INTERNET to LAN ########
## from Internet to LAN: INBOUND to bge1/re0/fxp0 ##
pass in on $ext_if1
pass in on $ext_if2
pass in on $ext_if3
## from Internet to LAN: OUTBOUND to bge0 ##
### dept_a
pass in on $int_if route-to \
($ext_if1 $ext_gw1) \
proto udp from $dept_a to $callcenter02 \
keep state \
queue centraleta
pass in quick on $int_if route-to \
($ext_if1 $ext_gw1) \
proto tcp from $dept_a to $cpd \
port 22 keep state \
queue ssh1
pass in quick on $int_if route-to \
($ext_if1 $ext_gw1) \
proto tcp from $dept_a to $cpd \
keep state \
queue cpd1
pass in quick on $int_if route-to \
($ext_if1 $ext_gw1) \
proto tcp from $dept_a to $cpd \
keep state \
queue nopcd1
### dept_b
pass in quick on $int_if route-to \
($ext_if2 $ext_gw2) \
proto tcp from $dept_b to $cpd \
port 22 keep state \
queue ssh2
pass in quick on $int_if route-to \
($ext_if2 $ext_gw2) \
proto tcp from $dept_b to $cpd \
keep state \
queue cpd2
pass in quick on $int_if route-to \
($ext_if2 $ext_gw2) \
proto tcp from $dept_b to $cpd \
keep state \
queue nopcd2
### dept_c
pass in quick on $int_if route-to \
($ext_if3 $ext_gw3) \
proto tcp from $dept_c to $cpd \
port 22 keep state \
queue ssh3
pass in quick on $int_if route-to \
($ext_if3 $ext_gw3) \
proto tcp from $dept_c to $cpd \
keep state \
queue cpd3
pass in quick on $int_if route-to \
($ext_if3 $ext_gw3) \
proto tcp from $dept_c to $cpd \
keep state \
queue nopcd3
-----------------------------------------------------
I sound clear also... but simple doesn't work.
I've convinced that my last goal (uses a ADSL depends on LAN IP's client
and uses also the queue) is possible but is seems hard right now.
Thanks in advance. --I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.
Bene Gesserit Litany Against Fear.