Hello Jorge, 

> I read your mail again and now I'm lost!
> 
> You Wrote:
> 
> "How can I force my Extl. FW to reply on exactly the same interface it
> had been requested on?  For example I am running OpenVPN(1194/UDP)
> between my HomeOffice (Z=Client) and the Intl. FW(=Server). Likewise I
> would appreciate SSH-portforwarding from Internet to the Intl. FW."
> 
> 
> SSH port forwarding from the internet to an internal server is something like:
> 
> ext_if=vr0
> ext_ip=1.2.3.4
> Spvt=4.5.6.7
> 
> match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
> 
> pass in on $ext_if proto tcp from any to $Spvt port 22
> pass out on $int_if proto tcp from any to $Spvt port 22
> 
> The lines above redirect all traffic coming from anywhere on the internet to
> my external IP (1.2.3.4) to the server 4.5.6.7, which is located in my
> internal LAN; in other words, the packet comes in on the external interface
> and goes out on the internal interface.
> 
> This works on OpenBSD 4.8 or newer!
> 
> Is this what you need ?

No. Obviously I have not explained clearly what my problem is.

On my firewall I have TWO different internet connections. It is simple to
forward - for instance ssh - from both connections to an internal machine.
Now this machine answers and the firewall sends the reply back. How can I
force the firewall to send the reply over exactly the interface the request
came in on? The problem is that the client anywhere on the internet expects
the answer from the very address it had contacted. If the reply now comes
from another address, it will get lost.


Best regards

Torsten



> On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke <
> torsten.fi...@igh-essen.com> wrote:
> 
> > Hello Jorge,
> >
> > > If i understood you well, the answer to your question is here !
> > >
> > >
> > > http://www.openbsd.org/faq/pf/pools.html
> > >
> > > Under the section Load Balancing outgoing traffic, or take a look at:
> > >
> > > http://www.openbsd.org/faq/faq6.html#Multipath
> > >
> > >
> > > There are good examples there !
> > >
> > > I hope this can help !
> >
> > thank you for this. The FAQ on pools has nice examples but none of them
> > really faces my problem. It discusses load balancing of incoming traffic
> > to several servers as well as load balancing of outgoing traffic. I cannot
> > figure out how to dispatch replies to incoming requests over different
> > connections.
> >
> > The FAQ on multipath has helped me very well to set up multiple default
> > routes - this works very well.
> >
> > Best regards
> >
> > Torsten
> >
> >
> > > > Dear List,
> > > >
> > > > Here I show my network topology. Maybe it seems quite typical. My
> > > > internal network is located behind an Intl/Extl Firewall which is
> > > > connected to the Internet(IN) via pppoe/ppp(8). On the other side I run
> > > > different systems, for instance a home office network, a mobile laptop,
> > > > and several customers.
> > > >
> > > >
> > > >        +---+ +---+
> > > >        | A | | B | (PC)
> > > >        +-+-+ +-+-+
> > > >          |     |   +---------+
> > > >        --+-----+---| Intl FW |---(DMZ)---+
> > > >        (LAN/int)   +---------+           |
> > > >                                          |
> > > >  +---------------------------------------+
> > > >  |                                                          +---+
> > > >  |                                           ____           | Z | (PC)
> > > >  |                                          (    )          +---+
> > > >  |  +---------+ pppoe/ppp(8) +-----------+  (    )  +----+    |
> > > >  |  |         |--------------| DSL-Modem |--(    )--| GW |----+-
> > > >  |  |         | rl0/tun0     +-----------+  (    )  +----+  (HomeOffice)
> > > >  +--| Extl FW |                             ( IN )  +----------+
> > > >     |         | pppoe/ppp(8) +-----------+  (    )--| Customer |
> > > >     |         |--------------| DSL-Modem |--(    )  +----------+
> > > >     +---------+ rl1/tun1     +-----------+  (    )  +--------+
> > > >     OpenBSD 4.8                             (____)--| Mobile |
> > > >                                                     +--------+
> > > >
> > > > My question is about the setup of routing and packet filtering on the
> > > > External Firewall:
> > > >
> > > > How can I force my Extl. FW to reply on exactly the same interface it
> > > > had been requested on?  For example I am running OpenVPN(1194/UDP)
> > > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Likewise I
> > > > would appreciate SSH-portforwarding from Internet to the Intl. FW.
> > > >
> > > > I tried using "route-to" and "reply-to", but that did not work -
> > > > PF.CONF(5) says this should do, but I could not figure out how. I did
> > > > not understand how "route-to" and "reply-to" actually work (I could
> > > > not find any explanation, though I have searched hard for one).
> > > >
> > > > Everything else (NAT, outbound load balancing, filtering) works just
> > > > fine.
> > > >
> > > > My routing is:
> > > >
> > > > default  XXX.X.XX.XXX    UGSP       2   101853     -     8 tun0
> > > > default  XXX.X.XX.XXX    UGSP       0      988     -     8 tun1
> > > >
> > > > I manage my multipath routes (net.inet.ip.multipath=1) via
> > > > - ppp.linkup:
> > > > MYADDR:
> > > >  shell route add -mpath default HISADDR
> > > >
> > > > - ppp.linkdown
> > > > MYADDR:
> > > >  shell route delete -mpath default HISADDR
> > > >
> > > > What I tried in pf.conf is:
> > > >
> > > >   pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> > > >   pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
> > > >
> > > > Asking PF statistics (pfctl -v -s rules) shows that no packet has been
> > > > handled by those "reply-to" rules.
> > > >
> > > > Since I consider PF a brilliant concept I would really appreciate any
> > > > hint that would help. Thanks to all OpenBSD developers for their great
> > > > work and thanks for any advice.
> > > >
> > > >
> > > > Best regards
> > > >
> > > > Torsten
> > > >
> > > >
> > > > --
> > > >
> > ------------------------------------------------------------------------
> > > > Torsten Finke
> > > > f...@igh-essen.com
> > > >
> > ------------------------------------------------------------------------
> > > >
> > > >
> > >
> > >
> > > --
> > > Cordialmente,
> > >
> > > 00110111  00111011
> >
> >
> > --
> > ------------------------------------------------------------------------
> > Torsten Finke
> > f...@igh-essen.com
> > ------------------------------------------------------------------------
> >
> >
> 
> 
> -- 
> Cordialmente,
> 
> 00110111  00111011

--
------------------------------------------------------------------------
Torsten Finke
f...@igh-essen.com
------------------------------------------------------------------------
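An added example, not code from the thread: a pf.conf fragment for the setup Torsten describes (two ppp uplinks tun0/tun1, ssh and OpenVPN udp/1194 forwarded from either uplink to the Intl FW, replies forced back out the uplink the request arrived on). It combines Jorge's match/rdr-to pattern with reply-to attached to the pass rule that actually creates the state. The DMZ interface name vr1 and the Intl FW address 10.0.1.2 are placeholders I assumed; the parenthesised reply-to form is the OpenBSD 4.8 syntax, so check pf.conf(5) for the release in use.

```pf
# Added example (not from the thread): symmetric replies on a dual-uplink
# OpenBSD 4.8 firewall. tun0/tun1 (ppp uplinks) and the services (ssh tcp/22,
# OpenVPN udp/1194) come from the thread; the DMZ interface vr1 and the
# Intl FW address 10.0.1.2 are assumed placeholders.
ext0 = tun0
ext1 = tun1
dmz_if = vr1
intl_fw = 10.0.1.2

set skip on lo

# 1. Translation: redirect the services arriving on EITHER uplink to the
#    Intl FW. "($ext0)" is the uplink's current address, re-read for every
#    packet, so it survives a ppp reconnect without a pfctl reload.
match in on $ext0 inet proto tcp from any to ($ext0) port 22   rdr-to $intl_fw
match in on $ext1 inet proto tcp from any to ($ext1) port 22   rdr-to $intl_fw
match in on $ext0 inet proto udp from any to ($ext0) port 1194 rdr-to $intl_fw
match in on $ext1 inet proto udp from any to ($ext1) port 1194 rdr-to $intl_fw

# 2. Filtering: rdr-to has already rewritten the destination, so the pass
#    rule must match the TRANSLATED address. This rule creates the state and
#    reply-to is recorded in that state: every packet travelling in the
#    reverse direction of the state is sent out the named interface to the
#    named next hop (the ppp peer), bypassing the multipath default routes.
#    "quick" stops a later, more general rule from becoming the last match
#    and creating the state without reply-to, which is the usual reason a
#    reply-to rule shows zero packets in "pfctl -vs rules".
pass in quick on $ext0 inet proto tcp from any to $intl_fw port 22 \
    reply-to ($ext0 $ext0:peer)
pass in quick on $ext1 inet proto tcp from any to $intl_fw port 22 \
    reply-to ($ext1 $ext1:peer)
pass in quick on $ext0 inet proto udp from any to $intl_fw port 1194 \
    reply-to ($ext0 $ext0:peer)
pass in quick on $ext1 inet proto udp from any to $intl_fw port 1194 \
    reply-to ($ext1 $ext1:peer)

# 3. The forwarded packet leaves on the DMZ side. With the default floating
#    state policy it already matches the state created above; this rule is
#    only needed when "set state-policy if-bound" is in use.
pass out on $dmz_if inet proto { tcp udp } from any to $intl_fw

# 4. Everything else (LAN-originated and locally generated traffic) keeps
#    using the multipath default routes and the existing outbound nat-to
#    rules, which are unchanged and not repeated here.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Then connect to ssh or OpenVPN from outside via each uplink's address in turn and confirm with `pfctl -vs rules` that the Packets counter of the matching reply-to rule increases, and with `pfctl -ss` that a state exists with the translated destination; if the counter stays at zero, a later non-quick rule is winning the last-match evaluation and creating the state without reply-to.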
