Hi,

I am using PF with two ISP links and doing load balancing. Everything works
fine, I copied the rules from the FAQ, except for one issue. I am using samba;
my problem appears when I have to log on to samba or with RDR to my XP IP
(192.168.3.22). PF is blocking internal traffic from my PC to my OBSD 3.8
(I am waiting for my 3.9 copy :-D) machine (with the samba server). If I
open the traffic on the internal interface with a:

pass in on $int_if from any to any

then samba works fine, but there's no load balancing. Maybe I am
misunderstanding something. Below are my rules. Any help to fix and improve
these rules would be appreciated. I have 2 DSL links from the same provider
(there is only one provider where I am living) and they don't want to
speed up my link. I have 2 links of 256 download and 128 upload working at
65% (thanks to Telefonica de Argentina :-( )

Thanks

Marcos


#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# two PPPoE links (tun0/tun1) with their gateways, one internal LAN interface
ext_if1="tun0"
ext_gw1="200.51.241.211"
ext_if2="tun1"
ext_gw2="200.51.241.253"
int_if="rl0"
lan_net="192.168.3.0/24"
gateway_addr="192.168.3.1"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 120, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }

set limit { states 20000, frags 5000 }

set optimization aggressive

# reassemble fragments and randomise IP ids on both DSL links
scrub in on $ext_if1 all fragment reassemble random-id
scrub in on $ext_if2 all fragment reassemble random-id

# two priority queues per link; q_pri is the high-priority (ACK) queue
altq on { $ext_if1, $ext_if2 } priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)  # sticky-address
nat on $ext_if2 from $lan_net to any -> ($ext_if2)  # sticky-address

# redirect local FTP to ftp-proxy listening on 127.0.0.1:8021
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# default deny
block in  from any to any
block out from any to any
block quick inet6

pass quick on lo all

# spoofing protection on int_if
antispoof quick log for $int_if inet

# allow all outgoing traffic on IntIf
pass out on $int_if from any to $lan_net

# allow all incoming traffic on IntIf that is addressed to the gateway
# itself ($int_if expands to rl0's own addresses only, not to the
# 192.168.3.255 broadcast)
pass in quick on $int_if from $lan_net to $int_if

# load balance tcp (everything from the LAN not passed above ends up here)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto tcp from $lan_net to any flags S/SA keep state

# load balance udp and icmp
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin proto { udp, icmp } from $lan_net to any keep state

# ping to/from world
pass out log quick on { $ext_if1 $ext_if2 } inet proto icmp all icmp-type 8 \
    code 0 keep state
pass in  log quick on { $ext_if1 $ext_if2 } inet proto icmp all icmp-type 8 \
    code 0 keep state

# allow external access to SSH on both interfaces, rate limited per source
pass in log quick on $ext_if1 inet proto tcp from !$lan_net to ($ext_if1) \
    port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 3/30) \
    queue (q_def, q_pri)
pass in log quick on $ext_if2 inet proto tcp from !$lan_net to ($ext_if2) \
    port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 3/30) \
    queue (q_def, q_pri)

# FTP control connections from outside
pass in log on $ext_if1 proto tcp from any to ($ext_if1) port ftp flags S/SA \
    keep state queue (q_def, q_pri)
pass in log on $ext_if2 proto tcp from any to ($ext_if2) port ftp flags S/SA \
    keep state queue (q_def, q_pri)

# active FTP data connections ($ext_if1 without parentheses is expanded
# once at load time; a PPPoE address change needs a ruleset reload)
pass in log quick on $ext_if1 inet proto tcp from any to $ext_if1 \
    port > 49151 flags S/SA keep state queue (q_def, q_pri)
pass in log quick on $ext_if2 inet proto tcp from any to $ext_if2 \
    port > 49151 flags S/SA keep state queue (q_def, q_pri)

# dns
# pass in log on { $ext_if1 $ext_if2 } proto tcp from any to any port domain keep state
pass out on $ext_if1 proto tcp from $ext_if1 to any port domain keep state
pass out on $ext_if2 proto tcp from $ext_if2 to any port domain keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA keep state \
    queue (q_def, q_pri)
pass out on $ext_if1 proto udp from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA keep state \
    queue (q_def, q_pri)
pass out on $ext_if2 proto udp from any to any keep state

# route packets through the appropriate gateways: packets carrying the
# other link's address must leave via that link's gateway
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any