Hi, I'm using two external interfaces myself, and I believe I had the
same problem you describe in your message. I bet when you do:
netstat -rnf inet | grep default
you will see that your (ext_if2 ext_gw2) comes on top. Thus, my theory
is that the kernel is preferring your second external interface due to
your routing table (i.e. the order of your default routes).
Since I don't know how to handle this in pf.conf for connections
originating from my firewall, such as an http proxy running on the
firewall, just as in your case (otherwise route-to and reply-to work
fine), I change my routing table in the rc files.
Specifically, I rearrange the order of my default routes to have my
first external interface/gateway on top:
route add default -ifp ext_if1 -mpath ext_gw1
route add default -ifp ext_if2 -mpath ext_gw2
Accordingly, I removed the corresponding commands from the hostname.if(5)
files.
Hope this helps,
On Tue, 2007-01-23 at 08:36 -0800, S t i n g r a y wrote:
> Well, thanks to everyone who helped me come close to using multiple external
> links for internet.
> But it's still not working. My scenario is that I have two ISP connections now.
> The main internet connection is the powerful one, which I only want to use
> for specific protocols that I have defined in a macro called ports; the
> rest is supposed to go to my 2nd internet connection, which is a weak and
> cheap connection, basically there to allow p2p applications access.
> Main internet is ext_if1 (xl0)
> Slow internet is ext_if2 (xl2)
> LAN is int_if (xl1)
> Now the problem is that whenever I apply my pf.conf file, all the traffic
> goes to the 2nd slow internet connection.
>
> My pf.conf file:
> lan_net = "10.0.0.0/16"
> int_if = "xl1"
> ext_if1 = "xl0"
> ext_if2 = "xl2"
> ext_gw1 = "192.168.0.1"
> ext_gw2 = "203.81.235.1"
> chadd = "10.0.0.1"
> ports = " 22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863"
> table <allowedclients> persist file "/etc/allowedclients"
>
> nat on $ext_if1 inet proto {tcp, udp } from <allowedclients> to any port \
> { $ports } -> ($ext_if1)
> nat on $ext_if2 inet proto {tcp, udp } from <allowedclients> to any \
> -> ($ext_if2)
>
> rdr on $int_if proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
>
> pass out log on $int_if from any to $lan_net
>
> pass in log quick on $int_if from $lan_net to $int_if
> pass in log on $int_if route-to { ($ext_if2 $ext_gw2) } from \
> $lan_net to any flags S/SA keep state
> pass in log on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
> $lan_net to any port {$ports} flags S/SA keep state
>
> pass out log on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out log on $ext_if2 proto { udp, icmp } from any to any keep state
> pass out log on $ext_if1 proto tcp from any to any flags S/SA modulate state
> pass out log on $ext_if1 proto { udp, icmp } from any to any keep state
>
> pass out log on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> pass out log on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
>
> This is what happens:
>
> bash-3.1# tcpdump -netti pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG
> 1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 >
> 8.7.232.215.80: [|tcp] (DF)
> 1169566778.553623 rule 18/(match) pass out on xl2: 203.81.235.185.13550 >
> 66.249.91.83.80: [|tcp] (DF)
> 1169566779.005110 rule 18/(match) pass out on xl2: 203.81.235.185.16245 >
> 209.0.144.87.80: [|tcp] (DF)
> 1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 >
> 216.143.70.77.80: [|tcp]
> 1169566779.167718 rule 1/(match) pass in on xl1: 10.0.1.24.2402 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566779.170640 rule 18/(match) pass out on xl2: 203.81.235.185.11598 >
> 64.40.101.40.80: [|tcp] (DF)
> 1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 >
> 125.23.47.31.3460: [|tcp] (DF)
> 1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 >
> 125.23.47.31.3460: [|tcp] (DF)
> 1169566779.615288 rule 18/(match) pass out on xl2: 203.81.235.185.33595 >
> 209.0.144.88.80: [|tcp] (DF)
> 1169566779.700708 rule 18/(match) pass out on xl2: 203.81.235.185.42575 >
> 72.14.209.85.80: [|tcp] (DF)
> 1169566779.994302 rule 1/(match) pass in on xl1: 10.0.2.8.4265 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566780.005425 rule 18/(match) pass out on xl2: 203.81.235.185.31337 >
> 72.14.209.86.80: [|tcp] (DF)
> 1169566780.174899 rule 18/(match) pass out on xl2: 203.81.235.185.27385 >
> 8.2.96.67.80: [|tcp] (DF)
> 1169566780.475037 rule 2/(match) pass in on xl1: 10.0.1.19.138 >
> 10.0.255.255.138: udp 201
> 1169566780.475089 rule 22/(match) pass out on xl0: 10.0.1.19.138 >
> 10.0.255.255.138: udp 201
> 1169566780.652249 rule 18/(match) pass out on xl2: 203.81.235.185.44777 >
> 8.7.232.215.80: [|tcp] (DF)
> 1169566780.884663 rule 1/(match) pass in on xl1: 10.0.2.8.4266 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566780.889225 rule 18/(match) pass out on xl2: 203.81.235.185.44736 >
> 72.14.217.189.80: [|tcp] (DF)
> 1169566780.920559 rule 2/(match) pass in on xl1: 10.0.3.6.3273 >
> 64.182.172.11.8585: [|tcp] (DF)
> 1169566780.920608 rule 21/(match) pass out on xl0: 10.0.3.6.3273 >
> 64.182.172.11.8585: [|tcp] (DF)
> 1169566780.927934 rule 18/(match) pass out on xl2: 203.81.235.185.2945 >
> 66.249.91.18.80: [|tcp] (DF)
> 1169566781.046297 rule 2/(match) pass in on xl1: 10.0.1.11.137 >
> 10.0.255.255.137: udp 50
> 1169566781.046351 rule 22/(match) pass out on xl0: 10.0.1.11.137 >
> 10.0.255.255.137: udp 50
> 1169566781.141521 rule 18/(match) pass out on xl2: 203.81.235.185.6110 >
> 209.0.144.87.80: [|tcp] (DF)
> 1169566781.389933 rule 2/(match) pass in on xl1: 10.0.4.19.137 >
> 10.0.255.255.137: udp 68
> 1169566781.390009 rule 22/(match) pass out on xl0: 10.0.4.19.137 >
> 10.0.255.255.137: udp 68
> 1169566781.505436 rule 18/(match) pass out on xl2: 203.81.235.185.12893 >
> 66.249.91.19.80: [|tcp] (DF)
> 1169566781.634241 rule 18/(match) pass out on xl2: 203.81.235.185.3396 >
> 209.0.144.88.80: [|tcp] (DF)
> 1169566782.052176 rule 1/(match) pass in on xl1: 10.0.3.6.3274 >
> 10.0.0.1.53:[|domain]
> 1169566782.145289 rule 17/(match) pass in on xl1: 10.0.1.44.1405 >
> 64.4.37.22.1863: [|tcp] (DF)
> 1169566782.145340 rule 18/(match) pass out on xl2: 203.81.235.185.60189 >
> 64.4.37.22.1863: [|tcp] (DF)
> 1169566782.286339 rule 1/(match) pass in on xl1: 10.0.1.32.1054 >
> 10.0.0.1.53:[|domain]
> 1169566782.773519 rule 19/(match) pass out on xl2: 203.81.235.185.37174 >
> 192.175.48.42.53:[|domain]
> 1169566783.227876 rule 18/(match) pass out on xl2: 203.81.235.185.12589 >
> 66.230.155.6.80: [|tcp] (DF)
> 1169566783.565189 rule 1/(match) pass in on xl1: 10.0.2.41.1603 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566783.868916 rule 1/(match) pass in on xl1: 10.0.2.8.4267 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566783.873699 rule 18/(match) pass out on xl2: 203.81.235.185.31607 >
> 72.14.217.189.80: [|tcp] (DF)
> 1169566783.939254 rule 18/(match) pass out on xl2: 203.81.235.185.3147 >
> 66.249.91.83.80: [|tcp] (DF)
> 1169566783.944207 rule 1/(match) pass in on xl1: 10.0.2.41.1604 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566783.948180 rule 18/(match) pass out on xl2: 203.81.235.185.39092 >
> 64.4.15.61.80: [|tcp] (DF)
> 1169566785.695035 rule 1/(match) pass in on xl1: 10.0.0.5.2305 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566785.697572 rule 18/(match) pass out on xl2: 203.81.235.185.22226 >
> 81.95.147.107.80: [|tcp] (DF)
> 1169566785.776452 rule 1/(match) pass in on xl1: 10.0.2.41.1605 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566785.930252 rule 1/(match) pass in on xl1: 10.0.2.41.1606 >
> 10.0.0.1.8080: [|tcp] (DF)
> 1169566785.935663 rule 18/(match) pass out on xl2: 203.81.235.185.12836 >
> 209.191.65.8.80: [|tcp] (DF)
> 1169566786.317411 rule 18/(match) pass out on xl2: 203.81.235.185.16717 >
> 72.14.209.87.80: [|tcp] (DF)
> 1169566786.626559 rule 2/(match) pass in on xl1: 10.0.2.44.2212 >
> 65.43.85.53.6667: [|tcp] (DF)
> 1169566786.626613 rule 21/(match) pass out on xl0: 10.0.2.44.2212 >
> 65.43.85.53.6667: [|tcp] (DF)
> 1169566787.104918 rule 18/(match) pass out on xl2: 203.81.235.185.21187 >
> 204.13.161.25.80: [|tcp] (DF)
> 1169566787.113192 rule 17/(match) pass in on xl1: 10.0.2.37.2124 >
> 207.46.26.36.1863: [|tcp] (DF)
> 1169566787.113242 rule 18/(match) pass out on xl2: 203.81.235.185.64047 >
> 207.46.26.36.1863: [|tcp] (DF)
>
> My ifconfig command shows:
>
> bash-3.1# ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:50:04:03:fa:96
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
> inet6 fe80::250:4ff:fe03:fa96%xl0 prefixlen 64 scopeid 0x1
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:50:04:a0:39:9a
> media: Ethernet autoselect (10baseT half-duplex)
> status: active
> inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
> inet6 fe80::250:4ff:fea0:399a%xl1 prefixlen 64 scopeid 0x2
> xl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:10:5a:22:64:c7
> groups: egress
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::210:5aff:fe22:64c7%xl2 prefixlen 64 scopeid 0x3
> inet 203.81.235.185 netmask 0xffffff00 broadcast 203.81.235.255
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=0<> mtu 1536
>
> I did update to OpenBSD -current; I would be grateful if you could help me out.
>
> Regards
>
> *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
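To check the routing-table diagnosis in the reply against the pflog output quoted in the thread, here is an added triage script; it is not from either poster. It correlates each logged "pass out" on an external interface with an earlier "pass in" on the LAN interface to the same destination host.port: a match means the flow was forwarded from a LAN client, no match means it was originated on the firewall itself (the proxy behind the rdr to 10.0.0.1:8080, the resolver), which is exactly the traffic route-to never sees and the routing table decides. It also counts LAN-sourced packets leaving an external interface without NAT, and reports which default route a netstat listing puts first. The pflog sample is copied from the thread and rejoined onto single lines; the netstat sample is constructed, and the assumption that the interface is the last column of `netstat -rnf inet` output is mine.

```shell
#!/bin/sh
# pflog triage for the dual-uplink problem in this thread (added example,
# not code from the original posts).
#
# Per egress interface it separates "pass out" flows that were forwarded
# from the LAN (an earlier "pass in on $INT_IF" to the same destination was
# logged) from flows with no LAN counterpart, i.e. ones originating on the
# firewall itself, such as the http proxy behind the rdr to 10.0.0.1:8080.
# Only the latter follow the routing table instead of route-to.

INT_IF=xl1          # LAN side, as in the poster's pf.conf
LAN_PREFIX=10.0.    # 10.0.0.0/16 as a string prefix (assumption: /16 == "10.0.")

# Sample input: pflog lines copied from the thread and rejoined onto single
# lines. For live data use:  tcpdump -netti pflog0 | tee /tmp/pflog.txt
SAMPLE_PFLOG='1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 8.7.232.215.80: [|tcp] (DF)
1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 10.0.0.1.8080: [|tcp] (DF)
1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 > 216.143.70.77.80: [|tcp]
1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566780.475037 rule 2/(match) pass in on xl1: 10.0.1.19.138 > 10.0.255.255.138: udp 201
1169566780.475089 rule 22/(match) pass out on xl0: 10.0.1.19.138 > 10.0.255.255.138: udp 201
1169566782.145289 rule 17/(match) pass in on xl1: 10.0.1.44.1405 > 64.4.37.22.1863: [|tcp] (DF)
1169566782.145340 rule 18/(match) pass out on xl2: 203.81.235.185.60189 > 64.4.37.22.1863: [|tcp] (DF)
1169566782.773519 rule 19/(match) pass out on xl2: 203.81.235.185.37174 > 192.175.48.42.53:[|domain]'

# Constructed netstat -rnf inet output for the poster's box (assumption: the
# interface name is the last column, as in OpenBSD's netstat). Replace with
# the live command.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use    Mtu  Interface
default            203.81.235.1       UGS        3    98765   1500  xl2
default            192.168.0.1        UGS        0     1234   1500  xl0
10.0/16            link#2             UC         2        0   1500  xl1
127/8              127.0.0.1          UGRS       0        0  33224  lo0'

# classify_out IFACE forwarded|local -> number of "pass out on IFACE" flows
# of that kind. Field layout of a pflog line as printed by tcpdump -netti:
#   $1 time  $2 "rule"  $3 N/(match)  $4 pass|block  $5 in|out  $6 "on"
#   $7 "IFACE:"  $8 src.port  $9 ">"  $10 dst.port followed by ":"
classify_out() {
    printf '%s\n' "$SAMPLE_PFLOG" | awk -v iface="$1:" -v want="$2" -v lan="$INT_IF:" '
    function dst(   d) { d = $10; sub(/:.*$/, "", d); return d }   # host.port
    $4 == "pass" && $5 == "in"  && $7 == lan   { seen[dst()] = 1 }
    $4 == "pass" && $5 == "out" && $7 == iface {
        d = dst()
        kind = (d in seen) ? "forwarded" : "local"
        if (kind == want) n++
    }
    END { print n + 0 }'
}

# private_src_out IFACE -> packets leaving IFACE with a LAN source address,
# i.e. forwarded without any nat rule having matched on that interface.
private_src_out() {
    printf '%s\n' "$SAMPLE_PFLOG" | awk -v iface="$1:" -v pfx="$LAN_PREFIX" '
    $4 == "pass" && $5 == "out" && $7 == iface && index($8, pfx) == 1 { n++ }
    END { print n + 0 }'
}

# first_default_if -> interface of the first default route in the listing,
# the one the reply says the kernel prefers for locally originated traffic.
first_default_if() {
    printf '%s\n' "$SAMPLE_ROUTES" | awk '$1 == "default" { print $NF; exit }'
}

# Report: on the thread's data every web/DNS flow leaving xl2 is local
# (the proxy and resolver), and two LAN flows leave xl0 with private sources.
for ifc in xl0 xl2; do
    printf '%s: forwarded=%s local=%s lan_src_unnatted=%s\n' "$ifc" \
        "$(classify_out "$ifc" forwarded)" "$(classify_out "$ifc" local)" \
        "$(private_src_out "$ifc")"
done
printf 'first default route: %s\n' "$(first_default_if)"
```

The correlation only works when the LAN-side pass rules carry `log`, as they do in the quoted pf.conf, and it can misattribute a flow if a LAN client and the proxy both talk to the same destination host and port inside the capture, so read the counts as a signal, not proof. The `lan_src_unnatted` column is worth a look on its own: the quoted pf.conf only NATs on $ext_if1 for the ports in $ports, so anything else that ends up leaving that interface goes out with a 10.0.0.0/16 source.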