Well, I've upgraded the router to 3.5, but still no luck.

I'm posting a pf.conf that I tried to use. Trying to put the "tagged"
requirement in the nat section didn't work, so I'm trying something along
the lines of what David recommended.

I had the default route set to the SDSL's router, and the box could access
the internet just fine. Computers on the internal network can see the
router, but nothing goes through.

I'm sure I'm making an obvious mistake, but I've gone over this a million
times (it's been a long day) with nothing.

Thanks a bunch!

pf.conf:
# Macro definitions

# ADSL interface
adsl_if="tl0"
# ADSL interface gateway
adsl_gw="a.a.a.a"
# ports sent through ADSL
adsl_ports="{ http, domain }"
# SDSL interface
sdsl_if="tl1"
# LAN interface
int_if="vr0"

# options
scrub all reassemble tcp

# nat on both interfaces from internal
# A bare interface name as a source ("from $int_if") expands to the
# interface's own address only; "$int_if:network" matches the whole LAN.
nat on $adsl_if from $int_if:network to any -> ($adsl_if)
nat on $sdsl_if from $int_if:network to any -> ($sdsl_if)

# packet filtering

# default policy: block everything in, let everything out
block in
pass out modulate state

# let everything in on the internal interface and loopback
pass quick on lo
# (this will be overridden later as needed)
pass on $int_if
# but don't allow spoofed stuff
antispoof quick for { lo $int_if }

# route everything important through the ADSL line
pass in quick on $int_if route-to ($adsl_if $adsl_gw) \
        proto { tcp, udp } from $int_if:network to any port $adsl_ports
# route everything not important through the SDSL line (default)
# ("proto" needs a protocol list; without one pfctl rejects the rule)
pass in on $int_if proto { tcp, udp } from $int_if:network to any
# and send everything that's not TCP or UDP through the SDSL line
pass in on $int_if inet proto icmp from $int_if:network to any


-Coda 
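As an added illustration (not code from this thread and not pf's own implementation), a toy Python model of how pf picks the winning rule for the ruleset above: rules are scanned in order, the last match wins, a matching "quick" rule ends the scan, and a winning pass rule's route-to overrides the default route. The interface names come from the post; "lo0" and the numeric ports 80/53 are assumed expansions of the "lo", "http" and "domain" macros.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    iface: str = None                  # interface the rule is bound to; None = all
    quick: bool = False                # stop evaluating once this rule matches
    protos: frozenset = frozenset()    # empty = any protocol
    dports: frozenset = frozenset()    # empty = any destination port
    route_to: str = None               # egress interface forced by route-to

@dataclass
class Packet:
    iface: str                         # interface the packet arrived on
    proto: str
    dport: int = 0

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (not rule.protos or pkt.proto in rule.protos)
            and (not rule.dports or pkt.dport in rule.dports))

def evaluate(rules, pkt, default_if):
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule              # last match wins ...
            if rule.quick:             # ... unless the match is a quick rule
                break
    if winner is None or winner.action == "block":
        return ("block", None)
    return ("pass", winner.route_to or default_if)  # route-to beats the default route

# The thread's filter rules with macros expanded (assumed: http=80, domain=53).
TCP_UDP = frozenset({"tcp", "udp"})
RULES = [
    Rule("block"),                                           # block in
    Rule("pass", "lo0", quick=True),                         # pass quick on lo
    Rule("pass", "vr0"),                                     # pass on $int_if
    Rule("pass", "vr0", quick=True, protos=TCP_UDP,          # route-to ADSL for
         dports=frozenset({80, 53}), route_to="tl0"),        # the "important" ports
    Rule("pass", "vr0", protos=TCP_UDP),                     # rest: default route
    Rule("pass", "vr0", protos=frozenset({"icmp"})),         # non-TCP/UDP: default
]
DEFAULT_IF = "tl1"   # default route points at the SDSL router
if __name__ == "__main__":
    for p in (Packet("vr0", "tcp", 80), Packet("vr0", "tcp", 8000),
              Packet("vr0", "icmp"), Packet("tl0", "tcp", 80)):
        print(p, "->", evaluate(RULES, p, DEFAULT_IF))
```

The last packet shows why the "block in" default matters: nothing arriving unsolicited on the ADSL interface is passed, since no later rule matches it.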


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Coda Hale
> Sent: Saturday, July 24, 2004 3:14 PM
> To: PF Mailing List
> Subject: NAT with two external interfaces
> 
> Hello all,
> 
> I put together a router/firewall with OpenBSD 3.3 a while back and it works
> like a dream. Pf was surprisingly easy to learn, and I'm definitely sold.
> The network I manage is going to change at the end of the month, and I'm
> having a hard time wrapping my head around how my pf.conf should reflect
> this. I've spent quite a bit of time researching this, but I want to make
> sure this will work the first or second time around - this change will
> affect ~150 people, and I *really* want to have as little downtime as
> possible.
> 
> I'm trying to get a functional pf.conf written on the router as-is (3.3)
> and then upgrade to 3.5.
> 
> We'll be installing an SDSL line in addition to the ADSL line we have, so
> the network will look like this:
> 
> ADSL via a.a.a.a <------\
>                         |
>                       [tl0]
>                         OpenBSD Box [vr0] --> LAN via b.b.b.b
>                       [tl1]
>                         |
> SDSL via c.c.c.c <------/
> 
> The "a.a.a.a" is just a generic stand-in for the IPs that have been
> statically assigned to each interface. I've been referring to the ADSL
> connection as the "top" interface and the SDSL as the "bottom" interface.
> 
> The goal is to split the traffic between these connections based on the
> destination port; essential traffic - DNS, web, email, IM, ssh, telnet,
> etc. - will be routed through the top, and everything else will be routed
> through the bottom.
> 
> What is the best way to do this? I know I need two NAT rules, like this:
> nat on $i_top from $i_int/24 to any -> $i_top
> nat on $i_bottom from $i_int/24 to any -> $i_bottom
> 
> But I'm not clear on how port redirection should work. Should I set the
> router's default route to the top or bottom external interface? Should I
> use route-to or reply-to? I've been trying to implement a successful test
> case here, but nothing seems to work. A rule like:
> 
> pass in quick on $i_internal \
>    reply-to ($if_top $if_top_gw)\
>    proto tcp from any to any port 80
> 
> doesn't seem to do anything, even as the last rule in a set of passes. Will
> this work on 3.5, but not on 3.3?
> 
> Has anyone implemented something similar to this? I've read all of the PF
> manual, but the sections on splitting connections over multiple interfaces
> deal mostly with round-robin and the like, and don't mention scenarios
> like mine. Searching for tutorials, how-tos, and FAQs found plenty that
> really only dealt with single external interfaces. Any help you guys could
> throw me would be *much* appreciated.
> 
> Thanks a million!
> 
> 
> 
> -Coda