Hi all: We have a firewall with 4 interfaces (2 outside, to two different routers and ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy too. We want to do balancing on outgoing connections only for the web traffic. We have managed to do that, and now the packets are going out on ext_if and ext_if2, but they're all coming back in on ext_if, so those which arise from traffic on ext_if2 are rejected. Maybe a NAT problem, or is it related to stateful tables..... any idea?
This is the pf.conf:

#Interfaces
ext_if="em1"
int_if="em0"
ext_if2="em2"
dmz_if="rl0"
ext_gw="192.168.3.1"
ext_gw2="192.168.0.1"
loop="lo0"

#networks
ext_net="192.168.3.0/24"
int_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"

#some hosts
dmz_host="192.168.2.2" #this is the mail server and fax server (for the internal net)
private = "{127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}"
capaos= "{4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, 4500,\
59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}"

#options
set block-policy drop
set loginterface $ext_if
set optimization normal
#set skip on $loop

#normalizations
scrub in on $ext_if all
scrub in on $ext_if2 all

#nat / rdr
nat on $ext_if from !($ext_if) to any -> ($ext_if) #changed to these rules for the routing
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080 # squid
rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559 #hylafax

#rules
block in log all
block in quick inet6 all
block out quick inet6 all

#anti-scanner flags
block in log quick proto tcp all flags SF/SFRA
block in log quick proto tcp all flags SFUP/SFRAU
block in log quick proto tcp all flags FPU/SFRAUP
block in log quick proto tcp all flags /SFRA
block in log quick proto tcp all flags F/SFRA
block in log quick proto tcp all flags U/SFRAU
block in log quick proto tcp all flags P
#antispoof quick for {$int_if, $ext_if }
#block return in log on $ext_if proto {udp, tcp} all

#output load balancing tcp
pass out on $ext_if from any to any modulate state #I put that rule first so the second one matches the web traffic
pass out log on $ext_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from any to any port www keep state
pass in on $int_if all keep state
pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8 port 53 #NFS Memnoch (this is an NFS connection from DMZ to LAN)
pass out log on $int_if inet proto {tcp, udp} to 192.168.1.48 port 111
pass out log on $int_if inet proto {tcp, udp} to 192.168.1.48 port 2049
pass in log on $dmz_if all keep state #still not refined
pass out log on $dmz_if all keep state
pass out log on $ext_if2 from any to any modulate state # ext_if2 outgoing rule
#route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
#that's referenced in the FAQ..necessary? neither works..
#pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
#pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if proto tcp from any to any port \
    {111, 1080, 6000, 6667, 139, 4662}
block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if2 proto tcp from any to any port \
    {111, 1080, 6000, 6667, 139, 4662}
#block return-rst in log quick on $int_if proto tcp from any to any port \
#    {111, 1080, 6000, 6667, 139, 4662}

#Port blocking
block out log quick on $ext_if proto tcp from any to any port $capaos
block out log quick on $ext_if2 proto tcp from any to any port $capaos

#proxy
pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state

#ssh
pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
#pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state

#lo0
pass quick on lo0 all
----------------------------------------------------
Remember we want to balance the outgoing web traffic generated by the Squid proxy on the same machine.... Thanks in advance and greetings from Spain.... Jose M;
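For comparison, the multi-WAN pattern from the OpenBSD PF FAQ rewritten with the macros of the post above; this is an added example, not the poster's configuration or the FAQ text itself. It assumes the same interface, gateway and network macros, that $dmz_host is the mail server, and that the two "cross" route-to rules the poster commented out are needed whenever a packet carrying one ISP's address is about to leave by the other ISP's interface.

```pf
# Added example: PF FAQ multi-WAN layout with the poster's macros (assumed).
ext_if="em1"
ext_if2="em2"
int_if="em0"
ext_gw="192.168.3.1"
ext_gw2="192.168.0.1"
int_net="192.168.1.0/24"
dmz_host="192.168.2.2"

# One nat rule per external interface, so the source address becomes the
# address of the interface the packet actually leaves by.
nat on $ext_if  from !($ext_if)  to any -> ($ext_if)
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

# Inbound service on both ISPs; a connection that arrived on $ext_if2 must
# answer through $ext_gw2, otherwise the default route sends the reply to $ext_gw.
rdr on $ext_if  inet proto tcp from any to ($ext_if)  port smtp -> $dmz_host
rdr on $ext_if2 inet proto tcp from any to ($ext_if2) port smtp -> $dmz_host

block in log all

pass in on $ext_if inet proto tcp from any to $dmz_host port smtp \
    flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $dmz_host port smtp flags S/SA keep state

# LAN traffic: general rule first, the balancing rule last, because the last
# matching rule wins and the route-to must not be overridden.
pass in on $int_if from $int_net to any keep state
pass in on $int_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    inet proto tcp from $int_net to any flags S/SA modulate state

# Locally generated traffic (a proxy running on the firewall) is only seen by
# pf outbound, so its balancing rule has to be a pass out rule. Whether the nat
# rule on $ext_if2 then rewrites the source address is the point of the question.
pass out on $ext_if  from any to any keep state
pass out on $ext_if2 from any to any keep state
pass out on $ext_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    inet proto tcp from any to any port www flags S/SA modulate state

# Packets that routing hands to one interface but that carry the other
# interface's address are pushed out through the matching gateway.
pass out on $ext_if  route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if $ext_gw)   from ($ext_if)  to any
```

Load it with `pfctl -nf` first to check the syntax against the installed pf version, then compare `pfctl -ss` to see on which interface each balanced state is created.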