Hello,

I have what seems to be a simple problem, but I just can't manage to solve it. Here's an outline of the current setup:

- We have a FreeBSD 6.3 box acting as a NAT gateway (using PF) at an office
- There are two Internet links connected to the NAT gateway:
  * ADSL, via nve0
  * WiMax, via re0
- Both links are operating and get IPs from their corresponding ISPs via DHCP
- All communication between local hosts and the gateway is trusted (we're a small office of developers)

What I'm trying to accomplish:

- Create a $macro consisting of a few specific IPs out on the Internet
- Push all traffic directed to $macro IPs over the ADSL/nve0 link (with one exception, below)
- Push all other traffic, as well as SSH traffic directed to $macro IPs, over the WiMax/re0 link

I believe the WiMax link's gateway should be set as the default route, so that anything not specifically "caught" by PF will just go out that way.

The stage I'm at now is that I have a working pf.conf that is doing simple NAT for the WiMax link -- basically a run-of-the-mill, single-link NAT setup. I need to turn it into the above. Even just directing all traffic to $macro IPs over the ADSL link would be a great start for me -- I'm sure I can figure out the SSH specifics myself.

My current pf.conf, with some harmless attempts at setting up the above:


# Define interfaces
int_if = "sk0"
wimax_if = "re0"
dsl_if = "nve0"   # New addition

# Define special IPs
special_ips = "{ 66.11.119.68 }"

# Some basic options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo
set skip on $int_if

# Normalize packets to prevent fragmentation attacks
scrub on $wimax_if all fragment reassemble reassemble tcp no-df random-id max-mss 1400
scrub on $dsl_if all fragment reassemble reassemble tcp no-df random-id max-mss 1400   # New addition

# Set up ALTQ for the purpose of prioritizing outgoing ACK packets
altq on $wimax_if priq bandwidth 180Kb queue { pri, std }
altq on $dsl_if priq bandwidth 570Kb queue { pri, std }   # New addition

# Define priority queues
queue pri priority 7
queue std priority 1 priq(default)

# Do the NAT
nat on $wimax_if from $int_if:network to any -> ($wimax_if)
nat on $dsl_if from $int_if:network to $special_ips -> ($dsl_if) # New addition (macro name fixed: $special_ips, not the undefined $neo_ips)

# Block all incoming from Internet, but allow it out once it's been initiated from inside
block in on $wimax_if
pass out on $wimax_if inet proto tcp from $wimax_if to any flags S/SA keep state queue (std, pri)
pass out on $wimax_if inet proto { udp, icmp } from $wimax_if to any keep state
# some pass out rule for $special_ips here?

# Allow pinging of our WAN IP
pass in on $wimax_if inet proto icmp all icmp-type echoreq keep state
pass in on $dsl_if inet proto icmp all icmp-type echoreq keep state


Any and all help would be greatly appreciated. Thank you. :-)

-- Tom
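Added example, not Tom's config and not from this thread: one way to lay out the same pf.conf with the policy-routing part filled in, using PF's route-to on the LAN interface. It keeps Tom's interface names and the $special_ips macro. It assumes the ADSL gateway address is available in a macro called $dsl_gw; since both links get their addresses via DHCP, that value has to be written into the file (for instance by a dhclient-exit-hooks script) before pfctl loads it, and the placeholder 192.0.2.1 below is a constructed value. Two points this shows that the original file does not: `set skip on $int_if` has to go, because route-to is applied to packets as they arrive on the LAN interface and PF never inspects a skipped interface; and inbound traffic on the ADSL interface needs reply-to, or the replies leave via the default route on WiMax. The ALTQ lines from the original can be added back unchanged; they are left out here because they do not affect the routing decision.

```pf
# Interfaces (names as in the original post)
int_if   = "sk0"
wimax_if = "re0"
dsl_if   = "nve0"

# ASSUMED: the ADSL gateway from the DHCP lease on nve0. The address below is
# a constructed placeholder; fill it in (e.g. from dhclient-exit-hooks) before
# running "pfctl -f /etc/pf.conf".
dsl_gw   = "192.0.2.1"

special_ips = "{ 66.11.119.68 }"

set block-policy drop
set skip on lo
# Deliberately no "set skip on $int_if": route-to below must see LAN packets.

scrub on $wimax_if all fragment reassemble reassemble tcp no-df random-id max-mss 1400
scrub on $dsl_if   all fragment reassemble reassemble tcp no-df random-id max-mss 1400

# NAT: one rule per uplink, translating to whatever address that link holds.
# nat is applied on the interface a packet actually leaves on, so the
# route-to decision below selects which of these two rules is used.
nat on $wimax_if from $int_if:network to any          -> ($wimax_if)
nat on $dsl_if   from $int_if:network to $special_ips -> ($dsl_if)

# Default deny on both uplinks
block in on $wimax_if
block in on $dsl_if

# LAN side, first match wins because of "quick":
#  1. SSH to the special IPs is not redirected and so follows the default
#     route, which is the WiMax gateway.
#  2. Everything else to the special IPs is forced out via the ADSL link.
#  3. All other LAN traffic passes and follows the default route.
pass in quick on $int_if inet proto tcp from $int_if:network to $special_ips port 22 keep state
pass in quick on $int_if route-to ($dsl_if $dsl_gw) from $int_if:network to $special_ips keep state
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if keep state

# Uplinks: let locally initiated (post-NAT) traffic out on both links
pass out on $wimax_if inet proto tcp from ($wimax_if) to any flags S/SA keep state
pass out on $wimax_if inet proto { udp, icmp } from ($wimax_if) to any keep state
pass out on $dsl_if   inet proto tcp from ($dsl_if) to $special_ips flags S/SA keep state
pass out on $dsl_if   inet proto { udp, icmp } from ($dsl_if) to $special_ips keep state

# Pings to either WAN address. reply-to makes the echo reply leave via the
# link the request arrived on instead of via the default route.
pass in on $wimax_if inet proto icmp from any to ($wimax_if) icmp-type echoreq keep state
pass in on $dsl_if reply-to ($dsl_if $dsl_gw) inet proto icmp from any to ($dsl_if) icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the routing from a LAN host: `tcpdump -ni nve0 host 66.11.119.68` should show the HTTP (or whatever non-SSH) traffic leaving on the ADSL interface, while `tcpdump -ni re0 port 22` should show the SSH session to the same host on WiMax; `pfctl -ss` lists the states with the interface they were bound to. One more caveat that matters with two DHCP links: each dhclient will try to install its own default route, and the WiMax one must win, so the dhclient.conf stanza for nve0 should avoid taking a default route from that lease (for example with `supersede routers` pointing at nothing useful, or a hook that removes it) and $dsl_gw is then only used by the route-to and reply-to rules above.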
