Re: Load Balance net connections w/ redirect

2005-07-18 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 James Harless
 Sent: Saturday, July 16, 2005 4:27 AM
 Cc: OpenBSD-misc list
 Subject: Re: Load Balance net connections w/ redirect
 
 I'm not sure I understand the suggestion.  Feel free to enlighten
 me... I'm completely open to ideas.
 
 James
 
 On 7/15/05, Will H. Backman [EMAIL PROTECTED] wrote:
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf
  Of
   James Harless
   Sent: Friday, July 15, 2005 2:33 PM
   To: misc@openbsd.org
   Subject: Load Balance net connections w/ redirect
  
   Hello all,
  
   I'm trying to redirect specific ports through a pf firewall that
   load-balances 2 outgoing net connections and having some problems.
   This firewall connects to 2 different ISPs.  It also performs
   greylisting and pre-filtering of mail for viruses(virii?).  I know
   that I need to work in the 'reply-to' option somehow but, I can't seem
   to get it working.
  
  Why not use an exterior routing protocol, which is designed to do
this?
 
 
 
 --
 What would Bilano do?

I'm making some assumptions about your setup.  In general, when you load
balance two connections, you use a routing protocol with your upstream
providers.  The routing protocol can detect link failures, and it is
important to have routing table updates at both ends of your internet
connections.



Re: Load Balance net connections w/ redirect

2005-07-18 Thread James Harless
Well, my objective is to have fail-over on the outbound connections,
primarily.  The load-balancing comes about because of that. 
Load-balancing is definitely not a requirement for this site and I
probably should have worded my email a bit differently.  One
connection is a cable modem and the other ADSL.

I really want the connections to fail-over when the other isn't
available.  I achieved this through the current configuration but,
maybe not in an optimal fashion.  I don't need to balance the incoming
connections (and don't want to) but, I'm having issues getting the
gateway to reply w/o balancing issues.

I've attached my newest pf.conf in the hopes that you might be able to
see my error.  This is (obviously) the first time I've worked with
this type of setup so, I'm uncertain where the issue lies.  It seems
like I need to get rdr and reply-to to work together but, maybe there
is a different method.

Thanks,

James



--


## pf.conf ##
ext_if1=fxp1
ext_gw1=2.2.2.2
ext_if2=fxp2
ext_gw2=3.3.3.3
int_if=fxp0
lan_net=192.168.1.1/24
exch_svr=192.168.1.150
exch_svc="{ 80, 443 }"

table <spamd> persist
table <spamd-white> persist
table <mywhite> persist file "/root/goodips"
table <myblack> persist file "/root/badips"

scrub in

# nat all outbound traffic on each interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr pass on $int_if proto tcp from $exch_svr to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd

rdr pass on $ext_if1 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp
rdr pass on $ext_if2 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd

**rdr on $ext_if1 proto tcp from any to port $exch_svc -> 192.168.1.150
**rdr on $ext_if1 proto tcp from any to port 407 -> 192.168.1.21

# Default block all traffic incoming & outgoing
block all

# pass all outgoing packets on internal interface
pass out quick on $int_if from any to $int_if:network
# pass in quick any packets destined for the gateway itself from the lan
pass in quick on $int_if from $int_if:network to $int_if

# load balance outgoing tcp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp & icmp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto { udp, icmp } from $lan_net to any keep state


# pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#   ext_if2 & $ext_gw2

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
   flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
   flags S/SA modulate state


pass quick on { lo }
antispoof quick for { lo }

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port ssh keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port ssh keep state

#pass in on $ext_if proto tcp to $ext_gw1 port > 49151 user proxy keep state

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port smtp keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port smtp keep state

**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  $exch_svr port $exch_svc keep state
**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  any port 407 keep state



Re: Load Balance net connections w/ redirect

2005-07-18 Thread Abraham Al-Saleh
On 7/18/05, James Harless [EMAIL PROTECTED] wrote:

 Well, my objective is to have fail-over on the outbound connections,
 primarily. The load-balancing comes about because of that.
 Load-balancing is definitely not a requirement for this site and I
 probably should have worded my email a bit differently. One
 connection is a cable modem and the other ADSL.

 I really want the connections to fail-over when the other isn't
 available. I achieved this through the current configuration but,
 maybe not in an optimal fashion. I don't need to balance the incoming
 connections (and don't want to) but, I'm having issues getting the
 gateway to reply w/o balancing issues.

 I've attached my newest pf.conf in the hopes that you might be able to
 see my error. This is (obviously) the first time I've worked with
 this type of setup so, I'm uncertain where the issue lies. It seems
 like I need to get rdr and reply-to to work together but, maybe there
 is a different method.

 Thanks,

 James

 snip


You'll probably save a lot of lines in your pf.conf if you just do this:

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) from any to \
$ext_if1 keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) from any to \
$ext_if2 keep state

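Putting James's posted rdr rules and Abraham's per-link reply-to rules together, the fragment below is an added example written for this page; it is neither James's pf.conf nor Abraham's exact rules. It reuses James's macros, tables, interface names and gateway addresses and makes the one change the two halves of the thread imply: the Internet-facing rdr rules lose their "pass" modifier. In pf.conf(5) of this era an "rdr pass" rule passes the matching packet without consulting the filter rules, so no reply-to is ever attached to the state, and the reply to a connection that arrived on $ext_if2 simply follows the default route. Without "pass", the filter rules run, see the post-rdr destination (127.0.0.1 or the internal host), and can pin the reply to the link the packet came in on. Assumed rather than taken from the thread: OpenBSD 3.7-era syntax, interface lists in "on", lan_net written as a network (192.168.1.0/24 instead of the posted 192.168.1.1/24), quoted table file names and the "flags S/SA" on the inbound rules; ports 80, 443 and 407 stay on $ext_if1 only, as in the posted rdr rules.

```pf
## Added example, not the configuration posted in this thread.
## Macro values and table names are James's; syntax is 3.7-era pf.conf(5).
ext_if1=fxp1
ext_gw1=2.2.2.2
ext_if2=fxp2
ext_gw2=3.3.3.3
int_if=fxp0
lan_net=192.168.1.0/24
exch_svr=192.168.1.150
exch_svc="{ 80, 443 }"

table <spamd> persist
table <spamd-white> persist
table <mywhite> persist file "/root/goodips"
table <myblack> persist file "/root/badips"

scrub in

# Source NAT on whichever link the packet leaves through.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# LAN-side redirects keep "pass": their replies go back to the LAN and
# never touch the two-ISP question.
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $exch_svr to port smtp -> 127.0.0.1 port smtp

# Internet-side redirects: translation only, no "pass". With "rdr pass"
# the packet is passed without consulting the filter rules, so no reply-to
# is attached to the state and replies to a connection that arrived on
# $ext_if2 leave via the default route with $ext_if2's source address.
rdr on { $ext_if1, $ext_if2 } proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr on { $ext_if1, $ext_if2 } proto tcp from <mywhite> to port smtp \
    -> 127.0.0.1 port smtp
rdr on { $ext_if1, $ext_if2 } proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd
rdr on $ext_if1 proto tcp from any to port $exch_svc -> $exch_svr
rdr on $ext_if1 proto tcp from any to port 407 -> 192.168.1.21

block all
antispoof quick for { lo }
pass quick on { lo }

pass out quick on $int_if from any to $int_if:network
pass in quick on $int_if from $int_if:network to $int_if

# Outbound: round-robin the two links; the last pair keeps traffic sourced
# from each link's own address on that link (James's rules, unchanged).
pass in quick on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in quick on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
    flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
    flags S/SA modulate state

# Inbound: the filter sees the post-rdr destination (127.0.0.1 or the
# internal host), so match on that and pin the reply to the arrival link.
# This is Abraham's per-link reply-to rule widened to the redirected hosts.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
    to { $ext_if1, 127.0.0.1 } port { ssh, smtp, spamd } flags S/SA keep state
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
    to $exch_svr port $exch_svc flags S/SA keep state
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any \
    to 192.168.1.21 port 407 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any \
    to { $ext_if2, 127.0.0.1 } port { ssh, smtp, spamd } flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading. To confirm that the fix took, open an SMTP connection to the $ext_if2 address from outside, then look at `pfctl -ss`: the state for that connection should be on the "pass in on $ext_if2" rule rather than on an rdr rule, and a `tcpdump -n -i fxp2` should show the SYN-ACK leaving on fxp2, not fxp1.
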


Re: Load Balance net connections w/ redirect

2005-07-16 Thread James Harless
I'm not sure I understand the suggestion.  Feel free to enlighten
me... I'm completely open to ideas.

James

On 7/15/05, Will H. Backman [EMAIL PROTECTED] wrote:
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of
  James Harless
  Sent: Friday, July 15, 2005 2:33 PM
  To: misc@openbsd.org
  Subject: Load Balance net connections w/ redirect
 
  Hello all,
 
  I'm trying to redirect specific ports through a pf firewall that
  load-balances 2 outgoing net connections and having some problems.
  This firewall connects to 2 different ISPs.  It also performs
  greylisting and pre-filtering of mail for viruses(virii?).  I know
  that I need to work in the 'reply-to' option somehow but, I can't seem
  to get it working.
 
 Why not use an exterior routing protocol, which is designed to do this?
 


-- 
What would Bilano do?