I am posting this solution in the hope that it might help someone else who has been searching for the answer to running multiple external interfaces and wishes to load balance outgoing private LAN traffic and also have all these interfaces available for incoming connections to a DMZ server. I claim no credit for this since it is a formulation of many posts to various mailing lists.

example:
## NAT section
#Standard natting for outgoing connections.
nat on $ext_if1 from {$private_net, $dmz_srv} to any -> $ext_if1_ip
nat on $ext_if2 from {$private_net, $dmz_srv} to any -> $ext_if2_ip
nat on $ext_if3 from {$private_net, $dmz_srv} to any -> $ext_if3_ip

#These rdr rules send the incoming connections on the ext_if's to the dmz server.
rdr on $ext_if1 inet proto tcp from any to $ext_if1_ip port { 25, 80, 110 } -> $dmz_srv
rdr on $ext_if2 inet proto tcp from any to $ext_if2_ip port { 25, 80, 110 } -> $dmz_srv
rdr on $ext_if3 inet proto tcp from any to $ext_if3_ip port { 25, 80, 110 } -> $dmz_srv

#This rdr rule sends traffic from the lan destined for services on the ext interfaces to the dmz since the previous rdr rules will have no effect.
rdr on $int_if inet proto tcp to { $ext_if1_ip, $ext_if2_ip, $ext_if3_ip } port { 80, 25, 110 } -> $dmz_srv

## RULES section
#The following rules ensure that traffic incoming on the various interfaces is routed back out the same interface it arrived on.
pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_if1_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_if2_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state
pass in quick on $ext_if3 reply-to ( $ext_if3 $ext_if3_router ) inet proto tcp from any to $dmz_srv port { 25, 80, 110 } flags S/SA keep state

#Now to load balance the outgoing traffic. The previous sections are not needed if you do not accept incoming connections.
pass in on $int_if route-to { ($ext_if1 $ext_if1_router), ($ext_if2 $ext_if2_router), ($ext_if3 $ext_if3_router) } round-robin from $private_net to any keep state

# The following ensure that packets originating from the lan are routed out the correct interface. Although I have found my setup works fine without these, the pf gurus recommend it.
pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any

Be advised that there could be errors as this was typed in a rush and adapted from our own ruleset for the sake of ease of reading.
--
Regards
Leon Botes

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
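As an added example (not Leon's own file), the fragments above assembled into a complete pf.conf that pfctl will load: macro definitions with hypothetical interface names and documentation-range addresses, a default block, and one extra `quick` rule that keeps LAN traffic to the DMZ server, including connections the `$int_if` rdr rule has already rewritten to `$dmz_srv`, off the round-robin path so it is not pushed out a WAN link.

```pf
# Added worked example: complete pf.conf built from the posted ruleset.
# Interface names and addresses are hypothetical placeholders; replace them.
ext_if1 = "em0"
ext_if2 = "em1"
ext_if3 = "em2"
int_if  = "em3"
dmz_if  = "em4"

ext_if1_ip     = "192.0.2.10"
ext_if1_router = "192.0.2.1"
ext_if2_ip     = "198.51.100.10"
ext_if2_router = "198.51.100.1"
ext_if3_ip     = "203.0.113.10"
ext_if3_router = "203.0.113.1"

private_net = "10.0.0.0/24"
dmz_srv     = "10.1.0.10"
dmz_ports   = "{ 25, 80, 110 }"

set skip on lo0

## NAT section
# Outgoing connections are translated to the address of whichever
# external interface they leave on.
nat on $ext_if1 from { $private_net, $dmz_srv } to any -> $ext_if1_ip
nat on $ext_if2 from { $private_net, $dmz_srv } to any -> $ext_if2_ip
nat on $ext_if3 from { $private_net, $dmz_srv } to any -> $ext_if3_ip

# Inbound service connections on each public address go to the DMZ server.
rdr on $ext_if1 inet proto tcp from any to $ext_if1_ip port $dmz_ports -> $dmz_srv
rdr on $ext_if2 inet proto tcp from any to $ext_if2_ip port $dmz_ports -> $dmz_srv
rdr on $ext_if3 inet proto tcp from any to $ext_if3_ip port $dmz_ports -> $dmz_srv

# LAN clients using the public addresses are redirected too; the external
# rdr rules never see packets that enter on $int_if.
rdr on $int_if inet proto tcp from $private_net to { $ext_if1_ip, $ext_if2_ip, $ext_if3_ip } port $dmz_ports -> $dmz_srv

## RULES section
# Default deny: only the rules below open anything.
block log all

# Inbound connections to the DMZ server. reply-to sends the server's
# replies back out the interface and gateway the connection arrived on,
# instead of the default route.
pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_if1_router ) inet proto tcp from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_if2_router ) inet proto tcp from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in quick on $ext_if3 reply-to ( $ext_if3 $ext_if3_router ) inet proto tcp from any to $dmz_srv port $dmz_ports flags S/SA keep state

# Added rule (assumption, not in the post): LAN traffic to the DMZ server
# or to the firewall itself must not be load balanced out a WAN link.
# Filtering happens after rdr, so LAN connections rewritten to $dmz_srv
# above also match here and stay local. quick makes this win over the
# route-to rule that follows.
pass in quick on $int_if from $private_net to { $dmz_srv, $int_if } keep state

# Everything else from the LAN is spread over the three uplinks. keep state
# pins each connection to the path its first packet took.
pass in on $int_if route-to { ($ext_if1 $ext_if1_router), ($ext_if2 $ext_if2_router), ($ext_if3 $ext_if3_router) } round-robin from $private_net to any keep state

# Packets carrying one uplink's address that the routing table sent out
# another uplink are redirected to the matching gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_if3_router) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_if1_router) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_if2_router) from $ext_if2 to any
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before `pfctl -f /etc/pf.conf`; afterwards `pfctl -sn` and `pfctl -sr` show the translation and filter rules as loaded, and `pfctl -ss` lists the states, which is the quickest way to confirm that an inbound DMZ connection and its replies are being tracked as a single state rather than hitting `block log all` on the way back out.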
