I have the following set up in a lab:
[WinXP]----(LAN)[edgefw](WAN1)----(Link1)[mock-  ](WAN)----[to my "real" LAN]
                [      ](WAN2)----(Link2)[router](LAN)----[Win7]
The WinXP box has a chargen server running for testing (I just installed
the Windows XP Simple Internet Services).
Edgefw and mockrouter are running pfSense 2.0-RC1.
What this setup is intended to simulate is a Multi-WAN scenario, where
edgefw is the router for a LAN which has two different WAN connections
that are NATed.
Mockrouter is inserted into the mix simply to simulate the two separate
Internet connections (Link1 and Link2). Mockrouter's WAN connection to
my real LAN is just a convenience for me so I can still access the web
on my lab machines and not strictly relevant to the lab.
Edgefw is configured with two WAN connections, and has a default route
out of both of them. The specific part of this setup I'm having
difficulty with is routing reply packets for TCP connections.
What I have done is that I've made two port forwards on edgefw, from the
WAN1 edge IP and the WAN2 edge IP into the WinXP machine on the TCP
chargen port.
When WAN1 is the default gateway, if I connect from my Win7 box to
edgefw's WAN1 IP on the chargen port packets in both directions flow
through WAN1. This is to be expected.
If I instead connect the same way, but with WAN2's IP, the packets going
from Win7 to WinXP flow through WAN2, which is to be expected. However,
packets returning on the same connection will exit on WAN1, which is
expected but not desired - WAN1 is the default route after all, and
it's not like the kernel makes routing decisions based on pf's state table.
To solve this problem, I googled, and I turned up with the following
solution that applies to hand-written pf that I believe would work in my
scenario:
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
This is taken from the PF User's Guide
(http://www.openbsd.org/faq/pf/pools.html)
So, I tried to replicate this very set of rules using the Floating Rules
functionality. I set a rule that would match packets exiting WAN1 with
WAN2's source IP address, and perform policy routing on it to shove it
out over WAN2 instead. And vice versa. This however did nothing. I tried
enabling logging on these rules, and it seems that they are never matched.
I'm at a loss as to how to solve this at the moment. I'm suspecting that
perhaps the return packets are never subject to firewall rules to begin
with (since they are part of a known state) or perhaps, that the
floating rules are applied too early (before NATing) or too late (never
reached?) in the complete ruleset.
What I'm trying to accomplish does not seem too far out of the ordinary.
Am I missing something, or is this something that is not achievable with
pfSense? Do I need to build a generic BSD box instead and hand-roll my
rules?
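As an added illustration (not from the poster or from pfSense's generated ruleset), here is a hand-written pf.conf fragment in the older nat/rdr syntax that pfSense 2.0's pf uses, showing the two route-to rules from the PF User's Guide together with reply-to on the inbound port-forward rules, the companion keyword from the same guide page that pins a state's return traffic to the link it arrived on. Interface names, addresses and gateways are assumed lab values.

```pf
# Assumed lab values; substitute the real interface names and next hops.
ext_if1 = "em0"           # WAN1 (Link1)
ext_if2 = "em1"           # WAN2 (Link2)
int_if  = "em2"           # LAN
ext_gw1 = "192.0.2.1"     # next hop on Link1
ext_gw2 = "198.51.100.1"  # next hop on Link2
winxp   = "10.0.0.10"     # chargen server on the LAN
chargen = "19"

# Outbound NAT on whichever WAN the packet leaves on.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

# Port forwards from each edge address to the WinXP chargen server.
rdr on $ext_if1 proto tcp from any to ($ext_if1) port $chargen -> $winxp
rdr on $ext_if2 proto tcp from any to ($ext_if2) port $chargen -> $winxp

# Filter the forwarded connections (rdr has already rewritten the
# destination). reply-to records the arrival interface and gateway in
# the state, so replies for a WAN2 connection leave via WAN2 even though
# WAN1 holds the default route; this is what a plain "pass out" rule on
# the reply path cannot do, because state matches bypass the ruleset.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $winxp port $chargen keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $winxp port $chargen keep state

# The guide's route-to pair: a locally sourced packet about to leave the
# wrong WAN with the other WAN's address is redirected to its own link.
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass out on { $ext_if1 $ext_if2 } keep state
```

Verify with `pfctl -nf /etc/pf.conf` (syntax check only) and, after loading, inspect `pfctl -ss` to confirm the WAN2 chargen state lists the WAN2 interface and gateway as its reply path.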