
Load balance outgoing traffic



Hi,
I'm trying to load balance outgoing traffic, as suggested in the newest PF
FAQ. However, my config involves a DMZ, an internal interface, and one
external interface bound to two different IPs.
I evolved the suggested FAQ config into this one:
lan_net = "{ 172.0.0.0/8 192.168.0.0/16 }"
dmz_if  = "xl0"
int_if  = "xl1"
ext_if1 = "xl2"
ext_if2 = "xl2"
ext_gw1 = "200.199.88.254"
ext_gw2 = "200.223.47.201"
dmz_net = "200.199.88.0/27"
#  nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> \
	{ 200.223.47.206 200.199.88.253 }
# nat on $ext_if2 from $lan_net to any -> ($ext_if2)
#  default deny
# block in  from any to any
# block out from any to any
pass in quick from 200.164.87.200 to any keep state
#so I can always login...
pass in on $ext_if1 reply-to (xl2 200.199.88.254) from any to \
	{ 200.199.88.3, 200.199.88.6, 200.199.88.7, 200.199.88.8,
200.199.88.29} flags S/SA keep state
#  pass all outgoing packets on internal interface
pass out on { $int_if $dmz_if } from any to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
pass in quick on $dmz_if from $lan_net to $dmz_if
#  load balance outgoing tcp traffic from internal network.
pass in on { $dmz_if $int_if } route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
#  load balance outgoing udp and icmp traffic from internal network
pass in on { $dmz_if $int_if } route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state
#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) \
	from 200.223.47.206 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) \
	from 200.199.88.0/24 to any
My main problem now is that I can't connect to any server. Tcpdumping my
external interface shows:
23:47:42.026330 200.164.87.200.3539 > 200.199.88.6.110: S
822284698:822284698(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:47:42.041697 200.199.88.6.110 > 200.164.87.200.3539: S
182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK>
(DF) 
23:47:55.735084 200.199.88.6.110 > 200.164.87.200.3539: S
182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK>
(DF) 
23:48:14.103843 200.199.88.6.110 > 200.164.87.200.3539: S
182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK>
(DF) 
23:48:45.099651 200.199.88.6.110 > 200.164.87.200.3539: S
182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK>
(DF) 
23:49:46.937678 200.199.88.6.110 > 200.164.87.200.3539: R 0:0(0)
ack 1 win 0 (DF)
From what I see, packets coming to the POP server are received, answered,
and go out the external interface, but they never reach back to the
original sender.
As it's late, and I can't work out why this is happening, I decided to ask
you guys if you have any hints. I must say this is not my real
ruleset; I'm using it for learning before finally applying it to
production rules.
TIA!
TIA!
-- 
[]'s,
Fernando Braga
VCNet Ltda.
Maceió (AL), Brazil
[email protected]
+55 (82) 336-2079
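The tcpdump excerpt above shows the classic signature of a broken return path: the server's SYN/ACK is retransmitted over and over with no third-step ACK from the client, then the server gives up with an RST. The following is an added example (not part of the original post) that parses old-style BSD tcpdump output of this shape and flags such half-open flows; the second, completing flow in the sample is constructed to show that normal handshakes are not reported.

```python
import re
from collections import defaultdict

# Constructed sample trace modelled on the post's tcpdump output (old BSD
# tcpdump syntax: "src.port > dst.port: FLAGS ..."). The first flow is the
# one from the post; the second, completing flow is made up for contrast.
SAMPLE_TRACE = """\
23:47:42.026330 200.164.87.200.3539 > 200.199.88.6.110: S 822284698:822284698(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:47:42.041697 200.199.88.6.110 > 200.164.87.200.3539: S 182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK> (DF)
23:47:55.735084 200.199.88.6.110 > 200.164.87.200.3539: S 182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK> (DF)
23:48:14.103843 200.199.88.6.110 > 200.164.87.200.3539: S 182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK> (DF)
23:48:45.099651 200.199.88.6.110 > 200.164.87.200.3539: S 182352690:182352690(0) ack 822284699 win 17520 <mss 1460,nop,nop,sackOK> (DF)
23:49:46.937678 200.199.88.6.110 > 200.164.87.200.3539: R 0:0(0) ack 1 win 0 (DF)
23:50:01.000000 200.164.87.200.3540 > 200.199.88.6.110: S 1:1(0) win 16384 <mss 1460> (DF)
23:50:01.010000 200.199.88.6.110 > 200.164.87.200.3540: S 9:9(0) ack 2 win 17520 <mss 1460> (DF)
23:50:01.020000 200.164.87.200.3540 > 200.199.88.6.110: . ack 10 win 16384 (DF)
"""

# timestamp, src.port > dst.port: flags, then the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

def parse_trace(text):
    """Yield (src, sport, dst, dport, flags, is_ack) for each packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
               m["flags"], " ack " in m["rest"])

def find_half_open_flows(text, min_retransmits=2):
    """Return {(client, cport, server, sport): syn_ack_count} for flows where
    the server kept retransmitting SYN/ACK and the client's ACK never arrived.
    Repeated SYN/ACKs without a completing ACK point at a lost return path."""
    syn_acks = defaultdict(int)
    completed = set()
    for src, sport, dst, dport, flags, is_ack in parse_trace(text):
        if flags == "S" and is_ack:
            # SYN/ACK travels server -> client; key the flow by client first
            syn_acks[(dst, dport, src, sport)] += 1
        elif flags in (".", "P", "P.") and is_ack:
            # A plain ACK from the client completes the handshake
            completed.add((src, sport, dst, dport))
    return {f: n for f, n in syn_acks.items()
            if n >= min_retransmits and f not in completed}
```

Running `find_half_open_flows(SAMPLE_TRACE)` on the post's trace reports the 3539 flow with four unanswered SYN/ACKs and nothing for the completing 3540 flow.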