
RDR - Load Balanced Configuration



Similar to other posts on this list, I have created a "test" system running OpenBSD 3.6 snapshot and have configured PF so that all traffic is (sort of) load balanced between the two gateway interfaces on the pf box. The outgoing traffic is being load balanced round-robin style for outgoing traffic and incoming traffic works on both interfaces.

My problem is that I cannot seem to redirect traffic to my webserver on the internal LAN. Requests to either of the gw IPs get the OpenBSD webserver and not the server at 10.0.0.100 on the LAN as indicated by the rdr rules. I intentionally removed the default block rules to simplify debugging.

Suggestions?

Network layout and pf.conf details are listed below:

rl0, ext_if1 = ADSL (DHCP client)
rl1, ext_if2 = Cable broadband (DHCP client)
xl0, int_if  = LAN and DHCP server.


          __________
rl0 ------| OBSD 3.6 |
          |    PF    |---- xl0 ----- LAN
rl1 ------|__________|


pf.conf
______________________
lan_net = "10.0.0.0/24"
int_if  = "xl0"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_gw1 = "192.168.0.1"
ext_gw2 = "70.64.64.1"
server  = "10.0.0.100"

#  nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# redirect (port forward) desired ports
rdr on $ext_if1 proto tcp from any to $ext_gw1 port www -> $server port www
rdr on $ext_if2 proto tcp from any to $ext_gw2 port www -> $server port www


#  default deny
#block in log all
#block out from any to any

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

pass in on { $ext_if1, $ext_if2 } proto tcp from any to $server port www keep state
pass out on { $ext_if1, $ext_if2 } from $lan_net to any modulate state
______________________



ifconfig


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:40:05:89:66:49
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::240:5ff:fe89:6649%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:40:05:83:24:34
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::240:5ff:fe83:2434%rl1 prefixlen 64 scopeid 0x2
        inet 70.64.66.115 netmask 0xfffffc00 broadcast 255.255.255.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:b0:d0:de:df:07
        media: Ethernet autoselect (none)
        status: no carrier
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::2b0:d0ff:fede:df07%xl0 prefixlen 64 scopeid 0x3



Thanks,

--
Scott A. Gerhardt, P.Geo.
Gerhardt Information Technologies
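
Added example, not part of the post above. The rdr rules in the post match packets addressed to $ext_gw1 and $ext_gw2, which per the ifconfig output are the upstream routers (192.168.0.1 and 70.64.64.1); the box's own external addresses are 192.168.0.3 on rl0 and 70.64.66.115 on rl1, and both are assigned by DHCP. The fragment below shows the two things a multi-WAN port forward normally needs: an rdr keyed on the interface's own current address using pf's parenthesised interface syntax, and a reply-to on the matching pass rule so the web server's replies leave through the link the request arrived on. The macros are the post's; the rules are an illustration of the pattern, not a tested replacement for that configuration.

```pf
# Added example (not from the original post). Macros as in the post:
lan_net = "10.0.0.0/24"
int_if  = "xl0"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_gw1 = "192.168.0.1"
ext_gw2 = "70.64.64.1"
server  = "10.0.0.100"

# Redirect on the address the interface currently holds. The parenthesised
# form is re-evaluated when DHCP changes the address, so the rule does not
# need to know it in advance. $ext_gw1/$ext_gw2 are the upstream routers'
# addresses and are never the destination of a packet that reaches this box,
# so a rule keyed on them never matches and the local httpd answers instead.
rdr on $ext_if1 proto tcp from any to ($ext_if1) port www -> $server port www
rdr on $ext_if2 proto tcp from any to ($ext_if2) port www -> $server port www

# Pass the redirected traffic and pin the reply path to the link it came in
# on. Without reply-to the replies follow the default route and can leave via
# the other ISP carrying a source address that ISP will drop.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $server port www flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $server port www flags S/SA keep state
```

To check the result: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sn` prints the translation (nat/rdr) rules as pf expanded them, including the address each parenthesised interface currently resolves to, and `pfctl -ss` shows whether a state for port 80 is created against 10.0.0.100 when a request arrives on either external address.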