Hi all,

I'm trying to create a dynamic DNS multihoming solution with a pf
firewall router. I posted the complete description in
<17096700.0310311650.488dcb9d@posting.google.com > (1) but I'll post
the portion relevant to my question here.

Let's say that we have two ISPs:
ISP1 provides us with addresses 1.1.1.0/24
ISP2 provides us with addresses 2.2.2.0/24

If I have the following pf configuration, I need to ensure that
answers to packets coming from ISP1 will use ISP1, and the answer to
the ones coming from ISP2 will use ISP2. I'm pretty sure that this is
what will happen, but I'd like to have a confirmation from people who
know about pf.

accept quick on $isp1 from any to 1.1.1.40 port 80
binat on $isp1 from 10.10.1.40 to any -> 1.1.1.40
accept quick on $isp2 from any to 2.2.2.40 port 80
binat on $isp2 from 10.10.2.40 to any -> 2.2.2.40

Thanks a lot,
GFK's

Ref:
1: http://tinyurl.com/tfzm

--
Guillaume Filion, ing. jr
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/

On 3 Nov 2003 06:37:21 -0800, Guillaume Filion wrote:

> If I have the following pf configuration, I need to ensure that
> answers to packets coming from ISP1 will use ISP1, and the answer to
> the ones coming from ISP2 will use ISP2. I'm pretty sure that this is
> what will happen, but I'd like to have a confirmation from people who
> know about pf.

Outgoing replies to all incoming connections will go through the
(single) default gateway, by default. You can use 'reply-to' in the
rule creating state for the incoming connection to route replies
for connections coming from the non-default ISP back out through
the same ISP. See pf.conf(5). BTW, it's 'pass', not 'accept'

Daniel

Daniel Hartmeier <daniel@benzedrine.cx> wrote in message news:<slrnbqdipf.rru.daniel@insomnia.benzedrine.cx >...
> On 3 Nov 2003 06:37:21 -0800, Guillaume Filion wrote:
> > If I have the following pf configuration, I need to ensure that
> > answers to packets coming from ISP1 will use ISP1, and the answer to
> > the ones coming from ISP2 will use ISP2. I'm pretty sure that this is
> > what will happen, but I'd like to have a confirmation from people who
> > know about pf.
>
> Outgoing replies to all incoming connections will go through the
> (single) default gateway, by default. You can use 'reply-to' in the
> rule creating state for the incoming connection to route replies
> for connections coming from the non-default ISP back out through
> the same ISP. See pf.conf(5).

Oh, thanks for the explanation, I would have missed it completely.
While we're at it, my internal adressing scheme is that every source
address in the 10.10.1.0/24 subnet should go to ISP1 and that source
address in the 10.10.2.0/24 subnet should go to ISP2 (check out
http://tinyurl.com/tfzm for a complete explanation). With that in
mind, should I set it up using route-to, reply-to or both?

-- using only route-to --
pass in quick on $lan route-to $isp1:$isp1gw from 10.10.1.0/24 to any
binat on $isp1 from 10.10.1.40 to any -> 1.1.1.40
pass in quick on $lan route-to $isp2:$isp2gw from 10.10.2.0/24 to any
binat on $isp2 from 10.10.2.40 to any -> 2.2.2.40
-- using only reply-to --
pass in quick on $isp1 reply-to $isp1:$isp1gw from any to 1.1.1.40
port 80 keep state
binat on $isp1 from 10.10.1.40 to any -> 1.1.1.40
pass in quick on $isp2 reply-to $isp2:$isp2gw from any to 2.2.2.40
port 80 keep state
binat on $isp2 from 10.10.2.40 to any -> 2.2.2.40
-- using both --
pass in quick on $lan route-to $isp1:$isp1gw from 10.10.1.0/24 to any
pass in quick on $isp1 reply-to $isp1:$isp1gw from any to 1.1.1.40
port 80 keep state
binat on $isp1 from 10.10.1.40 to any -> 1.1.1.40
pass in quick on $lan route-to $isp2:$isp2gw from 10.10.2.0/24 to any
pass in quick on $isp2 reply-to $isp2:$isp2gw from any to 2.2.2.40
port 80 keep state
binat on $isp2 from 10.10.2.40 to any -> 2.2.2.40
----

Also, do I need to use the 'keep state' option for reply-to to work?

> BTW, it's 'pass', not 'accept'

Doh! That's what happens when you don't test things before posting
them...

Thanks,
GFK's
--
Guillaume Filion, ing. jr
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/

On 4 Nov 2003 08:03:26 -0800, Guillaume Filion wrote:

> While we're at it, my internal adressing scheme is that every source
> address in the 10.10.1.0/24 subnet should go to ISP1 and that source
> address in the 10.10.2.0/24 subnet should go to ISP2 (check out
> http://tinyurl.com/tfzm for a complete explanation). With that in
> mind, should I set it up using route-to, reply-to or both?

route-to only affects packets flowing in the same direction as the
packet that created the state entry, while reply-to only affects
packets that flow in the reverse direction (of the initial packet).

So, you need both to achieve both goals:

a) Use route-to on the rules that cover outgoing connections,
like

pass in on $lan route-to ($isp1 $isp1gw) from 10.10.1.0/24 \
to any keep state

b) Use reply-to on the rules that cover incoming connections, like

pass in on $isp1 reply-to ($isp1 $isp1gw) from any \
to 1.1.1.40 port 80 keep state

If you filter on all interfaces, you can use route-to and reply-to
on either the internal or external interfaces, you might have to
adjust source/destination address matching depending on whether
binat translation has already happened when the packet is filtered
(translation happens before filtering, on each interface).

And passing a connection on one interface (with keep state) does
not automatically pass the connection through another interface.
When filtering on all interface, you have to pass the connection
in on one interface and pass it out on the other(s), creating
two separate state entries for each connection passing through
the firewall.

BTW, all translation rules must come first (before any filter
rules) in pf.conf. It's hard to get a complete ruleset right
without actually trying and loading it, so I suggest you
start experimenting with a real machine

Daniel