This is a discussion on "pf multiple networks, two gateways, route-to question" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hello pf uber-users out there - I need your assistance.

I've been using pf for a couple of years now (love it to tears!) but never in this sort of situation and I want to know if this can even be done.

em0 is gateway to cable provider
em1 is gateway to dsl provider
em2 is network dmz for servers (nat'ed)
em3 is network for wireless (authpf/nat'ed)
em4 is network for internal machines (nat'ed)

Now what I have is the whole shebang nat'ed through to the dsl interface -- I have considered load balancing between the two, but have decided that the relative bandwidth variance (512Mbit/s on DSL + 3.2Mbit/s on Cable) would make everything half real fast and half not so fast. Ideally what I would like is to be able to do the following:

1) rdr critical ports from both the cable and dsl interfaces to the servers in the dmz and _have it go back out on the same interface_ -> I'm running into trouble getting the packets to go back out the cable interface, my guess is because the dsl is my default gateway. Resolutions to this? I could do a reverse nat rule so that requests to the cable interface appear to the server as coming from the nat box itself, but I'd like to have a better solution if one exists... I tried to use a route-to rule to fix it up but it didn't seem to work right. Your advice is greatly appreciated.

2) nat everything from em4 through to the cable, unless cable is offline then automatic failover to the dsl (no problem scripting that - but if there are any issues I should be aware of in setting this up do give me a heads up)

Thanks a lot,
Adam
--
"Mr. Spock, letting yourself get hit on the head is not something King Solomon would approve." -- Captain Kirk

"Adam Taube" <nospam@thenewsgroups.com> wrote:
%Hello pf uber-users out there - I need your assistance.
%
%I've been using pf for a couple of years now (love it to tears!) but never
%in this sort of situation and I want to know if this can even be done.
%
%em0 is gateway to cable provider
%em1 is gateway to dsl provider
%em2 is network dmz for servers (nat'ed)
%em3 is network for wireless (authpf/nat'ed)
%em4 is network for internal machines (nat'ed)
%
%Now what I have is the whole shebang nat'ed through to the dsl interface --
%I have considered load balancing between the two, but have decided that the
%relative bandwidth variance (512Mbit/s on DSL + 3.2Mbit/s on Cable) would
%make everything half real fast and half not so fast. Ideally what I would
%like is to be able to do the following:
%
%1) rdr critical ports from both the cable and dsl interfaces to the servers
%in the dmz and _have it go back out on the same interface_ -> I'm running
%into trouble getting the packets to go back out the cable interface, my
%guess is because the dsl is my default gateway. Resolutions to this? I
%could do a reverse nat rule so that requests to the cable interface appear
%to the server as coming from the nat box itself, but I'd like to have a
%better solution if one exists... I tried to use a route-to rule to fix it
%up but it didn't seem to work right. Your advice is greatly appreciated.
%
%2) nat everything from em4 through to the cable, unless cable is offline
%then automatic failover to the dsl (no problem scripting that - but if there
%are any issues I should be aware of in setting this up do give me a heads
%up)

Adam, I tried a similar set up (2 outside lines and 2 inside subnets with each outside line feeding one subnet) and couldn't get anything to go through the second outside line.

Ben

Adam Taube wrote:
> Hello pf uber-users out there - I need your assistance.
>
> I've been using pf for a couple of years now (love it to tears!) but never
> in this sort of situation and I want to know if this can even be done.
>
> em0 is gateway to cable provider
> em1 is gateway to dsl provider
> em2 is network dmz for servers (nat'ed)
> em3 is network for wireless (authpf/nat'ed)
> em4 is network for internal machines (nat'ed)
>
> Now what I have is the whole shebang nat'ed through to the dsl interface --
> I have considered load balancing between the two, but have decided that the
> relative bandwidth variance (512Mbit/s on DSL + 3.2Mbit/s on Cable) would
> make everything half real fast and half not so fast. Ideally what I would
> like is to be able to do the following:
>
> 1) rdr critical ports from both the cable and dsl interfaces to the servers
> in the dmz and _have it go back out on the same interface_ -> I'm running
> into trouble getting the packets to go back out the cable interface, my
> guess is because the dsl is my default gateway. Resolutions to this? I
> could do a reverse nat rule so that requests to the cable interface appear
> to the server as coming from the nat box itself, but I'd like to have a
> better solution if one exists... I tried to use a route-to rule to fix it
> up but it didn't seem to work right. Your advice is greatly appreciated.
>
> 2) nat everything from em4 through to the cable, unless cable is offline
> then automatic failover to the dsl (no problem scripting that - but if there
> are any issues I should be aware of in setting this up do give me a heads
> up)
>
> Thanks a lot,
> Adam
>

Hi,

Have a look at the Internet Router Discovery Protocol that comes with gated, quagga or routed. A very nice way to announce default gateways. Might help in that situation.

Gernot

"Ben" <bluesky6@ix.netcom.com> wrote in message news:hkecl0po9vb3aadacogo8ioc2ni0e31rmk@4ax.com...
> "Adam Taube" <nospam@thenewsgroups.com> wrote:
>>
> Adam, I tried a similar set up (2 outside lines and 2 inside subnet
> with each outside line feeding one subnet) and couldn't get anything
> to go through the second outside line.
>
> Ben

Oh man... that's making me cry! ;-)

Adam

"Gernot W. Schmied" <gernot.schmied@chello.at> wrote in message news:IvC5d.312019$vG5.193949@news.chello.at...
> Adam Taube wrote:
> Hi,
>
> Have a look at the Internet Router Discovery Protocol that comes with
> gated, quagga or routed. A very nice way to announce default gateways.
> Might help in that situation.
>
> Gernot

Will do. Thanks Gernot :-)

Adam

Gernot W. Schmied wrote:
> Adam Taube wrote:
>
>> Hello pf uber-users out there - I need your assistance.
>>
>> I've been using pf for a couple of years now (love it to tears!) but
>> never in this sort of situation and I want to know if this can even be done.
>>
>> em0 is gateway to cable provider
>> em1 is gateway to dsl provider
>> em2 is network dmz for servers (nat'ed)
>> em3 is network for wireless (authpf/nat'ed)
>> em4 is network for internal machines (nat'ed)
>>
>> Now what I have is the whole shebang nat'ed through to the dsl
>> interface -- I have considered load balancing between the two, but
>> have decided that the relative bandwidth variance (512Mbit/s on DSL
>> + 3.2Mbit/s on Cable) would make everything half real fast and half
>> not so fast. Ideally what I would like is to be able to do the following:
>>
>> 1) rdr critical ports from both the cable and dsl interfaces to the
>> servers in the dmz and _have it go back out on the same interface_ ->
>> I'm running into trouble getting the packets to go back out the cable
>> interface, my guess is because the dsl is my default gateway.
>> Resolutions to this? I could do a reverse nat rule so that requests to
>> the cable interface appear to the server as coming from the nat box
>> itself, but I'd like to have a better solution if one exists... I tried
>> to use a route-to rule to fix it up but it didn't seem to work right.
>> Your advice is greatly appreciated.
>>
>> 2) nat everything from em4 through to the cable, unless cable is offline
>> then automatic failover to the dsl (no problem scripting that - but if
>> there are any issues I should be aware of in setting this up do give me
>> a heads up)
>>
>> Thanks a lot,
>> Adam
>>
>
> Hi,
>
> Have a look at the Internet Router Discovery Protocol that comes with
> gated, quagga or routed. A very nice way to announce default gateways.
> Might help in that situation.
>
> Gernot

How would gated work with PF?

Sam

"sam" <samwun@hgcbroadband.com> wrote in message news:cj7u06$12s8$1@news.hgc.com.hk...
> Gernot W. Schmied wrote:
> > Have a look at the Internet Router Discovery Protocol that comes with
> > gated, quagga or routed. A very nice way to announce default gateways.
> > Might help in that situation.
> How would gated work with PF?
>
> Sam

Yeah, I'm wondering. From the looks of it I would have to have a routed/gated/zebra (pick one) box between my OpenBSD pf box and the two internet connections... which wouldn't be a problem, but I was hoping I could do this all on the box I have already set up.

Is it possible to route replies from machines in the dmz to go back out through the network the original request came on? If so, how? That is the question which seems to be eluding us...

I suppose another possibility is to have two OpenBSD firewalls running pf, one for each ISP, that would both be connected to their own dmz's, the servers in there having two network interfaces and their services listening on both... but that's starting to sound like overkill to me. It makes sense that there ought to be a slimmer, more elegant solution... especially with our beloved pf ;-)

Adam

"Adam Taube" <nospam@thenewsgroups.com> wrote:
%
%"Ben" <bluesky6@ix.netcom.com> wrote in message
%news:hkecl0po9vb3aadacogo8ioc2ni0e31rmk@4ax.com...
%> "Adam Taube" <nospam@thenewsgroups.com> wrote:
%>>
%> Adam, I tried a similar set up (2 outside lines and 2 inside subnet
%> with each outside line feeding one subnet) and couldn't get anything
%> to go through the second outside line.
%>
%> Ben
%
%Oh man... that's making me cry! ;-)

Well, if you find a one machine solution, post it here. :-)

Ben

> Well, if you find a one machine solution, post it here. :-)

Still looking... but if I do I will -- course I'm starting to lose hope. Hmmmpf - might just have to go with a separate box as a router. Unless anyone else has any ideas? Anyone? Cookies for the one who volunteers the info! ;-)

Adam

I have something LIKE this (not exactly) working. It took a while for the redir + nat + route/reply to sink in.

Here is what I have (mail server example):

3 leg OBSD 3.5
internal: $int_if
external link #1: $ext_if1 / gateway: $ext_gw1
external link #2: $ext_if2 / gateway: $ext_gw2

rdr on $ext_if1 proto tcp from any to $ext_ip1 port 25 -> $mailserver port 25
rdr on $ext_if2 proto tcp from any to $ext_ip2 port 25 -> $mailserver port 25

pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp \
    from any to $mailserver port 25
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $mailserver port 25

Note:
1) Do NOT try to use a single rdr + pass rule - you cannot use this rule type in conjunction with a reply-to statement.
2) The pass rules are working on post NAT translated addresses.
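As an added illustration (not posted by anyone in the thread), here is the rdr + reply-to pattern from the post above applied to Adam's five-interface layout, with route-to covering his second question. It is OpenBSD 3.5-era pf.conf syntax, and every address, gateway and the $mailserver host are assumed values.

```pf
# Added example (not from the thread): Adam's five-interface box, using the
# rdr + reply-to pattern from the last post for question 1 and route-to for
# question 2. OpenBSD 3.5-era syntax; every address and gateway is assumed.
cable_if = "em0"
cable_gw = "203.0.113.1"       # assumed cable provider gateway
cable_ip = "203.0.113.10"      # assumed address on em0
dsl_if   = "em1"               # the default route points out here
dsl_gw   = "198.51.100.1"      # assumed DSL provider gateway
dsl_ip   = "198.51.100.10"     # assumed address on em1
dmz_if   = "em2"
wifi_if  = "em3"
int_if   = "em4"
dmz_net  = "10.0.2.0/24"       # assumed
wifi_net = "10.0.3.0/24"       # assumed
int_net  = "10.0.4.0/24"       # assumed
mailserver = "10.0.2.25"       # assumed DMZ host

# NAT on both uplinks. Which rule fires is decided by the interface the
# packet actually leaves on, so route-to below picks the translation too.
nat on $cable_if from { $dmz_net $wifi_net $int_net } to any -> ($cable_if)
nat on $dsl_if   from { $dmz_net $wifi_net $int_net } to any -> ($dsl_if)

# Question 1: redirect port 25 on each uplink to the same DMZ host ...
rdr on $cable_if proto tcp from any to $cable_ip port 25 -> $mailserver port 25
rdr on $dsl_if   proto tcp from any to $dsl_ip   port 25 -> $mailserver port 25

block in log all

# ... and pin the replies to the uplink the request came in on. The pass
# rule sees the post-rdr destination; reply-to makes the return packets of
# this state leave via that gateway instead of the default route. rdr and
# pass stay separate because the "rdr ... pass" shortcut cannot carry reply-to.
pass in quick on $cable_if reply-to ($cable_if $cable_gw) inet proto tcp \
    from any to $mailserver port 25 flags S/SA keep state
pass in quick on $dsl_if   reply-to ($dsl_if $dsl_gw)     inet proto tcp \
    from any to $mailserver port 25 flags S/SA keep state

# Question 2: internal LAN leaves via cable regardless of the default route.
# Swapping this route-to for ($dsl_if $dsl_gw) and reloading with
# "pfctl -f /etc/pf.conf" is the failover switch a watchdog script would
# flip; states created before the reload keep their original route.
pass in on $int_if route-to ($cable_if $cable_gw) inet \
    from $int_net to any keep state
# DMZ and wireless keep using the default route (DSL).
pass in on $dmz_if  inet from $dmz_net  to any keep state
pass in on $wifi_if inet from $wifi_net to any keep state
pass out on { $cable_if $dsl_if } inet keep state
```

On OpenBSD 4.7 and later the separate nat and rdr rules become nat-to and rdr-to options on pass or match rules and state is kept by default, but reply-to and route-to behave the same way.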