LinuxQuestions.org


August_Leaves 05-08-2009 01:47 PM

OpenBSD 4.3 pf+enc0+network balancing Help Needed.
 
LAN1 --- OpenBSD Box --- ext_if1 -- Internet VPN --- OpenBSD Box --- LAN2+
....................\__ ext_if2 --- Other Internet

That's what I need to do. The history is pretty simple. We had only one internet channel in the office, and recently added a second. My goal is to route-to all non-VPN traffic to ext_if2. I've been fighting with it for a few weeks, but with no noticeable success.

The VPN is managed through isakmpd="-K" and "ike esp" in ipsec.conf (easy enc0 interface).


That's my pf.conf before the new internet channel:

# vi /etc/pf.conf
# Macros
ext_if1 = "vr0"
ext_if2 = "vr1" # just added
int_if = "vr2"
remote_gw = "a.b.c.d"
remote_nets = "{10.10.0.0/24, 10.0.2.0/24, 10.205.1.0/24, 10.0.4.0/24}"
tcp_services = "{ 22 }"
icmp_types = "echoreq"

# Options
set block-policy return
set loginterface $ext_if1

# enc0 is not skipped: with "set skip on enc0" the enc0 rules below are
# never evaluated and the decapsulated VPN traffic passes unfiltered.
# Note that skipping $int_if also disables the ftp-proxy rdr on it.
set skip on {lo0, $int_if}

scrub in

# nat/rdr (the macro is $ext_if1; $ext_if was never defined and pf would refuse to load)
nat on $ext_if1 inet from !($ext_if1) -> ($ext_if1:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# pf
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { $ext_if1 $ext_if2 lo $int_if }

# vpn exchange
pass in on $ext_if1 proto esp from $remote_gw to $ext_if1
pass out on $ext_if1 proto esp from $ext_if1 to $remote_gw

pass in on $ext_if1 proto udp from $remote_gw to $ext_if1 port {isakmp, ipsec-nat-t}
pass out on $ext_if1 proto udp from $ext_if1 to $remote_gw port {isakmp, ipsec-nat-t}

pass in on enc0 proto ipencap from $remote_gw to $ext_if1 keep state (if-bound)
pass out on enc0 proto ipencap from $ext_if1 to $remote_gw keep state (if-bound)

pass in on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out on enc0 from $int_if:network to $remote_nets keep state (if-bound)

# services reachable on the firewall itself
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
port $tcp_services flags S/SA keep state

pass in on $int_if inet proto tcp from any to ($int_if) \
port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

Any means of splitting simple and encapsulated traffic will be greatly appreciated. :)
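Added example, not from this thread: the pieces of a pre-4.7 pf.conf (the syntax OpenBSD 4.3 uses) that send non-VPN LAN traffic out ext_if2 with route-to while VPN traffic keeps following the routing table and the IPsec flows on ext_if1. It reuses the posted macro names; the two ISP gateway addresses are placeholders, and the esp/isakmp/enc0 rules from the posted pf.conf are assumed to stay in place unchanged.

```pf
# Macros: same names as the posted pf.conf; gateway addresses are assumptions
ext_if1 = "vr0"
ext_if2 = "vr1"
int_if  = "vr2"
ext_gw1 = "192.0.2.1"      # assumed gateway of the ISP on vr0 (placeholder)
ext_gw2 = "198.51.100.1"   # assumed gateway of the ISP on vr1 (placeholder)
remote_gw = "a.b.c.d"

# A table rather than a {} list: "to !<remote_nets>" negates the whole set,
# whereas a negated list expands into several rules that together match everything.
table <remote_nets> const { 10.10.0.0/24, 10.0.2.0/24, 10.205.1.0/24, 10.0.4.0/24 }

# $int_if must not be in "set skip": route-to takes effect on the pass-in
# rule of the interface the LAN packet arrives on, so that rule has to run.
set skip on lo0

# One NAT rule per uplink; VPN-bound traffic is left un-NATed so it still
# matches the IPsec flow instead of being rewritten first.
nat on $ext_if1 from $int_if:network to !<remote_nets> -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

block in
pass out keep state

# Packets addressed to the firewall itself must not be route-to'd away from it.
pass in quick on $int_if from $int_if:network to $int_if keep state

# LAN -> VPN subnets: an ordinary pass, so the kernel routing table and the
# IPsec flows handle it and the ESP packets leave on $ext_if1 as before.
pass in quick on $int_if from $int_if:network to <remote_nets> keep state

# Everything else from the LAN is forced out the second uplink.
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    from $int_if:network to any keep state

# Connections that arrived on one uplink are answered through that uplink,
# otherwise replies would leave with a source address the other ISP drops.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any keep state
```

The ESP and isakmp packets the box generates itself are not affected by the route-to rules and follow the routing table, so the default route (or a static route to $remote_gw) must still point at $ext_gw1 on $ext_if1. After loading, `pfctl -s state` should show LAN connections to the VPN subnets on enc0 and all other LAN connections leaving on vr1.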

tekhead2 06-26-2009 11:47 AM

So let me get this straight: you've got two WAN links going to an OpenBSD router and you're trying to divert VPN traffic to the second WAN link instead of the main link? It sounds like you're trying to load balance dual WANs and dedicate one of the links to just a VPN connection? Is that what you're trying to accomplish?

