#1  05-08-2009, 01:47 PM  (August_Leaves, LQ Newbie)
OpenBSD 4.3 pf+enc0+network balancing Help Needed.

LAN1 --- OpenBSD Box --- ext_if1 -- Internet VPN --- OpenBSD Box --- LAN2+
....................\__ ext_if2 --- Other Internet

That's what I need to do. The history is pretty simple: we had only one internet channel in the office, and recently added a second. My goal is to route-to all non-VPN traffic to ext_if2. I've been fighting with it for a few weeks, with no noticeable success.

The VPN is managed through isakmpd="-K" and "ike esp" in ipsec.conf (easy enc0 interface).

That's my pf.conf before the new internet channel:
# vi /etc/pf.conf
ext_if1 = "vr0"
ext_if2 = "vr1" # just added
int_if = "vr2"
remote_gw = "a.b.c.d"
remote_nets = "{,,,}"
tcp_services = "{ 22 }"
icmp_types = "echoreq"

# Options
set block-policy return
set loginterface $ext_if1

# NB: interfaces listed in "set skip" are not filtered at all, so the rules on
# enc0 and on $int_if (vr2) further down are never evaluated
set skip on {lo0, enc0, vr2}

scrub in

# nat/rdr
# $ext_if is not defined anywhere (pfctl: "macro 'ext_if' not defined"); the
# macro in this file is $ext_if1, corrected here and in the two rules below
nat on $ext_if1 inet from !($ext_if1) -> ($ext_if1:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> port 8021

# pf
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { $ext_if1 $ext_if2 lo $int_if }

#vpn exchange
pass in on $ext_if1 proto esp from $remote_gw to $ext_if1
pass out on $ext_if1 proto esp from $ext_if1 to $remote_gw

pass in on $ext_if1 proto udp from $remote_gw to $ext_if1 port {isakmp, ipsec-nat-t}
pass out on $ext_if1 proto udp from $ext_if1 to $remote_gw port {isakmp, ipsec-nat-t}

# (dead while enc0 is in "set skip" above)
pass in on enc0 proto ipencap from $remote_gw to $ext_if1 keep state (if-bound)
pass out on enc0 proto ipencap from $ext_if1 to $remote_gw keep state (if-bound)

pass in on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out on enc0 from $int_if:network to $remote_nets keep state (if-bound)

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
port $tcp_services flags S/SA keep state

# (dead while vr2 is in "set skip" above)
pass in on $int_if inet proto tcp from any to ($int_if) \
port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
Any means of splitting simple and encapsulated traffic will be greatly appreciated.

Last edited by August_Leaves; 05-09-2009 at 02:38 AM.
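An added example, not the original poster's configuration and not tested on their setup, of how the split can be written in OpenBSD 4.3-era pf syntax (before the 4.7 rewrite of the nat/rdr grammar). It follows the dual-WAN route-to pattern from the OpenBSD PF FAQ of that period, with the VPN destinations carved out so that only non-VPN traffic is forced onto ext_if2. The next-hop address 192.0.2.1 (as $gw2) and the remote_nets value are assumed placeholders; the peer address a.b.c.d and the interface names are the ones from the post.

```pf
# Added example (not the original poster's config): OpenBSD 4.3-era pf.conf
# that keeps the IPsec peer on ext_if1 and policy-routes all other LAN
# traffic out ext_if2. $gw2 and $remote_nets are ASSUMED placeholders.
ext_if1     = "vr0"            # link the IPsec tunnel runs over (default route)
ext_if2     = "vr1"            # new link for everything that is not VPN
int_if      = "vr2"
gw2         = "192.0.2.1"      # ASSUMED: next-hop router on the ext_if2 link
remote_gw   = "a.b.c.d"        # IPsec peer, as in the original post
remote_nets = "{ 10.1.0.0/16 }"  # ASSUMED placeholder for the nets behind the peer

# Only lo0 and enc0 are unfiltered; $int_if must be filtered for route-to to apply.
set skip on { lo0 enc0 }
scrub in

# NAT on whichever external link a packet actually leaves by. With route-to,
# pf evaluates the nat rule on the interface the packet is sent out of.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

block in
pass out keep state

# Traffic for the router itself and for the VPN networks is passed with
# "quick" so the route-to rule below never sees it. The routing table
# (default route via ext_if1) then takes it through ip_output, where the
# IPsec flows installed by isakmpd encapsulate it towards $remote_gw.
pass in quick on $int_if from $int_if:network to $int_if keep state
pass in quick on $int_if from $int_if:network to $remote_nets keep state

# Everything else from the LAN goes out the second link.
pass in on $int_if route-to ($ext_if2 $gw2) from $int_if:network to any keep state

# IKE and ESP between this router and the peer stay on ext_if1.
pass in  on $ext_if1 proto esp from $remote_gw to ($ext_if1)
pass out on $ext_if1 proto esp from ($ext_if1) to $remote_gw
pass in  on $ext_if1 proto udp from $remote_gw to ($ext_if1) port { isakmp, ipsec-nat-t }
pass out on $ext_if1 proto udp from ($ext_if1) to $remote_gw port { isakmp, ipsec-nat-t }

# Packets sourced from ext_if2's own address that the kernel would send via
# the default route (ext_if1), e.g. replies to connections that arrived on
# ext_if2, are pushed back out ext_if2.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any
```

The ordering matters for more than tidiness: route-to in OpenBSD pf hands the packet straight to the chosen interface's output routine, so it never reaches the IPsec policy lookup in ip_output. If the route-to rule were allowed to match LAN traffic bound for $remote_nets, those packets would leave via ext_if2 unencrypted (and NATed to its address) instead of going into the tunnel, which is why the VPN and router-local destinations are passed "quick" before it. Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm with `netstat -rn` that the default route still points via ext_if1, verify with `ipsecctl -sa` that the flows for $remote_nets exist, and watch `tcpdump -ni vr1` while pinging a host in $remote_nets: nothing addressed to those networks should ever appear on vr1.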
#2  06-26-2009, 11:47 AM
So let me get this straight: you've got two WAN links going to an OpenBSD router and you're trying to divert VPN traffic to the second WAN link instead of the main link? It sounds like you're trying to load balance dual WANs and dedicate one of the links to just a VPN connection? Is that what you're trying to accomplish?

