Hi All,
I have 2 ISP(diagram in attachment) pf to forward the packet based on
PF: Address Pools and Load
Balancing(http://www.openbsd.org.my/faq/pf/pools.html).
For this setup I use static routing. My problem is sometime the
network is slow. I mean when browse web to our internal server (from
outside) and when local user browse the net's.
When I disable the load balance, everything work as normal. User
didn't face any slow when using the net's.
Can anyone help me about this. Is there I need to use routed for my
networks?
Here is my pf setup and other's setting.
file: /etc/pf.conf
--------
lo = "lo0"
ext_if1 = "em0"
ext_if2 = "sis0"
int_if = "em1"
vir_if0 = "carp0"
vir_if1 = "carp1"
vir_if2 = "carp2"
lan_net = "10.10.10.0/24"
dummy_if = "{ em0, sis0 }"
dummy_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
gw_ext_ip = "10.2.249.29"
gw_ext_ip1 = "192.168.100.50"
gw_int_ip = "10.10.10.1"
gw_public_ip = "xxx.xxx.xxx.189"
web_ext_ip = "10.2.249.30"
web_int_ip = "10.10.10.4"
web_public_ip = "xxx.xxx.xxx.190"
gw_ip = "10.2.249.1"
gw2_ip = "192.168.100.1"
tcp_services = "{ 22, 25, 53, 80, pop3, ntp, imap, imap3, 443, imaps }"
udp_services = "{ 53, ntp }"
testing = "10.10.10.79"
# Non-routable IP numbers
martians= "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 204.152.64.0/23, 240.0.0.0/4,
255.255.255.255/32 }"
# Options
set block-policy return
set loginterface $ext_if1
# Scrub incoming network packet.
scrub in all
# NAT 1:1 mapping
binat on $ext_if1 from $web_int_ip to any -> $web_ext_ip
# NAT exceptions
#no nat on $ext_if1 from $web_int_ip to any
nat on $ext_if1 from $lan_net to any -> $gw_ext_ip
nat on $ext_if2 from $lan_net to any -> $gw_ext_ip1
# Port redirect
#rdr on $ext_if1 proto tcp from any to $gw_ext_ip port 80 -> $testing
# Policy filtering
# Deny by default
block in log all
pass out all
# Block all the martians
block in on { $ext_if1, ext_if2 } inet from $martians to any
# Anti Spoof protection for external & internal interface
antispoof for { $ext_if1, ext_if2, int_if, vir_if0, vir_if1, vir_if2 } inet
# Allow loopback
pass quick on lo0 all
pass out quick on em0 all keep state
# Pass in Internal interface.
pass in quick on $int_if from $lan_net to $int_if
#Allow ssh to internal box(including this box)
pass in quick proto tcp from any to any port ssh flags S/SA keep state
# Allow tcp service to web.
pass in quick proto tcp from any to $web_int_ip port $tcp_services
flags S/SA keep state
pass in quick proto udp from any to $web_int_ip port $udp_services
# Allow port redirect connection to internal server.
#pass in quick proto tcp from any to $testing port 80 flags S/SA keep state
pass out on $int_if proto udp from $lan_net port $udp_services to any
pass out on $vir_if2 proto udp from any port $udp_services to $lan_net
# Allow traffic for local network for user browsing.
pass in on { $int_if, $vir_if2 } from $lan_net to any keep state
# Load balance the packet
#pass in on $int_if route-to { ($vir_if0 $gw_ip) } from $lan_net to
any keep state
pass in on $int_if route-to { ($vir_if0 $gw_ip), ($vir_if1 $gw2_ip) }
round-robin from $lan_net to any keep state
pass in on $int_if route-to { ($ext_if1 $gw_ip), ($ext_if2 $gw2_ip) }
round-robin from $lan_net to any keep state
pass out on $ext_if1 route-to ($vir_if0 $gw_ip) from $lan_net to any
pass out on $ext_if2 route-to ($vir_if1 $gw2_ip) from $lan_net to any
pass out on $ext_if1 route-to ($ext_if1 $gw_ip) from $lan_net to any
pass out on $ext_if2 route-to ($ext_if2 $gw2_ip) from $lan_net to any
pass in on em1 proto icmp keep state
pass in on $dummy_if proto icmp from $dummy_net
pass out on $dummy_if proto icmp from $dummy_net
# Carp
pass quick on { em1 } proto pfsync
pass on { em0 em1 sis0 } proto carp keep state
---
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:12:3f:25:18:4e
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::212:3fff:fe25:184e%em0 prefixlen 64 scopeid 0x1
# ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:12:3f:25:18:4f
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
inet6 fe80::212:3fff:fe25:184f%em1 prefixlen 64 scopeid 0x2
# ifconfig sis0
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:09:5b:06:4d:68
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::209:5bff:fe06:4d68%sis0 prefixlen 64 scopeid 0x3
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
inet 10.2.249.29 netmask 0xffffffe0 broadcast 10.2.249.31
inet 10.2.249.30 netmask 0xffffffe0 broadcast 10.2.249.31
# ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev sis0 vhid 2 advbase 1 advskew 0
inet 192.168.100.50 netmask 0xffff0000 broadcast 192.168.100.255
# ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev em1 vhid 3 advbase 1 advskew 0
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
# more /etc/mygate
10.2.249.1
p/s: sorry for my bad english.
--
Thanks & Regards,
Ikmal aka EvoIVGSR
http://www.leakage.org/
http://root.justdied.com/mylife/
http://www.openbsd.org.my/
http://mirrors.mybsd.org.my/
Office Network
----------------
ISP1 ISP2
| |
+---+---+
|
+--------+
| switch |
+---+----+
|
+---+---+
| |
+-+-+ +-+-+
|fw1| |fw2|
+-+-+ +-+-+
| |
+---+---+
|
+--+--+
| LAN |
+-----+
