Hello Torsten! If I understood you well, the answer to your question is here!
http://www.openbsd.org/faq/pf/pools.html under the section "Load Balancing Outgoing Traffic", or take a look at: http://www.openbsd.org/faq/faq6.html#Multipath

There are good examples there! I hope this can help!

Jorge V

On Tue, Jan 10, 2012 at 8:38 AM, Dr.-Ing. Torsten Finke <torsten.fi...@igh-essen.com> wrote:
> Dear List,
>
> Here I show my network topology. Maybe it seems quite typical. My
> internal network is located behind an Intl/Extl Firewall which is
> connected to the Internet (IN) via pppoe/ppp(8). On the other side I run
> different systems, for instance a home office network, a mobile laptop,
> and several customers.
>
>
>    +---+     +---+
>    | A |     | B |  (PC)
>    +-+-+     +-+-+
>      |         |          +---------+
>    --+---------+----------| Intl FW |---(DMZ)---+
>    (LAN/int)              +---------+           |
>                                                 |
>    +--------------------------------------------+
>    |                                                    +---+
>    |                                            ____    | Z |  (PC)
>    |                                           (    )   +---+
>    |  +---------+ pppoe/ppp(8) +-----------+  (      )  +----+   |
>    |  |         |--------------| DSL-Modem |--(      )--| GW |---+-
>    |  |         | rl0/tun0     +-----------+  (      )  +----+  (HomeOffice)
>    +--| Extl FW |                             (  IN  )  +----------+
>       |         | pppoe/ppp(8) +-----------+  (      )--| Customer |
>       |         |--------------| DSL-Modem |--(      )  +----------+
>       +---------+ rl1/tun1     +-----------+  (      )  +--------+
>       OpenBSD 4.8                             (______)--| Mobile |
>                                                         +--------+
>
> My question is about the setup of routing and packet filtering on the
> External Firewall:
>
> How can I force my Extl. FW to reply on exactly the same interface it
> had been requested on? For example I am running OpenVPN (1194/UDP)
> between my HomeOffice (Z=Client) and the Intl. FW (=Server). Likewise I
> would appreciate SSH port forwarding from the Internet to the Intl. FW.
>
> I tried using "route-to" and "reply-to", but that did not work -
> PF.CONF(5) says this should do, but I could not figure out how. I did
> not understand how "route-to" and "reply-to" actually work (could
> not find any explanation, though I have tried hard to search for one).
>
> Everything else (NAT, outbound load balancing, filtering) works just
> fine.
>
> My routing is:
>
> default XXX.X.XX.XXX UGSP 2 101853 - 8 tun0
> default XXX.X.XX.XXX UGSP 0 988 - 8 tun1
>
> I manage my multipath routes (net.inet.ip.multipath=1) via
>
> - ppp.linkup:
>   MYADDR:
>     shell route add -mpath default HISADDR
>
> - ppp.linkdown:
>   MYADDR:
>     shell route delete -mpath default HISADDR
>
> What I tried in pf.conf is:
>
> pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
>
> Asking PF statistics (pfctl -v -s rules) shows that no packet has been
> operated on by those "reply-to" rules.
>
> Since I consider PF a brilliant concept I would really appreciate any
> hint that would help. Thanks to all OpenBSD developers for their great
> work and thanks for any advice.
>
>
> Best regards
>
> Torsten
>
>
> --
> ------------------------------------------------------------------------
> Torsten Finke
> f...@igh-essen.com
> ------------------------------------------------------------------------
>

--
Cordialmente,
00110111 00111011
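An added example, not from this thread or from the OpenBSD FAQ, of how a pf.conf for the two-uplink external firewall above could be shaped: each inbound service gets one rule per tun interface that carries reply-to, so the state's replies leave on the interface and ppp peer the request arrived on, and quick, so that no later and broader "pass" rule becomes the last match and overrides it. The LAN interface name and the Intl FW address are placeholders, and the rule ordering is an assumption.

```pf
# Added example (not from the thread): per-uplink reply-to on the Extl FW.
# Assumed: tun0/tun1 are the two ppp(8) uplinks, rl2 is the LAN side, and
# the Intl FW (OpenVPN server and SSH target) has the placeholder address.
ext_ifs = "{ tun0 tun1 }"
int_if  = "rl2"                 # assumed LAN-side interface
int_fw  = "192.0.2.10"          # placeholder for the Intl FW address

set skip on lo

# Outbound NAT for the LAN, one rule per uplink; (tun0) tracks the
# dynamic ppp address.
match out on tun0 from $int_if:network nat-to (tun0)
match out on tun1 from $int_if:network nat-to (tun1)

block log all

# Inbound services. reply-to is a filter option, so it follows the
# address/port part of the rule; tunX:peer is the ppp peer address.
# Only the two needed ports are forwarded, nothing broader.
pass in quick on tun0 inet proto udp to (tun0) port 1194 \
    reply-to (tun0 tun0:peer) rdr-to $int_fw
pass in quick on tun1 inet proto udp to (tun1) port 1194 \
    reply-to (tun1 tun1:peer) rdr-to $int_fw
pass in quick on tun0 inet proto tcp to (tun0) port 22 \
    reply-to (tun0 tun0:peer) rdr-to $int_fw
pass in quick on tun1 inet proto tcp to (tun1) port 22 \
    reply-to (tun1 tun1:peer) rdr-to $int_fw

# LAN-originated traffic: the multipath default route picks the uplink,
# and the state plus nat-to above already handle the replies.
pass in on $int_if from $int_if:network
pass out on $ext_ifs
```

After loading it with pfctl -f /etc/pf.conf, the per-rule counters from pfctl -v -s rules show whether the quick rules are the ones actually matching the inbound packets.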