Hello Jorge, 

> If i understood you well, the answer to your question is here !
> 
> 
> http://www.openbsd.org/faq/pf/pools.html
> 
> Under the section Load Balancing outgoing traffic, or take a look at:
> 
> http://www.openbsd.org/faq/faq6.html#Multipath
> 
> 
> There are good examples there !
> 
> I hope this can help !

Thank you for this. The FAQ on pools has nice examples, but none of them really
addresses my problem. It discusses load balancing of incoming traffic to several
servers as well as load balancing of outgoing traffic. I cannot figure out how
to dispatch replies to incoming requests over different connections.

The FAQ on multipath has helped me very well to set up multiple default routes
- this works very well.

Best regards

Torsten


> > Dear List,
> >
> > Here I show my network topology. Maybe it seems quite typical. My
> > internal network is located behind an Intl/Extl Firewall which is
> > connected to the Internet(IN) via pppoe/ppp(8). On the other side I run
> > different systems, for instance a home office network, a mobile laptop,
> > and several customers.
> >
> >
> >        +---+ +---+
> >        | A | | B | (PC)
> >        +-+-+ +-+-+
> >          |     |   +---------+
> >        --+-----+---| Intl FW |---(DMZ)---+
> >        (LAN/int)   +---------+           |
> >                                          |
> >  +---------------------------------------+
> >  |                                                          +---+
> >  |                                           ____           | Z | (PC)
> >  |                                          (    )          +---+
> >  |  +---------+ pppoe/ppp(8) +-----------+  (    )  +----+    |
> >  |  |         |--------------| DSL-Modem |--(    )--| GW |----+-
> >  |  |         | rl0/tun0     +-----------+  (    )  +----+  (HomeOffice)
> >  +--| Extl FW |                             ( IN )  +----------+
> >     |         | pppoe/ppp(8) +-----------+  (    )--| Customer |
> >     |         |--------------| DSL-Modem |--(    )  +----------+
> >     +---------+ rl1/tun1     +-----------+  (    )  +--------+
> >     OpenBSD 4.8                             (____)--| Mobile |
> >                                                     +--------+
> >
> > My question is about the setup of routing and packet filtering on the
> > External Firewall:
> >
> > How can I force my Extl. FW to reply on exactly the same interface it
> > had been requested on?  For example I am running OpenVPN(1194/UDP)
> > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Likewise I
> > would appreciate SSH-portforwarding from Internet to the Intl. FW.
> >
> > I tried using "route-to" and "reply-to", but that did not work -
> > PF.CONF(5) says this should do, but I could not figure out how. I did
> > not understand how "route-to" and "reply-to" actually work (I could
> > not find any explanation, though I have searched hard for one).
> >
> > Everything else (NAT, outbound load balancing, filtering) works just
> > fine.
> >
> > My routing is:
> >
> > default  XXX.X.XX.XXX    UGSP       2   101853     -     8 tun0
> > default  XXX.X.XX.XXX    UGSP       0      988     -     8 tun1
> >
> > I manage my multipath routes (net.inet.ip.multipath=1) via
> > - ppp.linkup:
> > MYADDR:
> >  shell route add -mpath default HISADDR
> >
> > - ppp.linkdown
> > MYADDR:
> >  shell route delete -mpath default HISADDR
> >
> > What I tried in pf.conf is:
> >
> >   pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> >   pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
> >
> > Asking PF statistics (pfctl -v -s rules) shows that no packet has been
> > operated by those "reply-to" rules.
> >
> > Since I consider PF a brilliant concept I would really appreciate any
> > hint that would help. Thanks to all OpenBSD developers for their great
> > work and thanks for any advice.
> >
> >
> > Best regards
> >
> > Torsten
> >
> >
> > --
> > ------------------------------------------------------------------------
> > Torsten Finke
> > f...@igh-essen.com
> > ------------------------------------------------------------------------
> >
> >
> 
> 
> -- 
> Cordialmente,
> 
> 00110111  00111011


--
------------------------------------------------------------------------
Torsten Finke
f...@igh-essen.com
------------------------------------------------------------------------
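Editor's note, added to this thread and not part of either poster's message: one point worth checking against the rules quoted above is PF's rule-evaluation order. Unless a rule carries "quick", the last matching rule decides, so any later "pass in" rule (for example a general "pass in all" or the rules that provide NAT and outbound balancing) matches the same packets and wins, which would leave the counters of the two "reply-to" rules at zero exactly as pfctl -v -s rules reported. The fragment below is an example pf.conf for OpenBSD 4.8 written for this note; $intl_fw is an assumed placeholder for the DMZ address of the internal firewall (an RFC 5737 documentation address is used), and the rule set is not taken from the thread.

```conf
# Example pf.conf fragment for OpenBSD 4.8 (added illustration, not from the thread).
# Goal: replies to requests arriving on tun0 leave via tun0's peer, replies to
# requests arriving on tun1 leave via tun1's peer, regardless of the multipath
# default routes.

intl_fw = "192.0.2.10"   # ASSUMED placeholder: DMZ address of the Intl FW

# OpenVPN (1194/UDP) from the HomeOffice to the Intl FW.
# "quick" makes this rule final, so a later, more general "pass in" cannot
# override the reply-to (PF is last-match unless "quick" is set).
# "(tun0)" is the dynamic address of the interface; "tun0:peer" is the
# address of the ppp(8) peer on the point-to-point link.
pass in quick on tun0 reply-to (tun0 tun0:peer) proto udp \
    from any to (tun0) port 1194 rdr-to $intl_fw
pass in quick on tun1 reply-to (tun1 tun1:peer) proto udp \
    from any to (tun1) port 1194 rdr-to $intl_fw

# SSH port forwarding from the Internet to the Intl FW, same pattern.
pass in quick on tun0 reply-to (tun0 tun0:peer) proto tcp \
    from any to (tun0) port 22 rdr-to $intl_fw
pass in quick on tun1 reply-to (tun1 tun1:peer) proto tcp \
    from any to (tun1) port 22 rdr-to $intl_fw

# The redirected packets still have to be allowed out on the DMZ-facing
# interface by your existing "pass out" rules; nothing here covers that.
```

After loading it (pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f), the counters shown by pfctl -v -s rules for these four rules should increase when the OpenVPN client or an SSH client connects over each link; if they still stay at zero, the packets are being matched by a different rule, and pfctl -vv -s rules together with the state shown by pfctl -s state will tell which one.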
