Hello ! I read again your mail and now i'm lost !
You Wrote: "How can I force my Extl. FW to reply on exactly the same interface it > > had been requested on? For example I am running OpenVPN(1194/UDP) > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I > > would appretiate SSH-portforwarding from Internet to the Intl. FW. " SSH port forwarding from internet to Internal server is something like : ext_if=vr0 ext_ip=1.2.3.4 Spvt= 4.5.6.7 match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt pass in on $ext_if proto tcp from any to $Spvt port 22 pass out on $int_if proto tcp from any to $Spvt port 22 The above line redirects all traffic coming from any place in internet to my external IP ( 1.2.3.4) to the server 4.5.6.7 which is located in my internal lan, in other words the packet comes in on external interface , goes out on internal interface .. These works on OpenBSD 4.8 or newer ! Is this what you need ? On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke < torsten.fi...@igh-essen.com> wrote: > Hello Jorge, > > > If i understood you well, the answer to your question is here ! > > > > > > http://www.openbsd.org/faq/pf/pools.html > > > > Under the section Load Balancing outgoing traffic, or take a look at: > > > > http://www.openbsd.org/faq/faq6.html#Multipath > > > > > > There are good examples there ! > > > > I hope this can help ! > > thank you for this. The FAQ on pools has nice examples but none of them > really > faces my problem. It discusses load balancing of incoming traffic to > several > servers as well as load balancing of outgoing traffic. I cannot figure out > how > to dispatch replies to incoming requests over different connections. > > The FAQ on multipath has helped me very well to set up multiple default > routes > - this works very well. > > Best regards > > Torsten > > > > > Dear List, > > > > > > Here I show my network topology. Maybe it seems quite typical. My > > > internal network is located behind an Intl/Extl Firewall which is > > > connected to the Internet(IN) via pppoe/ppp(8). On the other side I run > > > different systems, for instance a home office network, a mobile laptop, > > > and several customers. > > > > > > > > > +---+ +---+ > > > | A | | B | (PC) > > > +-+-+ +-+-+ > > > | | +---------+ > > > --+-----+---| Intl FW |---(DMZ)---+ > > > (LAN/int) +---------+ | > > > | > > > +---------------------------------------+ > > > | +---+ > > > | ____ | Z | (PC) > > > | ( ) +---+ > > > | +---------+ pppoe/ppp(8) +-----------+ ( ) +----+ | > > > | | |--------------| DSL-Modem |--( )--| GW |----+- > > > | | | rl0/tun0 +-----------+ ( ) +----+ > (HomeOffice) > > > +--| Extl FW | ( IN ) +----------+ > > > | | pppoe/ppp(8) +-----------+ ( )--| Customer | > > > | |--------------| DSL-Modem |--( ) +----------+ > > > +---------+ rl1/tun1 +-----------+ ( ) +--------+ > > > OpenBSD 4.8 (____)--| Mobile | > > > +--------+ > > > > > > My question is about the setup of routing and packet filtering on the > > > External Firewall: > > > > > > How can I force my Extl. FW to reply on exactly the same interface it > > > had been requested on? For example I am running OpenVPN(1194/UDP) > > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I > > > would appretiate SSH-portforwarding from Internet to the Intl. FW. > > > > > > I tried using "route-to" and "reply-to", but that did not work - > > > PF.CONF(5) says this should do, but I could not figure out, how. I did > > > not not understand how "route-to" and "reply-to" actually work (could > > > not find any explanation, though I have tried hard to search for). > > > > > > Everything else (NAT, outbound load balancing, filtering) works just > > > fine. > > > > > > My routing is: > > > > > > default XXX.X.XX.XXX UGSP 2 101853 - 8 tun0 > > > default XXX.X.XX.XXX UGSP 0 988 - 8 tun1 > > > > > > I manage my multipath routes (net.inet.ip.multipath=1) via > > > - ppp.linkup: > > > MYADDR: > > > shell route add -mpath default HISADDR > > > > > > - ppp.linkdown > > > MYADDR: > > > shell route delete -mpath default HISADDR > > > > > > What I tried in pf.conf is: > > > > > > pass in on tun0 all keep state reply-to ( tun0 tun0:peer ) > > > pass in on tun1 all keep state reply-to ( tun1 tun1:peer ) > > > > > > Asking PF statistics (pfctl -v -s rules) shows that no packet has been > > > operated by those "reply-to" rules. > > > > > > Since I consider PF a brilliant concept I would really appretiate any > > > hint that would help. Thanks to all OpenBSD developers for their great > > > work and thanks for any advice. > > > > > > > > > Best regards > > > > > > Torsten > > > > > > > > > -- > > > > ------------------------------------------------------------------------ > > > Torsten Finke > > > f...@igh-essen.com > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > -- > > Cordialmente, > > > > 00110111 00111011 > > > -- > ------------------------------------------------------------------------ > Torsten Finke > f...@igh-essen.com > ------------------------------------------------------------------------ > > -- Cordialmente, 00110111 00111011
