I am trying to use OpenBSD 5.1 i386 as a firewall and content filter for a network of ~40 people. I have two modem internet connections over which I want to load balance outgoing traffic, and three NICs.

# I couldn't find a pf rule which sends packets from self (127.0.0.1?) out when not using the /etc/mygate file, so I kept it filled:

/etc/mygate
    192.168.0.1     # ip of one modem

/etc/hostname.rl0
    inet 192.168.0.249 255.255.255.255   # external if to default gw

/etc/hostname.re0
    inet 192.168.2.249 255.255.255.255   # external if to the second modem

/etc/hostname.rl1
    inet 192.168.5.249 255.255.255.255   # internal if

I use named as a local name server. This causes some trouble. Sometimes when rebooting, the computer hangs at named initiation and after a Ctrl+C it continues. I tried some hacks (like disabling acpi when booting) but I couldn't find the underlying reason and left it as is. (You might consider this as a question.)

/etc/resolv.conf
    search ARRIS
    nameserver 127.0.0.1
    nameserver 208.67.222.222
    nameserver 8.26.56.26

Here is the pf.conf:

intif=rl1
extif1=rl0
extif2=re0
gw1="192.168.0.1"
gw2="192.168.2.1"
tcp_in_services="{ ssh, https, 2020, 2021 }"
udpservices="{ domain, ntp }"
lannet=$intif:network
ext1net=$extif1:network
ext2net=$extif2:network

anchor "ftp-proxy/*"
pass in quick on $intif inet proto tcp to port 21 divert-to 127.0.0.1 port 8021

pass quick inet proto icmp all

# This is for local dns requests coming to self
pass in quick log on $intif inet proto {tcp,udp} from $lannet to port $udpservices

# This is for syslogging some modem logs to the firewall, which will be useless if I accomplish my pf setup
pass in quick on $extif2 proto udp to any port 514

# I am doing nat to both external interfaces. Is this correct for my setup?
match out on $extif1 from $lannet nat-to $extif1
match out on $extif2 from $lannet nat-to $extif2

# This is for Dansguardian and -> squid
pass in quick log inet proto tcp from $lannet to port 80 divert-to 127.0.0.1 port 8080

block all

# Route-to rules for load balancing
pass in on $intif inet proto tcp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in on $intif inet proto udp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in on $intif inet proto icmp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state

# This is for some tcp,udp services made available across local networks
pass in on {$extif1,$extif2} inet proto tcp to port $tcp_in_services
pass in on {$extif1,$extif2} inet proto {tcp,udp} to port $udpservices

# Rules I copied from the FAQ for outgoing load balancing
pass out on $extif1
pass out on $extif2
pass out on $extif1 from $extif2 route-to ($extif2 $gw2)
pass out on $extif2 from $extif1 route-to ($extif1 $gw1)

I have read the FAQ many times and browsed through earlier emails sent to @misc. I should say that the FAQ is unclear about using /etc/mygate for my case. It is unclear about the keyword self (or the handling of packets generated by the firewall), or I didn't understand the theory. It is unclear about when one must use multipath routing and when not. And IMHO the FAQ should contain some more elaborate pf configurations like mine(?), because internet resources are either too outdated or too scarce. I believe OpenBSD is a secure, easy OS for networking purposes like mine. I will continue trying to use and evaluate it even if it costs me too many hours of reading and trying.

My first question: is this pf.conf correct? How can I place Squid into this configuration to achieve load balancing of outgoing traffic? What would be the necessary Squid configs or pf rules?

Thanks for reading.
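A check worth running before asking whether rules such as `from $lannet` match what you expect: pf expands `$if:network` to the interface's address masked by the netmask given in /etc/hostname.if, so the netmask in those files decides which hosts `$intif:network` covers. The script below is an added example, not code from the post or from OpenBSD; it reproduces that expansion with Python's standard `ipaddress` module over the three hostname.if lines quoted above (embedded here as constructed input) and flags any interface whose `:network` expansion contains only the interface's own address. The helper names (`parse_hostname_if`, `expand_network`, `check_files`) are this example's own.

```python
"""Expand pf's $if:network macro from hostname.if lines.

Added example, not from the original post. pf substitutes the
interface's address masked by its own netmask for ``$if:network``,
so the netmask written in /etc/hostname.if is what a rule such as
``from $intif:network`` really matches. This reproduces that
expansion so it can be checked before the ruleset is loaded.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed input: the three interface files from the post.
HOSTNAME_FILES: Dict[str, str] = {
    "hostname.rl0": "inet 192.168.0.249 255.255.255.255",
    "hostname.re0": "inet 192.168.2.249 255.255.255.255",
    "hostname.rl1": "inet 192.168.5.249 255.255.255.255",
}

_INET_LINE = re.compile(r"^\s*inet\s+(\S+)\s+(\S+)")


def parse_hostname_if(contents: str) -> Tuple[str, str]:
    """Return (address, netmask) from the first 'inet' line of a hostname.if file."""
    for line in contents.splitlines():
        m = _INET_LINE.match(line)
        if m:
            return m.group(1), m.group(2)
    raise ValueError("no inet line found")


def expand_network(address: str, netmask: str) -> str:
    """What pf substitutes for $if:network: the address masked by the netmask, in CIDR form."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return str(iface.network)


def hosts_matched(address: str, netmask: str) -> int:
    """Number of addresses a 'from $if:network' rule can match with this netmask."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network.num_addresses


def check_files(files: Dict[str, str]) -> List[str]:
    """One warning per interface whose :network expansion covers only itself."""
    warnings = []
    for name, contents in files.items():
        addr, mask = parse_hostname_if(contents)
        net = expand_network(addr, mask)
        if hosts_matched(addr, mask) == 1:
            ifname = name[len("hostname."):]
            warnings.append(
                f"{name}: ${ifname}:network expands to {net}, "
                "which matches only the interface's own address"
            )
    return warnings


if __name__ == "__main__":
    for name, contents in HOSTNAME_FILES.items():
        a, m = parse_hostname_if(contents)
        print(f"{name}: {a} {m} -> :network = {expand_network(a, m)}")
    for w in check_files(HOSTNAME_FILES):
        print("WARNING", w)
    # For comparison, a hypothetical /24 mask on the internal interface:
    print("with 255.255.255.0:", expand_network("192.168.5.249", "255.255.255.0"))
```

Run it as-is to see the expansion for each file; the same result can be confirmed on the firewall itself with `pfctl -nvf /etc/pf.conf`, which prints the ruleset with macros and `:network` already expanded without loading it.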