On 2016-07-07, Jeremy <open...@smartpoint.co.nz> wrote:
> On 28/06/2016 4:38 a.m., Bobby Johnson wrote:
>> I've set up a few OpenBSD machines to do failover with 2 internet
>> interfaces. I didn't use multipath, pf will pass traffic without it.
>> I did find it necessary to specify a reply-to for each of my pass in
>> rules for services on the 2nd interface. For example I would need
>> these 2 rules to pass traffic in on both interfaces, ext_if has the
>> default route and is egress.
>>
>> pass in on egress inet proto tcp from any to $server port 80
>> pass in on $ex2_if inet proto tcp from any to $server port 80 reply-to
>> ( $ex2_if $ex2_gw )
>>
> I have revised my pf.conf rules and made changes along the lines
> suggested above.
> i.e. ...reply-to ($ext_if2 $ext_gw2)
> (NB: I have also replaced all instances of "egress" with $ext_if1 in
> preparation for switch-over.)
>
> Incoming traffic now works but I'm concerned this is a little clumsy to
> have to duplicate each pass rule and add a reply-to field to each one.
> Is this the best practice?
It is clumsy but I don't think there's another way to do it.

> If I want to use multi-path routes or switch my default route to
> "ext_if2" do I need to add a similar reply-to suffix for the existing
> egress/$ext_if1 rules?
>
> Regarding using multiple outgoing routes; I've tried adding the
> following rules -
>
> -------------------------- /etc/pf.conf ---------------------------
> ...
> # Balance two external interfaces
> pass in on $int_if from $int_if:network reply-to \
> { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

Should be route-to and IIRC it might need to be for the outgoing packet
("pass out on $ext_if1") not the incoming one. It's not required if
you're doing mpath anyway though.

There are advantages and disadvantages either way:

- pf route-to lets you use sticky-address which is needed for some secure
  sites (some banks etc. don't like it when client IPs change mid session).

- mpath routes take interface state into account, which route-to doesn't.

> pass out on $ext_if1 from $ext_if2 reply-to ($ext_if2 $ext_gw2)
> pass out on $ext_if2 from $ext_if1 reply-to ($ext_if1 $ext_gw1)
> ...
> --------------------------------------------------------------------------
>
> - Are these necessary? They don't seem to affect outgoing packets by
> themselves.

You want route-to not reply-to here. These let you NAT inbound packets to
the various addresses, and have the outbound packets directed to the
correct interface. Doesn't matter so much for simple round-robin but
useful if you need to bind certain traffic to certain interfaces.

> # route add -mpath default 192.168.1.1
> # route add -mpath default 172.16.8.1
> # sysctl net.inet.ip.multipath=1
>
> This does direct outgoing packets via both interfaces but it looks like
> I now get problems with incoming packets not matching the pass
> in/reply-to rules and only passing the ext_if2 interface.
> Sorry, this is hard to describe and is more complex than I was hoping,
> but could anyone who has experience with a similar setup please take a
> look and suggest something. Thanks

If you don't already know about 'match log(matches)' and 'tcpdump
-neipflog0 -v' and looking up rules by number with 'pfctl -sr -R <num>'
it's worth playing with them, they can be quite helpful.
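For reference, a constructed pf.conf fragment (not from anyone in this thread) that pulls the replies above together: reply-to stays on the inbound rules for the non-default uplink, the outbound balancing uses route-to in the classic PF FAQ form on the LAN-side pass in rule, and the pass out rules use route-to rather than reply-to. It assumes the macro names and addresses shown below and the pre-6.9 `route-to (if gw)` syntax current when this thread was written.

```pf
# Constructed example, not the thread's own config.  Assumes these macros
# and the OpenBSD 5.9/6.0-era route-to pool syntax.
int_if  = "em0"
ext_if1 = "em1"           # carries the default route
ext_gw1 = "192.168.1.1"
ext_if2 = "em2"
ext_gw2 = "172.16.8.1"
server  = "10.0.0.10"

set skip on lo

# Log the last matching rule for every state; inspect with
#   tcpdump -n -e -i pflog0 -v      and      pfctl -sr -R <num>
match log(matches) all

# Inbound service on both uplinks.  Replies to connections that arrived on
# $ext_if2 must leave via $ext_gw2; without reply-to they would follow the
# default route out $ext_if1 carrying $ext_if2's address and be dropped
# upstream by the first provider's source filtering.
pass in on $ext_if1 inet proto tcp from any to $server port 80
pass in on $ext_if2 inet proto tcp from any to $server port 80 \
    reply-to ($ext_if2 $ext_gw2)

# LAN -> Internet, balanced across both uplinks.  route-to (not reply-to)
# steers the forwarded packet; sticky-address keeps one client on one
# uplink so its public address does not change mid-session.
pass in on $int_if inet from $int_if:network to !$int_if:network \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address

# Traffic sourced from one uplink's own address must never leave the
# other uplink (the firewall's own connections, or a NATed flow whose
# state was created on the other interface).
pass out on $ext_if1 inet from ($ext_if2) route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 inet from ($ext_if1) route-to ($ext_if1 $ext_gw1)

# NAT each uplink's outbound LAN traffic to that uplink's own address.
match out on $ext_if1 inet from $int_if:network nat-to ($ext_if1)
match out on $ext_if2 inet from $int_if:network nat-to ($ext_if2)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; with the mpath routes from the thread in place instead, the route-to pool on the LAN rule can simply be dropped.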