Hello, I have the following scenario: [box_rac]----[fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]
[box_rac] pulls (rsync) "big data" from [box_krz] through VPN. I need to put this traffic to the total background, making way for any other packets going through VPN, NICs, from/to any other boxes on both sides.

I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific rules [1] and setting the lowest priority for it. Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared roughly equally with other traffic (tested with pushing data (netcat) through VPN at the same time).

I would appreciate your advice or any clues on what I have done wrong. Thank you.

[fw_rac] and [fw_krz] have analogous rulesets [2].

[1]
[fw_rac]: pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
[fw_krz]: pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state

[2] pf.conf [fw_rac]:

ext_if = "vr0"
lan_rac_if = "vr2"
# lan_rac_local = $lan_rac_if:network  # 10.0.15.0/24
backup_if = "vr3"
# backup_local = $backup_if:network    # 10.0.115/24
box_rac = "10.0.115.151"
box_krz = "10.0.100.151"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic

antispoof quick for { lo0, $lan_rac_if, $backup_if }

match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

block all
match out all scrub (no-df random-id)

pass out on egress keep state
pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state
pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state

ssh_port = "1071"
table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table <bruteforce> persist counters
block from <bruteforce>
pass in log quick inet proto tcp from <ssh_trust> to $ext_if port $ssh_port flags S/SA \
    set prio (7, 7) keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
    set prio (7, 7) keep state

table <vpn_peers> const { $krz_wan }
pass out quick on egress proto esp from (egress:0) to <vpn_peers> set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} set prio (6, 7) keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) set prio (6, 7) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} set prio (6, 7) keep state
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state

block return in on ! lo0 proto tcp to port 6000:6010

--
Radek
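Two things in the posted ruleset are worth checking before looking at queueing at all. First, "set skip on { lo, enc0 }" tells pf not to filter on enc0, so no rule written "on enc0" ever sees a packet. Second, "set prio" only changes the order in which an interface's own transmit queue is drained; it does not shape bandwidth, so when the bottleneck is somewhere upstream of vr0 (a DSL/cable uplink, the peer's link) the NIC queue is never contended and the priority is never applied. The usual pf answer is a bandwidth queue on the physical interface, capped just below the real uplink, so the bottleneck moves into pf where it can schedule. The fragment below is an added example written for this thread, not the ruleset from the post; it assumes a 10 Mbit/s uplink (placeholder), a placeholder peer address, and that the queue id assigned on enc0 stays on the packet when it leaves $ext_if as ESP (check this with the commands in the note after the block). The same fragment, with the addresses swapped, would go on the other firewall.

```pf
# Added example (not Radek's ruleset). Assumptions, all placeholders:
#   - the uplink behind vr0 is 10 Mbit/s
#   - 192.0.2.1 stands in for the real peer address
#   - the queue assigned on enc0 is kept through ESP encapsulation
ext_if  = "vr0"
box_rac = "10.0.115.151"
box_krz = "10.0.100.151"
krz_wan = "192.0.2.1"                 # placeholder, not from the post
table <vpn_peers> const { $krz_wan }

# enc0 must be filtered, otherwise rules "on enc0" never match.
set skip on { lo }

# Queues live on the physical interface. The root is capped a little below
# the real uplink so that packets pile up here, under pf's control, instead
# of in an upstream buffer that pf cannot see.
queue rootq on $ext_if bandwidth 9M max 9M
queue std   parent rootq bandwidth 8M default
queue bulk  parent rootq bandwidth 512K max 9M    # may borrow up to 9M when std is idle

block all
pass out on egress keep state

# Classify the rsync flow while the inner addresses are still visible, i.e.
# on enc0 before encapsulation.
match out on enc0 from $box_rac to $box_krz set queue bulk
pass out quick on enc0 from $box_rac to $box_krz keep state

# The outer ESP/IKE rules deliberately carry no "set queue": a queue set
# here would apply to every packet of the tunnel and replace the bulk
# assignment made on enc0.
pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in  quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in  quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to catch syntax errors, then watch "pfctl -vs queue" or "systat queues" while the rsync runs: the bulk queue's packet counter on vr0 must climb. If only std moves, the assumption that the enc0 queue assignment survives encapsulation did not hold on that release, and the classification has to be redone on egress. The netcat test from the post is a good control: with the queues in place it should keep roughly the std share while rsync is squeezed into bulk.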