I think that is not very clear. Sorry for my English. I want to connect, from behind my firewall, to an ftp server on the internet. I don't have an ftp server behind the firewall.
For that I tried it with these rules:

    nat-anchor "ftp-proxy/*"
    nat on $ext_if1 from $lan_net to any -> ($ext_if1)
    nat on $ext_if2 from $lan_net to any -> ($ext_if2)
    rdr-anchor "ftp-proxy/*"
    rdr pass on $LAN proto tcp from $IPINT to any port 21 -> 127.0.0.1 port 8021

    # --------- rules for FTP proxy
    anchor "ftp-proxy/*"

    #----------load balancing outgoing packets
    pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if1 $ext_gw1) } round-robin from $lan_net to any keep state

    #----------ensure that packets with a source address belonging to $ext_if1 are always routed to $ext_gw1
    # (and similarly for $ext_if2 and $ext_gw2)
    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

In my case, $IPINT is a private class of addresses.
I can't use multipath, because I don't have links with equal cost.

Giancarlo Razzolini wrote:
> Steven Surdock wrote:
>
>> Fratiman Vladut wrote:
>>
>>> I have an OpenBSD 4.3 router, act as load balancing server about two
>>> ISP's I follow example from http://www.openbsd.org/faq/pf/pools.html
>>> Everything work well, except connection to any ftp server.
>>> I try to use example from
>>> http://www.mail-archive.com/misc@openbsd.org/msg58157.html, but
>>> without any success.
>>> Any suggestion?
>>>
>> Is it not working in that it is not load balanced or is ftp not working
>> at all?
>>
>> There are many posts indicating that you cannot load balance services
>> running on the OBSD host *using PF*. At this point I believe your only
>> choices are:
>> + Use multipath routing (not PF route-to) for load balanced
>> services (man route)
>> + Use multiple proxies on the host, each bound to a different
>> external IP, and use route-to on the inbound request. (I have not seen
>> this posted, nor have I tried it myself, but I believe it might work.)
>>
>> -Steve S.
>>
>>
>>
> I've run into the same issue, and do the second choice, that is running
> two, or more, ftp-proxies on the firewall each bound to a different
> port, and with a different src address for the outgoing connection. I've
> tried to understand the multipath routing, but without success. Anyone
> have some good info on this, beside route manual pages?
>
> My regards,
>
> --
> Giancarlo Razzolini
> Linux User 172199
> Red Hat Certified Engineer no:804006389722501
> Moleque Sem Conteudo Numero #002
> Slackware Current
> OpenBSD Stable
> Ubuntu 7.04 Feisty Fawn
> Snike Tecnologia em Informatica
> 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
> had a name of signature.asc]