Thanks, I figured it out. I missed the nat rule for $ext_if2. --Siju
On Tue, Oct 14, 2008 at 1:03 PM, Siju George <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have firewall
>
> sk0 - LAN Interface
> rl1 - Primary internet connection
> rl2 - secondary Internet connection
>
> I have a line in pf.conf
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>
> to route requests from hosts in <hifxchn2> through the rl2 internet connection but it does not seem to work.
>
> the full pf.conf is below
>
> ===========================================================================================================
> ##NETWORK INTERFACES
> #
> int_if="sk0" #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
> ext_if="rl1" #Dataone Connection - "rl2" interface Connected to the Dataone Router.
> ext_if2="rl2"
> ext_ifgw="122.166.40.1"
> proxy="122.166.40.36"
>
>
> #Private IP Address Range Specified by RFC 1918.
> #
> priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
>
>
> #Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
> #
> table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"
>
> #Websites to which bypassing SQUID is allowed.
> #
> table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"
> table <lanspl> persist file "/etc/pf-tables/lanspl"
> table <adm> persist file "/etc/pf-tables/adms"
> table <vtcservers> persist file "/etc/pf-tables/vtcservers"
> table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
> table <authpf_users> persist
> table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"
>
> #Traffic Normalization - Required for "pppoe" connection.
> #
> scrub on $ext_if all no-df random-id fragment reassemble
>
> ###"Network Address Translation" and "Port Redirection"
> ###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
> nat-anchor "authpf/*"
> rdr-anchor "authpf/*"
> binat-anchor "authpf/*"
>
> nat pass on $ext_if from <adm> to any -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
>
> # redirect to beergas website
> rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
> rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443
>
> ###
> #
> nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)
>
> #NAT connections to specified websites.
> nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
> nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)
>
> #Block NAT for other hosts to port 80 and 443 on the Internet.
> #They should all go via SQUID CACHE PROXY
> #
> no nat on $ext_if from any to any port { 80, 443 }
> no nat on $ext_if2 from any to any port { 80, 443 }
>
> #Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
>
> #The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
> #PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
> #Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
> #
>
> no rdr on $int_if from any to 70.86.222.30
> rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080
>
> ###Filter Rules.
> ###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
> #Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
>
> block all
> pass in quick on $ext_if inet proto tcp from any to any port ssh keep state
>
> #Blocking RFC1918 Traffic.
> block in log quick on $ext_if from $priv_nets to any
> block out log quick on $ext_if from any to $priv_nets
> block out log quick on $ext_if from any to <bannedIPs>
>
> #Allow all traffic on the localhost interface.
>
> pass quick on lo0 all
>
> #Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.
>
> pass in quick on $int_if from any to $int_if keep state
> pass out quick on $int_if from $int_if to any keep state
>
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
>
> pass in quick on $int_if from $int_if:network to any keep state
> pass out quick on $int_if from any to $int_if:network keep state
>
>
>
> #Allow Traffic from Firewall to pass out to the Internet.
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if2 proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> pass out on $ext_if2 proto { udp, icmp } all keep state
>
>
> #ftp-proxy
> anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 21 keep state
>
> #authpf
> anchor "authpf/*"
>
> ====================================================================================================
>
> # ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
> rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:50:fc:7d:4e:50
>         media: Ethernet autoselect
>         status: no carrier
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:e0:4d:06:2b:65
>         groups: egress extif
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 122.166.40.36 netmask 0xffffff00 broadcast 122.166.40.255
>         inet6 fe80::2e0:4dff:fe06:2b65%rl1 prefixlen 64 scopeid 0x2
> rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:e0:4d:06:2b:68
>         groups: extif
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 122.166.40.99 netmask 0xffffff00 broadcast 122.166.40.255
>         inet6 fe80::2e0:4dff:fe06:2b68%rl2 prefixlen 64 scopeid 0x3
> sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0f:3d:88:9e:d4
>         media: Ethernet autoselect (100baseTX full-duplex,flag0,flag1)
>         status: active
>         inet 172.17.1.0 netmask 0xfff00000 broadcast 172.31.255.255
>         inet6 fe80::20f:3dff:fe88:9ed4%sk0 prefixlen 64 scopeid 0x4
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> pfsync0: flags=0<> mtu 1460
>         groups: carp
> enc0: flags=0<> mtu 1536
> =================================================================================
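The fix Siju names, a nat rule for $ext_if2, shown as an added example that is not part of the thread: a minimal pf.conf fragment that pairs the route-to filter rule with a translation rule on the interface the packets actually leave, using the thread's interface variables and the <hifxchn2> table. That this is the exact rule Siju added is an assumption; the point it demonstrates is general to pf's route-to.

```pf
# Added example (not Siju's pf.conf): a route-to rule needs a nat rule on the
# interface it routes out of. Variable and table names are taken from the thread.
int_if="sk0"
ext_if="rl1"
ext_if2="rl2"
ext_ifgw="122.166.40.1"
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

# 1. Translation is evaluated on the interface the packet leaves through.
#    route-to forces packets from <hifxchn2> out via $ext_if2, so a
#    "nat on $ext_if" rule never sees them. Without a matching rule on
#    $ext_if2 they leave rl2 with their private 172.16/12 source address
#    and the replies never come back.
#    nat rules are first-match: if these hosts must also reach ports 80/443
#    directly, this line has to sit above any "no nat on $ext_if2" rule.
nat on $ext_if2 from <hifxchn2> to any -> ($ext_if2)

# 2. The filter rule that chooses the path. "quick" stops further rule
#    evaluation for the packet; "keep state" lets replies match the same state.
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

# 3. The packet still has to be allowed out on $ext_if2 (the thread's pf.conf
#    already has equivalent rules).
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { udp, icmp } all keep state
```

To check the result without reloading, `pfctl -nf /etc/pf.conf` parses the file only; after loading, `pfctl -s nat` shows the order in which translation rules will be matched, and `pfctl -s state` shows whether connections from <hifxchn2> hosts carry the rl2 address (122.166.40.99 in the ifconfig output above) as their translated source.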