openbsd box as gateway for multiple internet connections

Mon, 22 Feb 2010 02:15:33 -0800 

Hi all,
I'm seraching for best practices, examples and documentation on how to build a openbsd gateway with multiple isp connections. 


the idea is simple: to have a gateway that load balances internet 
traffic from clients. it have to be faiulure tolerant, so that if a xDSL 
link fails, the gateway have to exclude the link from the possible routes.



i was thinking about a perl script in the crontab that checks the links 
(ie: ping to each isp gateway) and then adjusts the pf.conf accordingly. 
attached is my work-in-progress pf.conf: when I'll add another xDSL, 
I'll repeat (via script) the "tiscali" rows with the new xDSL specific 
parameters.


but, i'm new to this kind of configuration...

so any help/suggestion is very appreciated :-)

thanks in advance
leonardo


-----------------------------------------

set skip on lo

# INTERNAL NETWORK
INT_IF = "ale0"
INT_IP = "192.168.2.69"

# TISCALI SHDSL 2Mb
TISCALI    = "re0"
TISCALI_IP = "a.b.c.d"
TISCALI_GW = "a.b.c.d2"


MULTI_PATH = "route-to { (" $TISCALI $TISCALI_GW ") } round-robin" # add 
other xDSL here


table <LAN> { 10.0.0.0/8, 192.168.0.0/16 } # internal networks

table <SSHBL> persist file "/etc/sshbl.txt" # 
(http://www.sshbl.org/lists/base.txt)


altq on $INT_IF hfsc bandwidth 100Mb queue { def, allclients, mypc }

queue def        bandwidth 200Kb  priority 3 hfsc ( red, upperlimit 
300Kb, default)

queue allclients bandwidth 200Kb  priority 3 hfsc ( red, upperlimit 300Kb )
queue mypc       bandwidth 2640Kb priority 3 hfsc ( red, upperlimit 2640Kb )


altq on $TISCALI hfsc bandwidth 2Mb queue { tiscali_def, tiscali_admin, 
tiscali_web, tiscali_mail, tiscali_dns, tiscali_icmp, tiscali_vpn }

queue tiscali_def   bandwidth 650Kb  priority 3 hfsc ( red, default)
queue tiscali_web   bandwidth 500Kb  priority 5 hfsc ( red )

queue tiscali_mail  bandwidth 200Kb  priority 1 hfsc ( red, upperlimit 
800Kb )

queue tiscali_dns   bandwidth 50Kb   priority 6 hfsc ( red )
queue tiscali_icmp  bandwidth 50Kb   priority 7 hfsc ( red )

queue tiscali_vpn   bandwidth 500Kb  priority 7 hfsc ( red, upperlimit 
1000Kb )

queue tiscali_admin bandwidth 50Kb   priority 5 hfsc ( red )


# -------------------------------------------------- nat & rdr

nat log on $TISCALI from <LAN> -> $TISCALI_IP


rdr log on $INT_IF proto { tcp, udp } from <LAN> to ! $INT_IP port 53 -> 
$INT_IP # dns queries goes all here


# -------------------------------------------------- blocks & other stuff


block in quick log proto tcp from <SSHBL> to { $TISCALI_IP } port 22 
label "sshbl"


# -------------------------------------------------- internal if


pass in quick log on $INT_IF inet proto tcp from any to $INT_IP port 22 
label "admin ssh int_if" # this gateway administration



pass in  log on $INT_IF to $INT_IP            label "in this gw"     # 
traffic to this gateway
pass in  log on $INT_IF to ! $INT_IP          label "in through gw"  # 
traffic through this gateway
pass out log on $INT_IF from $INT_IP to any   label "out this gw"    # 
traffic out from this gateway
pass out log on $INT_IF from ! $INT_IP to any label "out through gw" # 
traffic out through this gateway


# -------------------------------------------------- tiscali shdsl


pass in quick log on $TISCALI inet proto tcp from any to $TISCALI_IP 
port 22 queue tiscali_admin label "admin ssh tiscali" # this gateway 
administration


block in log on $TISCALI label "in tiscali block"


pass out log on $TISCALI queue 
tiscali_def                                                                                         
label "out tiscali def"
pass out log on $TISCALI proto 
icmp                                                                             
queue tiscali_icmp label "out tiscali icmp"
pass out log on $TISCALI proto udp to port 
53                                                                   
queue tiscali_dns  label "out tiscali dns"
pass out log on $TISCALI proto 
gre                                                                              
queue tiscali_vpn  label "out tiscali vpngre"
pass out log on $TISCALI proto { tcp, udp } to port { 47, 50, 51, 88, 
115, 137, 500, 1723, 4500, 10000, 10001 } queue tiscali_vpn  label "out 
tiscali vpn"
pass out log on $TISCALI proto tcp to port { 25, 110, 143, 563, 993, 995 
}                                      queue tiscali_mail label "out 
tiscali mail"
pass out log on $TISCALI proto tcp to port { 20, 21, 80, 443 
}                                                  queue tiscali_web  
label "out tiscali web"


# -------------------------------------------------- clients queues


pass in quick log on $INT_IF $MULTI_PATH from 192.168.2.18 to ! <LAN> 
queue mypc       label "me routed" # my pc



pass in       log on $INT_IF $MULTI_PATH from <LAN>        to ! <LAN> 
queue allclients label "others routed"


# eof















    











					Reply via email to