Re: PF Load Balancing Outbound Connections - Default Gateway Problems

From: Lynden (chugg_at_shaw.ca)
Date: 07/27/04

    Date: Tue, 27 Jul 2004 05:47:14 GMT
    
    

    "Lynden" <chugg@shaw.ca> wrote in message news:...
    > Hello,
    >
    > I have i386 OpenBSD 3.5 installed and working with PF running. I have 2
    > separate ISP Cable connections coming in, and I am using the load balancing
    > features of PF as described at
    > http://www.openbsd.org/faq/pf/pools.html#outgoing.
    >
    >

    Sorry for that. I'm having a problem where any traffic that is supposed (as
    dictated by the below route-to ruleset) to go out the interface for ISP #2
    instead goes out the interface for ISP #1. The default gateway for the
    machine is the default gateway belonging to ISP#1. Changing the default
    gateway for the machine reverses the scenario exactly. See below for the
    applicable PF config:

    lan_net = "192.168.1.0/24"
    int_if = "xl1"
    ext_if1 = "xl0"
    ext_if2 = "ep2"
    ext_gw1 = "68.144.210.x"
    ext_gw2 = "68.144.192.x"

    # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
    # $ext_if2 and $ext_gw2
    pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
    pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

    Basically, it doesn't look like the above route-to rule is having any
    effect on the traffic outbound for ISP#2, or the default gateway for the
    machine is overriding these rulesets.

    TCPDumps confirm that the packets outbound on ISP#1's interface are being
    sourced from the correct IP, so the PF state machine is working, but it's
    just being forwarded out the wrong interface.

    After the above route-to rule has been translated by PF, here's what I get,
    where X is the interface's IP on the subnet :

    pass out quick on ep2 route-to inet from 68.144.211.x to any
    pass out quick on xl0 route-to inet from 68.144.192.x to any

    Does the above translated rule look correct? Any suggestions on having PF
    obey the route-to ruleset instead of obeying the default gateway in the
    routing table?

    Please let me know if more configs would be helpful or a better explanation
    of how the network is laid out,

    thanks!

    Lynden

