Load Balancing, Interface 2 pings but won't successfully forward/translate ports

If someone suggests a better title, I will happily change it.

I've set up a FreeBSD 7.2 Router on my network and migrated to PF 4.1 today using this manual.

So I have ten IP addresses, five on each connection. One DSL (re0), one Cable (re2).

Code:
################ Macros ####################################
lan_net = "{192.168.22.0/24, 127.0.0.8/8, 192.168.12.0/24, 10.0.64.0}"
int_if1 = "re1"
int_if2 = "re3"
all_int = "{ re1, re3 }"
ext_if1 = "re0"
ext_if2 = "re2"
all_ext = "{ re0, re2 }"
ext_gw1 = "A.A.A.A"
ext_gw2 = "B.B.B.B"

Here are my Load Balancing Rules:
Code:
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if1 from $lan_net to $int_if1
pass in quick on $int_if2 from $lan_net to $int_if2
# load balance outgoing tcp traffic from internal network.
pass in on $int_if1 route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if2 route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if1 route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto { udp, icmp } from $lan_net to any keep state
pass in on $int_if2 route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto { udp, icmp } from $lan_net to any keep state
# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I've set up round-robin load balancing successfully and am pleased. I'm antsy to get to tweaking and making it work more efficiently.

The problem I am having is redirected ports on the second connection (re2).

I'll post the whole thing upon request, but I'll just share the snippets that make my issue clear:

In order:
Code:
rdr on $all_ext proto tcp from any to $all_ext port 3389 -> $server_ip port 3389
rdr on $all_ext proto tcp from any to $all_ext port 80 -> $server_ip port 80
rdr on $all_ext proto tcp from any to $all_ext port 443 -> $server_ip port 443

Code:
pass in log on $all_ext proto tcp from any to $all_ext port 3389

Which is a little overkill and can be really simplified, but I was de-manufacturing the whole thing while troubleshooting, so I apologize in advance.

The Problem: if an external user RDP's to any of the IPs assigned to the Cable connection, the connection doesn't go through. If the IP is on the DSL connection, it goes through fine.

I ran tcpdump on pflog0 and it shows a match and pass (I can provide it if you want). I listened on the internal interface (re1) and it shows the traffic going to the internal server and even coming back, but then it dies.

Let me know!

I feel like I'm just burnt out and not seeing it.
 
I would break down that last pass rule to individual pass rules for each external interface and use reply-to for the rules on ext_if2 to make sure the return traffic goes back via ext_if2.

Code:
reply-to
    The reply-to option is similar to route-to, but routes packets that pass in
    the opposite direction (replies) to the specified interface. Opposite
    direction is only defined in the context of a state entry, and reply-to is
    useful only in rules that create state. It can be used on systems with
    multiple external connections to route all outgoing packets of a connection
    through the interface the incoming connection arrived through (symmetric
    routing enforcement).
 
Thanks for the response, kpa.

You're referring to these lines, right:
Code:
pass in log on $all_ext proto tcp from any to $all_ext port 3389

and

Code:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Let me know.
 
I mean the "pass in" rule for RDP traffic:
Code:
pass in log on $all_ext proto tcp from any to $all_ext port 3389
 
Thanks KPA,

So here's what I did:
Code:
pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to A.A.A.99 port 3389
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to B.B.B.38 port 3389

It also looks as if a line later in my firewall was getting in the way, which was:

Code:
pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to any port $tcp_services
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port $tcp_services

This mattered because $tcp_services listed 3389 as well. It works now.

To anyone reading, I used kpa's advice, broke the command out and it didn't work. I went through my firewall settings before coming back and found a line that also routed the 3389 port. I broke that out as kpa suggested (see second quote above), and it worked!

Thanks KPA!
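The thread's lesson is really about rule evaluation order: pf walks the ruleset top to bottom and the last matching rule decides (unless a match is marked quick), so a later catch-all without reply-to silently overrides an earlier per-interface rule that has it. The lint below is an added example, not code from the thread or from pf; it reconstructs that evaluation over a pf.conf text (macros, { } lists and backslash continuations expanded) and reports, for inbound traffic on a given external interface, whether the deciding rule carries a reply-to that points back out that same interface. The macro values, the internal server address and the pre-fix shape of the $tcp_services line are assumptions. One caveat a practitioner should keep in mind: on pf of this generation (FreeBSD 7.2 carries OpenBSD 4.1's pf) the filter rules see the packet after rdr translation, so the check is run against the internal address, and it is the "to any port $tcp_services" rule, not a rule written "to B.B.B.38", that actually passes the redirected RDP connection and therefore needs the reply-to.

```python
# Added example, not code from the thread: a lint for the failure mode discussed
# above, modelling pf's last-matching-rule-wins evaluation (with "quick").
import re

def _logical_lines(conf):
    text = re.sub(r"\\\n", " ", conf)                      # join continued lines
    return [s for s in (x.split("#", 1)[0].strip() for x in text.splitlines()) if s]

def _expand_macros(line, macros):
    prev = None
    while prev != line:                                    # macro values may nest
        prev = line
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
    return line

def _expand_lists(rule):
    m = re.search(r"\{([^{}]*)\}", rule)                   # "{ a, b }" -> one rule per item
    if not m:
        return [rule]
    out = []
    for item in m.group(1).split(","):
        out.extend(_expand_lists(rule[:m.start()] + item.strip() + rule[m.end():]))
    return out

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip("()") if m else None

_RULE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)$")

def parse_rules(conf):
    macros, rules = {}, []                                 # filter rules in file order
    for ln in _logical_lines(conf):
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?\s*$', ln)
        if m and not _RULE.match(ln):
            macros[m.group(1)] = m.group(2)
            continue
        for r in _expand_lists(_expand_macros(ln, macros)):
            h = _RULE.match(r)
            if not h:
                continue                                   # rdr/nat/options: not filter rules
            opt = h.group("rest")
            rules.append({
                "text": r, "action": h.group("action"), "dir": h.group("dir"),
                "quick": bool(re.search(r"\bquick\b", opt)),
                "on": _grab(r"(?<![\w-])on\s+(\S+)", opt),
                "proto": _grab(r"\bproto\s+(\S+)", opt),
                # lookbehind keeps "route-to", "reply-to" and "proto" from matching as "to"
                "to": _grab(r"(?<![\w-])to\s+(\S+)", opt),
                "port": _grab(r"\bport\s+(\S+)", opt),
                "reply_to": _grab(r"reply-to\s*\(?\s*([^\s()]+)", opt),
            })
    return rules

def effective_rule(rules, iface, proto, dst, port):
    """pf semantics: the last matching rule decides, unless a match is 'quick'."""
    winner = None
    for r in rules:
        if (r["dir"] != "in" or r["on"] not in (None, iface)
                or r["proto"] not in (None, proto)
                or r["to"] not in (None, "any", dst)
                or r["port"] not in (None, str(port))):
            continue
        winner = r
        if r["quick"]:
            break
    return winner

def check_reply_to(conf, iface, proto, dst, port):
    # With rdr in effect, dst is the translated (internal) address: filter rules see it.
    r = effective_rule(parse_rules(conf), iface, proto, dst, port)
    if r is None:
        return ("no-match", None)                          # falls to the default policy
    if r["action"] == "block":
        return ("blocked", r["text"])
    if r["reply_to"] is None:
        return ("missing-reply-to", r["text"])             # replies take the default route
    if r["reply_to"] != iface:
        return ("reply-to-mismatch", r["text"])
    return ("ok", r["text"])

# Constructed samples with hypothetical macro values; rdr lines are omitted
# because the lint only looks at filter rules.
MACROS = "\n".join(['ext_if1 = "re0"', 'ext_if2 = "re2"', 'all_ext = "{ re0, re2 }"',
                    'ext_gw1 = "A.A.A.A"', 'ext_gw2 = "B.B.B.B"',
                    'tcp_services = "{ 80, 443, 3389 }"']) + "\n"
# As first posted: shared rules for both uplinks and no reply-to (the
# $tcp_services line is assumed to have had this shape before the fix).
BROKEN = MACROS + """
pass in log on $all_ext proto tcp from any to $all_ext port 3389
pass in log on $all_ext proto tcp from any to any port $tcp_services
"""
# After the fix: one rule per external interface, each with its own reply-to.
FIXED = MACROS + """
pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to A.A.A.99 port 3389
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to B.B.B.38 port 3389
pass in log on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to any port $tcp_services
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port $tcp_services
"""
```

`check_reply_to(BROKEN, "re2", "tcp", "192.168.22.10", 3389)` reports missing-reply-to on the expanded "pass in log on re2 proto tcp from any to any port 3389" rule, and the same query against FIXED reports ok; appending a "block in on $ext_if2" line flips the FIXED result to blocked, which is the same last-match behaviour seen from the other side. On a live box, pfctl -nf /etc/pf.conf checks the syntax, pfctl -sr prints the expanded rules in the order this lint walks them, and pfctl -vsr adds the per-rule counters that tell you which rule really matched.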
 