[87386] in North American Network Operators' Group

Re: NAT Configuration for Dual WAN Router

daemon@ATHENA.MIT.EDU (Brian Kerr)
Thu Dec 15 16:58:13 2005

Date: Thu, 15 Dec 2005 16:57:44 -0500
From: Brian Kerr <kerrboy@gmail.com>
To: nanog@merit.edu
In-Reply-To: <004e01c60119$069e0fb0$0a26a8c0@windows.jmdn>
Errors-To: owner-nanog@merit.edu

On 12/14/05, Joe Johnson <nanog@sendjoeanemail.com> wrote:
>
> I've been trying over and over to figure this one out, but I'm just hitting
> the end of my wits.  We have a remote office that can only get 768Kbps DSL,
> which they've not totally maxed out.  So management's solution now is to buy
> a second DSL line, but they won't let me buy a dual WAN router (in case they
> add a 3rd DSL line).

This works flawlessly with cheap hardware running openbsd+pf.  I've
done this in several instances when load balancing "users" over two
connections was required.  I've attached a pf.conf that does just
this.

The other solution (if you want to call it that) was a Symantec
dual-wan router/vpn appliance which was horribly broken and met a
timely death once the openbsd box replaced it.

-Brian

Attachment: pf.conf

#       $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

#table <spamd> persist
#table <spamd-white> persist

#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }


lan_net = "192.168.2.0/24"
prod_net = "192.168.1.0/24"
westcoast_net = "x.x.x.x/30"
xo_net = "x.x.x.x/28"
int_if  = "dc0"
ext_if1 = "dc1"
ext_if2 = "dc2"
ext_gw1 = "x.x.x.x"
ext_gw2 = "x.x.x.x"
openbsd_xo_ext = "x.x.x.x"

# scrub all inbound packets
scrub in all

#  nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1) sticky-address
nat on $ext_if2 from $lan_net to any -> ($ext_if2) sticky-address

#redirect to ftp proxy for passive mode function
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#  default deny
block in  from any to any
block out from any to any

# pass traffic on the loopback interface in either direction
pass quick on lo all

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
pass out on $int_if from any to $prod_net


#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any modulate state

#  aim bypass rule - needed to go out only one interface
pass in on $int_if route-to ($ext_if1 $ext_gw1)  \
proto tcp from $lan_net to any port 5190 flags S/SA modulate state

# verisign bypass rule - needed to go out only one interface
pass in on $int_if route-to ($ext_if1 $ext_gw1)  \
proto tcp from $lan_net to x.x.x.x port { 80 443 } flags S/SA modulate state

#ftp proxy rules
pass in log on $ext_if1 proto tcp from any port 20 to $ext_if1 port { 55000 >< \
57000 } flags S/SA keep state

pass in log on $ext_if2 proto tcp from any port 20 to $ext_if2 port { 55000 >< \
57000 } flags S/SA keep state

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA keep state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA keep state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
