Re: NAT and traffic directing
From: Saad Kadhi (saad at docisland.org)
Date: Fri Sep 03 2004 - 03:08:49 CDT
On Fri, Sep 03, 2004 at 05:03:27PM +1000, Dave Harrison wrote:
> I have 2 ADSL links coming into my firewall and I want to be able to
> direct certain kinds of traffic down one link, and certain other kinds
> down the other link.
>
> For example I would like to send all outbound HTTP traffic down one
> link, while my VPN connection goes down another link (one line has a
> better SLA but lower limits, while the other has higher limits but a not
> as good SLA - guess which data goes where ;-) ).
>
> I've read through the pf documentation, but a solution isn't springing
> to mind.
> I think the solution could involve packet tagging, but I'm not sure.
Yup. The "route-to" keyword is what you need. Also read the
faq/pf/pools.html page. I have a cable link and an ADSL link and I:
- share the load between the two links for some connections.
- make some connections (whether port-based or host-based) go thru one
or the other link.
for example:
# Do not load balance the DNS queries from our local network to
# the outside. These must all go through our ADSL link to reach the ADSL
# provider's caching name servers.
pass in quick on $if_int proto tcp \
from <DnsLocal> to <DnsAdslIsp> \
port domain flags S/SAFRUP keep state
pass in quick on $if_int proto udp \
from <DnsLocal> to <DnsAdslIsp> \
port domain keep state
# Do not load balance traffic (all traffic!) initiated by the Windows
# workstation. All goes thru the CABLE link.
# <NoLb> is the table of destinations excluded from load balancing
# (pf table names are case-sensitive, so it is spelled the same way
# everywhere).
pass in quick on $if_int route-to ($if_ext2 $gw_ext2) \
proto tcp \
from kaboo.sk.org to !<NoLb> \
flags S/SAFRUP modulate state
pass in quick on $if_int route-to ($if_ext2 $gw_ext2) \
proto { udp icmp } \
from kaboo.sk.org to !<NoLb> \
keep state
[snip]
# Load balance outgoing TCP traffic initiated by the internal network
# and going to the Internet among our two Internet connections (CABLE
# and ADSL).
pass in quick on $if_int route-to \
{ ($if_ext1 $gw_ext1), ($if_ext2 $gw_ext2) } round-robin \
proto tcp from ($if_int:network) \
to !<NoLb> flags S/SA modulate state
# Load balance outgoing ICMP and UDP traffic initiated by the internal
# network
# and going to the Internet among our two Internet connections (CABLE
# and ADSL).
pass in quick on $if_int route-to \
{ ($if_ext1 $gw_ext1), ($if_ext2 $gw_ext2) } round-robin \
proto { icmp udp } from ($if_int:network) \
to !<NoLb> keep state
--
cheers
- saad.
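As an added example (not part of either post in this thread), here is what the setup asked for in the original question could look like as a complete ruleset, in the pf syntax of that era (OpenBSD 3.x/4.x, before nat became a match option in 4.7): outbound HTTP leaves on the high-quota link, the VPN leaves on the link with the better SLA, and everything else is balanced. The interface names, gateway addresses, the VPN peer (assumed to be an IPsec gateway reached from a host on the LAN) and the SSH service are all assumptions chosen for illustration.

```pf
# Added example, not from the original post. Interface names, gateways
# and the VPN peer are assumptions; addresses are RFC 5737 documentation
# ranges, substitute your own.
if_int   = "sis0"
if_ext1  = "sis1"           # link A: better SLA, lower transfer limits
if_ext2  = "sis2"           # link B: higher transfer limits, weaker SLA
gw_ext1  = "192.0.2.1"
gw_ext2  = "198.51.100.1"
vpn_peer = "203.0.113.10"   # remote VPN gateway (assumed IPsec: IKE + ESP)

# Destinations that must never be policy-routed or NATed (local nets).
table <NoLb> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# route-to only chooses the next hop; it does not rewrite the source
# address. NAT therefore has to be done on each external interface with
# that interface's own address, or the ISP will drop the foreign source.
nat on $if_ext1 from $if_int:network to !<NoLb> -> ($if_ext1)
nat on $if_ext2 from $if_int:network to !<NoLb> -> ($if_ext2)

block in log all
pass quick on lo0
pass out keep state          # what we initiate may leave on either link

# Replies to connections that arrived on a given link must go back out
# that same link, otherwise they leave with the other ISP's address.
pass in on $if_ext1 reply-to ($if_ext1 $gw_ext1) proto tcp \
    from any to ($if_ext1) port ssh flags S/SA keep state
pass in on $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp \
    from any to ($if_ext2) port ssh flags S/SA keep state

# LAN-to-LAN traffic is ordinary routing: no route-to here.
pass in quick on $if_int from $if_int:network to <NoLb> keep state

# VPN to the peer: always the better-SLA link (IKE on udp 500/4500, ESP).
pass in quick on $if_int route-to ($if_ext1 $gw_ext1) \
    proto udp from $if_int:network to $vpn_peer port { 500, 4500 } keep state
pass in quick on $if_int route-to ($if_ext1 $gw_ext1) \
    proto esp from $if_int:network to $vpn_peer keep state

# Outbound HTTP and HTTPS: always the high-quota link.
pass in quick on $if_int route-to ($if_ext2 $gw_ext2) \
    proto tcp from $if_int:network to !<NoLb> port { www, https } \
    flags S/SA modulate state

# Everything else: balance across both links, but pin each internal host
# to one link (sticky-address) so sites that tie a session to the client's
# source address keep working.
pass in quick on $if_int route-to \
    { ($if_ext1 $gw_ext1), ($if_ext2 $gw_ext2) } round-robin sticky-address \
    proto tcp from $if_int:network to !<NoLb> flags S/SA modulate state
pass in quick on $if_int route-to \
    { ($if_ext1 $gw_ext1), ($if_ext2 $gw_ext2) } round-robin sticky-address \
    proto { udp icmp } from $if_int:network to !<NoLb> keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then confirm the policy with `tcpdump -ni sis2 tcp port 80` (HTTP should appear only on link B) and `tcpdump -ni sis1 esp` (ESP only on link A). Two things commonly go wrong with this kind of setup: a route-to rule without a matching nat rule on the chosen interface sends packets with the wrong source address, and a round-robin pool without sticky-address spreads one client's connections over both ISPs' addresses, which breaks sites that bind a session to the client IP. As in the ruleset above, DNS also needs thought: if you use each ISP's caching resolvers, the queries have to be pinned to that ISP's link.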