Trying to get multiWAN to work on 2.0



  • The various posts I've read have said:

    • You need a firewall rule at the end of the list that points to a gateway.

    • The gateway should be defined as being your two (or more) WANs in the routing page (system_gateways.php).

    The firewall rules should then show up in the output from pfctl -sr
    (IPs changed to protect the guilty):

    # pfctl -sr
    scrub in on nfe0 all fragment reassemble
    scrub in on et0 all fragment reassemble
    scrub in on dc0 all fragment reassemble
    scrub in on re0 all fragment reassemble
    anchor "relayd/*" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop in quick inet6 all
    block drop out quick inet6 all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in log quick on nfe0 from <bogons> to any label "block bogon networks from WAN1"
    block drop in on ! nfe0 inet from 7.7.7.5/30 to any
    block drop in inet from 7.7.7.7 to any
    block drop in on ! et0 inet from 10.10.1.0/24 to any
    block drop in inet from 10.10.1.1 to any
    block drop in on ! dc0 inet from 10.10.128.0/24 to any
    block drop in inet from 10.10.128.1 to any
    block drop in on nfe0 inet6 from fe80::21a:4dff:fef0:209a to any
    block drop in on et0 inet6 from fe80::213:3bff:fe03:447 to any
    block drop in on dc0 inet6 from fe80::260:6eff:fe75:fd52 to any
    block drop in log quick on re0 from <bogons> to any label "block bogon networks from WAN2"
    block drop in on ! re0 inet from 8.8.8.6/29 to any
    block drop in inet from 8.8.8.8 to any
    block drop in on re0 inet6 from fe80::21d:fff:febe:25d6 to any
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (nfe0 7.7.7.6) inet from 7.7.7.7 to ! 7.7.7.5/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (re0 8.8.8.7) inet from 8.8.8.8 to ! 8.8.8.6/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on et0 proto tcp from any to (et0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on et0 proto tcp from any to (et0) port = ssh flags S/SA keep state label "anti-lockout rule"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet from any to 10.10.128.0/24 flags S/SA keep state label "USER_RULE"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to any port = auth flags S/SA keep state label "USER_RULE: Mail External access"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto udp from any to 7.7.7.7 keep state label "USER_RULE: OpenVPN mainVPN wizard"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: ssh"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to 10.10.1.2 port = smtp flags S/SA keep state label "USER_RULE: NAT mail inbound for mmc"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to 10.10.1.2 port = https flags S/SA keep state label "USER_RULE: NAT mail ident for mmc"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to 10.10.128.16 port = down flags S/SA keep state label "USER_RULE: NAT MGXxx port 2022"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to 10.10.128.16 port = 8443 flags S/SA keep state label "USER_RULE: NAT MGXxx port 8443"
    pass in quick on nfe0 reply-to (nfe0 7.7.7.6) inet proto tcp from any to 10.10.128.16 port = 8444 flags S/SA keep state label "USER_RULE: NAT MGXxx port 8444"
    pass in quick on et0 inet from 10.10.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on openvpn all flags S/SA keep state label "USER_RULE: OpenVPN mainVPN wizard"
    pass in quick on dc0 all flags S/SA keep state label "USER_RULE: Allow Web"
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all


    Per http://www.openbsd.org/faq/pf/pools.html#outgoing
    Address pools can be used in combination with the route-to filter option to load balance two or more Internet connections when a proper multi-path routing protocol (like BGP4) is unavailable. By using route-to with a round-robin address pool, outbound connections can be evenly distributed among multiple outbound paths.

    As I read the pfctl -sr output, the route-to statements say "! external interface"… the ! part I am not grokking - why is it there?
    And there is no "match out blah nat-to" - why is that not there?

    Now, elsewhere in the pfSense web pages, someone pointed out problems with round robin and the changing of your IP: some websites will be upset with your IP being 7.7.7.7 and then later 8.8.8.8. I remember this being addressed by putting a table in play to map connections, and my memory is that pf does this with "match out on blah source-hash". As my pfctl output lacks that, how do I get it into the output via the web configurator?

    And the last thing I do not grok: in theory, if pf is doing all the heavy lifting of routing, then if I ran netstat -rn | grep default | wc -l I should see a 0 and not a 1, correct?
    (aka set no default routes)


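Added example, not part of the original post and not something the pfSense web configurator generates: the OpenBSD FAQ load-balancing pattern quoted above, hand-written against the interfaces and addresses that appear in the pfctl -sr output (7.7.7.7 via 7.7.7.6 on nfe0, 8.8.8.8 via 8.8.8.7 on re0, LAN 10.10.1.0/24 on et0). It assumes the pf that ships with pfSense 2.0 (FreeBSD 8.x), which predates OpenBSD's `match ... nat-to` syntax: outbound NAT there is written as `nat on ... -> (if)`, and NAT rules are listed by `pfctl -sn`, not by `pfctl -sr`, which only prints filter rules. Two details worth checking against the generated ruleset: `sticky-address` on the round-robin pool is what keeps one client's source IP on the WAN it was first assigned, and the `! 7.7.7.5/30` form in the generated `route-to` rules simply exempts traffic to that WAN's own subnet from being pushed through the gateway. Nothing in `route-to` removes the kernel's default route; packets the firewall originates itself, and anything not matched by a route-to rule, still follow the table that netstat -rn shows.

```conf
# Added example (not from the original post). Multi-WAN round-robin with
# route-to in the pre-OpenBSD-4.7 pf syntax that pfSense 2.0 / FreeBSD 8.x uses.
# Interface names and addresses are taken from the pfctl -sr output above;
# everything else is an assumption for illustration.
lan_if   = "et0"
lan_net  = "10.10.1.0/24"
wan1_if  = "nfe0"
wan1_gw  = "7.7.7.6"
wan1_net = "7.7.7.5/30"   # the subnet pf printed for nfe0 in the output above
wan2_if  = "re0"
wan2_gw  = "8.8.8.7"
wan2_net = "8.8.8.6/29"   # the subnet pf printed for re0 in the output above

# Outbound NAT, one rule per WAN, translating to that interface's own address.
# These are translation rules: look for them with `pfctl -sn`, not `pfctl -sr`.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

block in log all
block out log all

# Packets the firewall itself originates use the kernel routing table
# (the default route netstat -rn shows), not these route-to rules.
pass out all flags S/SA keep state

# Traffic to the gateway box itself and to each WAN's own subnet must not be
# redirected through the other WAN's gateway. This is the job the
# "to ! 7.7.7.5/30" / "to ! 8.8.8.6/29" negations do in the generated rules.
pass in quick on $lan_if from $lan_net to $lan_if flags S/SA keep state
pass in quick on $lan_if from $lan_net to $wan1_net flags S/SA keep state
pass in quick on $lan_if from $lan_net to $wan2_net flags S/SA keep state

# Load-balance everything else from the LAN across both WANs.
# round-robin alternates gateways per new connection; sticky-address pins a
# given source IP to the gateway it was first handed, so a client keeps the
# same public address across connections (the "stable IP" concern above).
pass in quick on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address \
    proto tcp from $lan_net to any flags S/SA keep state
pass in quick on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address \
    proto { udp, icmp } from $lan_net to any keep state

# Let the balanced traffic leave each WAN interface.
pass out on $wan1_if proto tcp from any to any flags S/SA keep state
pass out on $wan1_if proto { udp, icmp } from any to any keep state
pass out on $wan2_if proto tcp from any to any flags S/SA keep state
pass out on $wan2_if proto { udp, icmp } from any to any keep state

# If a packet sourced from one WAN's address is about to leave the other WAN
# (the kernel default route pointing the wrong way), force it back onto its
# own link. This mirrors the per-WAN "pass out route-to" rules pfSense emits.
pass out on $wan1_if route-to ($wan2_if $wan2_gw) from $wan2_if to any
pass out on $wan2_if route-to ($wan1_if $wan1_gw) from $wan1_if to any

# Inbound services: reply-to sends answers back out the WAN they arrived on,
# as in the USER_RULE lines above, so a connection never straddles both links.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) proto tcp \
    from any to any port https flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) proto tcp \
    from any to any port https flags S/SA keep state
```

To check a fragment like this without loading it, run `pfctl -nvf /path/to/file`: `-n` parses only, and `-v` prints the rules as pf expands them, which is the same form pfctl -sr prints and lets you compare macro-written rules with what the web configurator emitted. The `sticky-address` keyword does not appear in pfctl -sr output; it is a property of the address pool and shows up as a flag in the state-tracking options, so its absence from the rule listing alone does not mean it is off.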