OpenBSD 5 i386

fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
xl1 - LAN interface to internal network - 192.168.1.0/24

I need to route a small amount of FTP traffic to head office through a
second WAN connection, which connects to the company VPN through a
Cisco router over which I have no control. The remaining Internet
traffic exits via a standard DSL link to the ISP.

I do not need link aggregation of the two WAN interfaces.

1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and
hostname.fxp0?

e.g.,
/etc/hostname.fxp0
inet xxx.xxx.xxx.116 255.255.255.240
!route add 0.0.0.0 xxx.xxx.xxx.113

/etc/hostname.xl0
inet xxx.xxx.xxx.131 255.255.255.192
!route add -net 123.456.789 xxx.xxx.xxx.129

2) I have two rules for NAT in pf.conf.

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

What I am not clear about is how to deal with FTP to head office. I
have ftp-proxy running. Do I use route-to on the internal interface
before FTP traffic for head office from the LAN has been re-directed to
ftp-proxy ...


pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
        port ftp route-to ($ext_if1 $ext_gw1)

pass in quick on $int_if inet proto tcp to port 21 \
        divert-to 127.0.0.1 port 8021


... or on the external interface, after it has been re-directed
through ftp-proxy:


pass in quick on $int_if inet proto tcp to port 21 \
        divert-to 127.0.0.1 port 8021

pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
        port ftp route-to ($ext_if1 $ext_gw1)


?

--
Gerard Lally
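
An added example, not part of the original post, showing one way the pieces above fit together in a single pf.conf for the three-interface box described. It assumes the default route still comes from /etc/mygate, the head office route from the "!route add" line in hostname.xl0, a head office range of 203.0.113.0/24 standing in for the obfuscated 123.456.789.xxx, and that ftp-proxy is started as "ftp-proxy -a xxx.xxx.xxx.131" so its server-side connection is sourced from the xl0 address. Two properties of pf evaluation shape the layout: divert-to delivers the packet to the local ftp-proxy socket, so a route-to on that same inbound rule has nothing left to steer, and because the last matching rule wins unless one is quick, a route-to rule that precedes a quick divert-to rule for the same packets is overridden. The proxy's connection to the server is firewall-originated, so the only place a route-to can act on it is a pass out rule matched on the firewall's own source address. The data connections are passed by the rules ftp-proxy inserts into its anchor and follow the routing table, which is why the static route for head office on xl0 stays; with it in place the route-to rule is a safety net for the control connection rather than a requirement.

```pf
# Added example (not from the original post). Interface names and addresses
# follow the description at the top of the message; $ho_net is an assumed
# placeholder for the head office network reached through the Cisco VPN.
ext_if1 = "fxp0"                # DSL to the ISP, carries the default route
ext_gw1 = "xxx.xxx.xxx.113"
ext_if2 = "xl0"                 # link to the Cisco VPN router
ext_gw2 = "xxx.xxx.xxx.129"
int_if  = "xl1"
lan_net = "192.168.1.0/24"
ho_net  = "203.0.113.0/24"      # assumption: head office range behind the VPN

set skip on lo0

# Translation for LAN traffic on either WAN link. match rules apply nat-to
# as soon as they match and never decide pass/block, so they can go first.
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

# ftp-proxy(8) inserts its own rdr-to/nat-to/pass rules for every data
# connection into this anchor; those rules follow the routing table.
anchor "ftp-proxy/*"

block log all

# Control connection from the LAN: hand it to ftp-proxy listening on 8021.
# quick, and ahead of the general LAN pass rule, so nothing later overrides
# it. route-to does not belong here: divert-to ends this packet's path at
# the local socket, and the proxy opens a new connection to the server.
pass in quick on $int_if inet proto tcp from $lan_net to port ftp \
        divert-to 127.0.0.1 port 8021

# Everything else from the LAN follows the routing table (default via fxp0,
# $ho_net via xl0 because of the static route in hostname.xl0).
pass in on $int_if inet from $lan_net

# Generic outbound pass on both links; the states created here let replies
# back in. These come BEFORE the route-to rule below, because with no quick
# the last matching rule wins and a later generic pass would cancel it.
pass out on $ext_if1 inet
pass out on $ext_if2 inet

# The proxy's server-side control connection is firewall-originated. With
# "ftp-proxy -a xxx.xxx.xxx.131" it is sourced from the xl0 address; should
# the kernel pick fxp0 for it (e.g. the static route is missing), pf sends it
# to the VPN gateway instead. Matching on the firewall's own xl0 source
# address keeps this rule from touching anything else the box sends out.
pass out on $ext_if1 inet proto tcp from ($ext_if2) to $ho_net port ftp \
        route-to ($ext_if2 $ext_gw2)
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading. "route -n get 203.0.113.10" shows which interface the kernel picks for a head office address, "pfctl -vsr" shows the per-rule evaluation and packet counters so you can see whether the divert-to or the route-to rule is the one matching, and "tcpdump -ni xl0 tcp port 21" confirms that the control connection actually leaves on the VPN link.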

