Can't see anything immediately wrong with this, but there are a few
things you could change/improve;
# Why are you setting the tcpflags? The defaults are fine and usually
# better. And keep state is the default.
tcpflags = "S/SA"
# macros
ext_if = "em0"
carp_ip = "<removed>"
int_nets = "{ <removed> }"
router = "<removed>"
# reject = black hole
table <reject> file "/etc/pf/reject"
# nat/rdr
match out on em0 from $int_nets to any nat-to $carp_ip
#**********************************************************************
#**********************************************************************
# Rules start here
#**********************************************************************
#**********************************************************************
set skip on { lo0, pfsync0, em1, em4 }
#######################################################################
# All the IN rules go here.
# allow ssh/smtp/dns to router <- Why are you addressing the physical
# router's IP directly? Generally it is better for all inbound traffic
# (public DNS) to refer to CARP IPs so it doesn't matter which firewall
# is live/if one is down etc.
pass in quick on $ext_if proto { tcp, udp } from any to { $router, $carp_ip } port 53 set prio 6
pass in quick on $ext_if proto tcp from any to { $router, $carp_ip } port { 25 } set prio 2
pass in quick on $ext_if proto tcp from any to { $router, $carp_ip } port 22 synproxy state (max-src-conn-rate 5/60, overload <reject> flush global) set prio (2,6)
#######################################################################
# all the OUT rules go here.
# allow router and nat out
pass out quick on $ext_if all modulate state
# block the rest
block out log quick all
block in log quick all
Good luck, Andy.
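An added check, not from the thread: a small sh/awk script that lists every $macro a pf.conf references without ever defining it, the kind of slip that pfctl -nf rejects at load time. The embedded sample config is constructed after the rules in this thread, with placeholder addresses, and includes one deliberate $if_ext / ext_if mismatch for the check to find.

```shell
#!/bin/sh
# List macros that a pf.conf references as $name but never defines with
# "name = value". pfctl -nf rejects such a file; this check runs anywhere
# and names the offending macro. Reads the pf.conf from stdin.
pf_undefined_macros() {
    awk '
        # drop comments so a "$" in a comment is not counted as a reference
        { sub(/#.*/, "") }
        # macro definition line: name = value
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            n = $0
            sub(/^[[:space:]]*/, "", n)
            sub(/[[:space:]]*=.*/, "", n)
            defined[n] = 1
        }
        # collect every $name reference on the line
        {
            s = $0
            while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                used[substr(s, RSTART + 1, RLENGTH - 1)] = 1
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END { for (m in used) if (!(m in defined)) print m }
    ' | sort
}

# Constructed sample in the style of the rules in this thread, with one
# deliberate slip: the macro is defined as ext_if but one rule uses $if_ext.
pf_sample_conf() {
    cat <<'EOF'
ext_if = "em0"
carp_ip = "192.0.2.1"           # constructed placeholder address
int_nets = "{ 10.0.0.0/8 }"     # constructed placeholder network
table <reject> file "/etc/pf/reject"
match out on $ext_if from $int_nets to any nat-to $carp_ip
pass in quick on $ext_if proto tcp from any to $carp_ip port 22 synproxy state (max-src-conn-rate 5/60, overload <reject> flush global)
pass out quick on $if_ext all modulate state
block log quick all
EOF
}

# Run the check over the sample; the only undefined macro is if_ext.
pf_check_sample() {
    pf_sample_conf | pf_undefined_macros
}
```

Pipe a real /etc/pf.conf into pf_undefined_macros before running pfctl -nf on it to get the macro name rather than just a parse error.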
On Wed 22 Jan 2014 17:20:52 GMT, Gabriel Kuri wrote:
Here it is.
em0 - external interface (facing ISP)
em1 - internal interface, layer3, (facing switch running OSPF)
em4 - pfsync interface
pf.conf:
tcpflags = "S/SA"
# macros
ext_if = "em0"
carp_ip = "<removed>"
int_nets = "{ <removed> }"
router = "<removed>"
# reject = black hole
table <reject> file "/etc/pf/reject"
# nat/rdr
match out on em0 from $int_nets to any nat-to $carp_ip
#**********************************************************************
#**********************************************************************
# Rules start here
#**********************************************************************
#**********************************************************************
# anything goes on the loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# anything goes on em1
pass in quick on em1 all
pass out quick on em1 all
# anything goes on em4
pass in quick on em4 all
pass out quick on em4 all
#######################################################################
# All the IN rules go here.
# allow ssh/smtp/dns to router
pass in quick on $ext_if proto udp from any to $router port 53 keep state
pass in quick on $ext_if proto tcp from any to $router port {25 53} flags $tcpflags keep state
pass in quick on $ext_if proto tcp from any to $router port 22 flags $tcpflags keep state (max-src-conn-rate 5/60)
#######################################################################
# all the OUT rules go here.
# allow router out
pass out quick on $ext_if from <ip_removed> to any flags $tcpflags keep state
# allow nat interface out
pass out quick on $ext_if from $carp_ip to any flags $tcpflags keep state
# block the rest
block out log quick all
block in log quick all
On Tue, Jan 21, 2014 at 11:21 PM, mxb <m...@alumni.chalmers.se> wrote:
Your PF rules are needed too for this.
On 22 jan 2014, at 00:51, Gabriel Kuri <gk...@ieee.org> wrote:
I am running obsd 5.4 as my NAT router. I decided to set up a second obsd
box and run carp between the two for the external NATed interface (facing
the ISP). After I set up everything and switched pf to NAT using the address
on the carp interface, I'm seeing about 12Mbps - 13Mbps on the download; I
have a 60Mbps pipe (down). When I switch pf back to NAT using the address
on the physical interface, I get my full 60Mbps. Any ideas as to what I
could be doing wrong that would limit performance through the carp
interface to around 12Mbps - 13Mbps?
Thanks ...