Differences

This shows you the differences between two versions of the page.

--- network:packet_filter:load_balance [2013/03/15 14:17]
tschulz created
+++ network:packet_filter:load_balance [2014/03/05 09:44] (current)
tschulz [Route traffic based on destination]
@@ Line 1: / Line 1: @@
-<file config pf.conf>
+  * route-to roundrobin will not work with ftp since every transfer opens up a new connection
+  * use **round-robin proto tcp from $lan_net to any port !ftp flags S/SA modulate state** to exempt ftp
+<file pf pf.conf>
 # --------------- file /etc/pf.conf --------------------
 lan_net = "10.1.0.0/22"
@@ Line 30: / Line 32: @@
 </file>
+====== Route traffic based on destination ======
+  * packet filter matches on the last rule that matches, so start with a generic rule and get more specific as you write the config file.
+<file pf>
+pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto tcp from <dynamic_ips> to <ext_nets> port {80} flags S/SA modulate state
+pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto {udp,icmp} from <dynamic_ips> to <ext_nets> keep state
+pass in on $int_if route-to { ($ext_if2 $ext_gw2) } proto tcp from <dynamic_ips> to 208.85.40.0/21 port {80} flags S/SA modulate state  # route panadora through wcta
+pass in on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from <dynamic_ips> to 17.0.0.0/8 port {80} flags S/SA modulate state # route apple through FED
+</file>

ISD 820 Knowledge Base