Differences

This shows you the differences between two versions of the page.

--- network:packet_filter:load_balance [2013/09/20 20:37]
tschulz
+++ network:packet_filter:load_balance [2014/03/05 09:44] (current)
tschulz [Route traffic based on destination]
@@ Line 1: / Line 1: @@
   * route-to roundrobin will not work with ftp since every transfer opens up a new connection
   * use **round-robin proto tcp from $lan_net to any port !ftp flags S/SA modulate state** to exempt ftp
-<file config pf.conf>
+<file pf pf.conf>
 # --------------- file /etc/pf.conf --------------------
 lan_net = "10.1.0.0/22"
@@ Line 30: / Line 30: @@
 pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp from ($ext_if2) to any
 pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp  from ($ext_if1) to any
+</file>
+====== Route traffic based on destination ======
+  * packet filter matches on the last rule that matches, so start with a generic rule and get more specific as you write the config file.
+<file pf>
+pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto tcp from <dynamic_ips> to <ext_nets> port {80} flags S/SA modulate state
+pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto {udp,icmp} from <dynamic_ips> to <ext_nets> keep state
+pass in on $int_if route-to { ($ext_if2 $ext_gw2) } proto tcp from <dynamic_ips> to 208.85.40.0/21 port {80} flags S/SA modulate state  # route panadora through wcta
+pass in on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from <dynamic_ips> to 17.0.0.0/8 port {80} flags S/SA modulate state # route apple through FED
 </file>

ISD 820 Knowledge Base

User Tools

Site Tools

Differences

Page Tools