Hi everyone,
Anyone ever have any issues accessing certain HTTPS sites? We have our OpenBSD box acting as the firewall, and it utilizes an asymmetrical dual WAN connection (two different ISPs). The error that is most telling is from LogMeIn, where it states I have an IP address mismatch. This doesn't make sense to me since I have a rule that forces HTTPS traffic to only go through the first WAN interface. Furthermore, I also went ahead and reloaded my PF to only utilize the one interface and still have the same issue (did a pfctl -F all -f /etc/pf.conf). Below is my pf.conf. Code:
# PF Configuration
############
## MACROS ##
############
# Interfaces
int_if = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if = "tun0" #VPN Tunnel
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24
# Misc
ext = "{ vr1, axe0 }"
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
abcnet = "10.21.0.0/16"
vpnnet = "172.25.0.0/24"
#SH_Ext = "x.x.x.x"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 21, 22, 443, 1194, 3389, 8008, 10000 }"
abc_scanner = "{ 21, 80, 443, 990, 2002, 3000:3019 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
voipport = "{ 4569 }"
# Addresses
MFC8780 = "10.0.0.5"
# Ports
RDP = "{ 3389 }"
# FTP Pass
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
############
## TABLES ##
############
####################
## GLOBAL OPTIONS ##
####################
set skip on lo0
###########################
## TRAFFIC NORMALIZATION ##
###########################
####################
## QUEUEING RULES ##
####################
#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################
match in all scrub (no-df max-mss 1440)
match out on $vpn_if from $localnet nat-to $vpn_if
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)
###################
## FILTERS RULES ##
###################
#antispoof for $int_if
#antispoof for $ext_if1
#antispoof for $ext_if2
block in log
block out log
# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute
pass inet proto { tcp, udp } from { self, $localnet, $vlan100net, $vpnnet }
# Single WAN - DISABLED
#pass out log on $ext_if1 proto { tcp udp icmp } all
### Dual WAN Configuration
pass in log on $int_if from { $localnet, $vpnnet } route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)
# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2
# Route packets from any IPs on $ext_if1 to $ext_gw1, and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
pass in inet proto tcp to port ssh
pass inet proto icmp
# VPN
pass quick on $vpn_if
pass in on !$ext_if1 to $abcnet
pass in on !$ext_if2 to $abcnet
pass in quick proto udp from any to port 1194
block in on ! lo0 proto tcp to port 6000:6010
I think that you should add "log" to all of your rules, both pass and block, and use tcpdump with pflog0, and watch which pass rules apply.
I say this because watching pass rules may show you that the packets you want to direct to a single ISP with route-to are matching unintended rules. Unless "quick" is used, in PF, the last matching rule wins. I see this rule, which I think you want to apply to this traffic: Code:
# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)
Code:
# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2
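One way to act on the reply's advice (log every rule, then watch pflog0) is to correlate the rule numbers tcpdump prints against the numbered listing from pfctl -vvsr, so you can see which pass rule really handled each HTTPS packet. This is an added example, not code from the thread; the pfctl and tcpdump output embedded in it is constructed sample text with made-up rule numbers, standing in for the real command output.

```shell
#!/bin/sh
# Added example (not from the thread): match the rule numbers that tcpdump
# prints for pflog0 against the numbered rule listing from pfctl -vvsr, so
# you can see which pass rule actually handled each HTTPS packet.
# Both inputs below are constructed sample text, not real command output.
# On a live box you would use:  pfctl -vvsr  and  tcpdump -n -e -i pflog0 'tcp port 443'

RULES='@0 match in all scrub (no-df max-mss 1440)
@5 pass in log on vr0 inet from 10.0.0.0/24 to any flags S/SA route-to { (vr1 x.x.x.x), (axe0 y.y.y.y) } round-robin
@7 pass in log on vr0 inet proto tcp from 10.0.0.0/24 to any port = 443 flags S/SA route-to (vr1 x.x.x.x)'

PFLOG='Jan 01 10:00:00.000001 rule 5/(match) pass in on vr0: 10.0.0.5.50123 > 203.0.113.10.443: S 1:1(0) win 65535
Jan 01 10:00:00.000002 rule 7/(match) pass in on vr0: 10.0.0.6.50124 > 203.0.113.11.443: S 1:1(0) win 65535
Jan 01 10:00:00.000003 rule 5/(match) pass in on vr0: 10.0.0.7.50125 > 203.0.113.12.443: S 1:1(0) win 65535'

# rule_text N: print the body of rule @N from the pfctl -vvsr listing
rule_text() {
    printf '%s\n' "$RULES" |
        awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# match_counts: "<rule number> <packets>" for every rule seen in the pflog output
match_counts() {
    printf '%s\n' "$PFLOG" |
        awk 'match($0, /rule [0-9]+\//) { c[substr($0, RSTART + 5, RLENGTH - 6)]++ }
             END { for (r in c) print r, c[r] }' | sort -n
}

# report: one line per rule, flagging rules that spread traffic over both WANs
report() {
    match_counts | while read -r num cnt; do
        text=$(rule_text "$num")
        case "$text" in
            *round-robin*) tag="ROUND-ROBIN: source IP alternates between WANs" ;;
            *route-to*)    tag="single WAN" ;;
            *)             tag="no route-to" ;;
        esac
        printf 'rule %s: %s packet(s) [%s] %s\n' "$num" "$cnt" "$tag" "$text"
    done
}

report
```

Replace the two constructed strings with the real `pfctl -vvsr` and `tcpdump -n -e -i pflog0 'tcp port 443'` output to run it against a live box; a round-robin rule showing up against port 443 packets is exactly the mismatch the reply describes.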