How to route traffic from two ISPs in OpenBSD without BGP.
Scenario: two independent ISPs, one LAN, one OpenBSD 4.9 box.
To do: create one default route via the first ISP and pass specified in/out traffic via the second ISP. Also create a DMZ whose services are reachable from the LAN and via ISP 2, and allow the LAN to reach the Internet. This scenario doesn't include load balancing or fail-over.
Solution:
route add default 11.11.11.11
/etc/pf.conf:
# interfaces
ext_if1="pppoe0"
ext_gw1="11.11.11.11"   # Gateway for pppoe0 - ISP1
ext_if2="em0"
ext_gw2="22.22.22.22"   # Gateway for em0 - ISP2
int_if="fxp0"           # LAN

# PPPOE: clamp MSS so PPPoE-encapsulated TCP does not fragment
match on $ext_if1 scrub (max-mss 1440)

# LIMIT UPLOAD
altq on $ext_if1 priq bandwidth 500Kb queue {up_std, up_prio}
queue up_prio priority 7
queue up_std priority 1 priq(default)

# Default policy: deny everything not explicitly passed, and log it
block in log all
block out log all
set block-policy drop

# loopback
set skip on lo

# NAT for the LAN going out via ISP1 (the default route)
pass out on $ext_if1 from 192.168.10.0/24 to any nat-to ($ext_if1)

# Allow anything from the internal network out onto the Internet (TCP only, as written)
pass in quick on $int_if proto tcp from $int_if:network to any

# --- WWW DMZ
# WAN1: web server reachable via ISP1
pass in quick on $ext_if1 proto tcp from any to ($ext_if1) port 80 rdr-to 192.168.10.2 port 80
# WAN2: web server reachable via ISP2; reply-to forces the return traffic back out
# through em0 to ISP2's gateway instead of following the default route via ISP1
pass in quick on $ext_if2 \
    proto tcp from any to ($ext_if2) port 80 \
    rdr-to 192.168.10.2 port 80 \
    reply-to ($ext_if2 $ext_gw2)
# INT_IF out: let redirected (and LAN) connections reach the web server
pass out quick on $int_if proto tcp from any to 192.168.10.2 port 80
# --- WWW DMZ
/etc/sysctl.conf:
net.inet.ip.forwarding=1
Reboot, and voilà!
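The ruleset above covers the inbound half of the second ISP (reply-to on the DMZ rule); the outbound half, sending chosen LAN traffic out via ISP 2, is the route-to counterpart. The following fragment is an added example, not part of the original post, written for the same OpenBSD 4.9 syntax and reusing the post's macros; the choice of ports 80 and 443 is an assumption made here for illustration.

```pf
# Added example, not from the original post. Assumes the macros ext_if2,
# ext_gw2 and int_if from the post's pf.conf, and that ext_gw2 is directly
# reachable on em0.

# Selected LAN traffic (here: web, an assumed choice) leaves via ISP 2.
# route-to overrides the kernel default route (ISP 1) for packets that match
# this rule. The state is created on $int_if, so the replies that later
# arrive on em0 are matched to it without needing an extra inbound rule.
pass in quick on $int_if proto tcp from $int_if:network to any port { 80 443 } \
    route-to ($ext_if2 $ext_gw2)

# The default policy is block out, so routed packets still need a pass out
# rule on em0. nat-to rewrites the RFC 1918 source to ISP 2's address;
# without it the upstream sees private sources and drops them.
pass out quick on $ext_if2 from $int_if:network to any nat-to ($ext_if2)

# Everything else from the LAN keeps following the default route via ISP 1
# and is translated by the post's nat-to rule on $ext_if1.
pass in on $int_if from $int_if:network to any
```

Because `block in log all` / `block out log all` remain in force, anything not matched by a route-to or reply-to rule still takes the default route, so a mistake here shows up as logged drops on em0 rather than as traffic silently leaking out of the wrong ISP.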