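ФІО = FreeBSD PF 2 канала Запитання:http://habrahabr.ru/post/66851/
====================================
ANSWER
====================================
http://www.ussr.kiev.ua/ru/PF_Squid
END of ANSWER
====================================
ANSWER
====================================
http://habrahabr.ru/post/124447/
END of ANSWER
====================================
ANSWER
====================================
https://forums.freebsd.org/threads/ipfw-one-isp-two-xdsl-internet-channels-load-balancing.36205/
END of ANSWER
====================================
ANSWER
====================================
http://wiki.mesouug.com/index.php/FreeBSD_/_One_ISP_/_Two_and_more_xDSL/internet_channels_/_Load_balancing
END of ANSWER
====================================
ANSWER
====================================
#!/bin/sh
#
# /etc/firewall -- ipfw ruleset for a FreeBSD router with two ADSL uplinks
# (adsl1, adsl2) plus a vlan200 uplink: one ipfw nat instance per uplink,
# setfib-based policy routing driven by packet tags, and PPTP forwarding to
# an internal host (192.168.1.XXX is a placeholder kept from the original).
#
# Two variables are referenced by the rules but were never assigned in the
# original script:
#   lif   - the internal (LAN) interface name
#   pifs  - the interface spec used by the anti-spoofing rules at 3050
# They are taken from the environment and checked before anything is flushed.

# Random start delay so several copies started at the same time do not all
# pass the "already running" check below at the same moment.
delay=$(/usr/bin/jot -r 1 0 9)
echo "${delay} seconds delay..."
sleep "${delay}"

# Refuse to run while another copy is active.  The count includes this shell,
# hence "> 1".  $((...)) also strips the leading blanks BSD wc prints.
pids=$(pgrep -f "/bin/sh /etc/firewall" | wc -l)
if [ "$((pids + 0))" -gt 1 ]; then
  echo "Another copy is already running."
  exit 1
fi

################################################################################
# Interface discovery.  Everything that can abort the script happens BEFORE
# the flush, so a configuration error never leaves the box with an empty
# ruleset.
#Set rules command prefix
cmd="ipfw -q"

# First inet address / point-to-point peer of an interface; empty when the
# interface has no address (link down).
if_addr() { ifconfig "$1" inet | awk '$1 == "inet" { print $2; exit }'; }
if_peer() { ifconfig "$1" inet | awk '$1 == "inet" { print $4; exit }'; }

pif0="adsl1"
pif0ip=$(if_addr "$pif0")
pif0gw=$(if_peer "$pif0")
pif1="adsl2"
pif1ip=$(if_addr "$pif1")
pif1gw=$(if_peer "$pif1")
pif2="vlan200"
pif2ip="10.61.168.231"
pif2gw="10.61.168.1"

# lif / pifs expanded to nothing in the original.  With an empty word ipfw
# either rejects the rule ("in recv" with no argument) or takes the following
# word as the interface name ("via keep-state"), and "ipfw -q" gives no hint;
# the load-balancing and anti-spoofing rules were therefore never installed.
lif="${lif:-}"
pifs="${pifs:-}"
if [ -z "$lif" ] || [ -z "$pifs" ]; then
  echo "firewall: set lif (LAN interface) and pifs (uplink interface spec) before running" >&2
  exit 1
fi

# An ADSL link counts as UP when ifconfig reports an address on it.
if [ -n "$pif0ip" ]; then pif0status="UP"; else pif0status="DOWN"; fi
if [ -n "$pif1ip" ]; then pif1status="UP"; else pif1status="DOWN"; fi
# vlan200 has a static address, so its state is maintained externally in
# /vlan200.status (expected content: UP or DOWN; anything else means DOWN).
if [ -f /vlan200.status ]; then
  pif2status=$(cat /vlan200.status)
else
  pif2status="DOWN"
fi
# Override
#pif0status="DOWN"
#pif1status="DOWN"
#pif2status="DOWN"

#Flush out list before we begin.
$cmd -f flush
$cmd -f nat flush
$cmd pipe flush
$cmd queue flush

################################################################################
$cmd add 100 allow ip from any to any via lo0
$cmd add deny ip from any to 127.0.0.0/8
$cmd add deny ip from 127.0.0.0/8 to any
# Replies to connections that arrived on an uplink carry that uplink's tag
# (set in the NAT section at 31000+); send them to the matching setfib rule.
$cmd add 1100 skipto 2040 ip from any to any out xmit "$lif" tagged 101 keep-state
$cmd add skipto 2080 ip from any to any out xmit "$lif" tagged 102 keep-state
$cmd add skipto 2100 ip from any to any out xmit "$lif" tagged 120 keep-state
$cmd add 1500 deny gre from 192.168.1.XXX to any // This rule will drop first GRE packet from PPTP SERVER when VPN initiates
# Next few IF's will keep firewall rules consistent in cases if ISP connections will go down
# LAN hosts listed in tables 101/102/120 are pinned to a given uplink.
if [ "$pif0status" = "UP" ] && [ "$pif1status" = "UP" ]; then
  $cmd add 2000 skipto 2040 ip from table\(101\) to any in recv "$lif" // Smart Load balancing using arpalert
  $cmd add skipto 2080 ip from table\(102\) to any in recv "$lif" // Smart Load balancing using arpalert
fi
if [ "$pif2status" = "UP" ]; then
  $cmd add skipto 2100 ip from table\(120\) to any in recv "$lif" // Smart Load balancing using arpalert
fi
# One FIB per uplink; the tag selects the nat instance further down.
if [ "$pif0status" = "UP" ]; then
  $cmd add 2040 setfib 0 ip from any to any via "$lif" keep-state
  $cmd add 2050 allow tag 101 ip from any to any via "$lif"
fi
if [ "$pif1status" = "UP" ]; then
  $cmd add 2080 setfib 1 ip from any to any via "$lif" keep-state
  $cmd add 2090 allow tag 102 ip from any to any via "$lif"
fi
if [ "$pif2status" = "UP" ]; then
  $cmd add 2100 setfib 2 ip from any to any via "$lif" keep-state
  $cmd add 2110 allow tag 120 ip from any to any via "$lif"
fi

################################################################################
# Anti-spoofing: private and link-local ranges must not appear on the uplinks.
$cmd add 3050 deny ip from any to 192.168.0.0/16 in recv "$pifs"
$cmd add deny ip from 192.168.0.0/16 to any in recv "$pifs"
$cmd add deny ip from any to 172.16.0.0/12 in recv "$pifs"
$cmd add deny ip from 172.16.0.0/12 to any in recv "$pifs"
$cmd add deny ip from any to 10.0.0.0/8 in recv "$pifs"
$cmd add deny ip from 10.0.0.0/8 to any in recv "$pifs"
$cmd add deny ip from any to 169.254.0.0/16 in recv "$pifs"
$cmd add deny ip from 169.254.0.0/16 to any in recv "$pifs"

################################################################################
# Packets sourced from a secondary uplink's address would otherwise leave via
# the default route (adsl1); forward them to their own ISP gateway.
if [ "$pif1status" = "UP" ]; then
  $cmd add 11000 fwd "$pif1gw" all from "$pif1ip" to any via "$pif0" // Send reply to necessary interface
fi
if [ "$pif2status" = "UP" ]; then
  $cmd add 11100 fwd "$pif2gw" all from "$pif2ip" to any via "$pif0" // Send reply to necessary interface
fi

################################################################################
# Services reachable from the outside jump straight to the NAT section.
# The adsl rules are gated on link state because $pif0ip/$pif1ip are empty
# while the link is down (the original then added a rule with no address);
# vlan200's address is static, so its rules are unconditional as before.
if [ "$pif0status" = "UP" ]; then
  $cmd add 13000 skipto 31000 log ip from any to "$pif0ip" 22 in recv "$pif0" // sshd
  $cmd add skipto 31000 log ip from any to "$pif0ip" 1723 in recv "$pif0" // PPTP server
  $cmd add skipto 31000 gre from any to "$pif0ip" in recv "$pif0" // PPTP server
fi
if [ "$pif1status" = "UP" ]; then
  $cmd add 13000 skipto 31000 log ip from any to "$pif1ip" 22 in recv "$pif1" // sshd
  $cmd add skipto 31000 log ip from any to "$pif1ip" 1723 in recv "$pif1" // PPTP server
  $cmd add skipto 31000 gre from any to "$pif1ip" in recv "$pif1" // PPTP server
fi
$cmd add 13000 skipto 31000 log ip from any to "$pif2ip" 22 in recv "$pif2" // sshd
$cmd add skipto 31000 log ip from any to "$pif2ip" 1723 in recv "$pif2" // PPTP server
$cmd add skipto 31000 gre from any to "$pif2ip" in recv "$pif2" // PPTP server

################################################################################
# Reject and log every inbound connection setup on the uplinks.  These rules
# carry no address, so they are installed regardless of link state: the
# original only added them while adsl1 was up, which left adsl2 and vlan200
# open to inbound setups (rule 50000 allows everything else) whenever adsl1
# was down.
$cmd add 20000 deny log ip from any to any in via "$pif0" setup // Reject and Log all setup of incoming connections from the outside
$cmd add deny log ip from any to any in via "$pif1" setup // Reject and Log all setup of incoming connections from the outside
$cmd add deny log ip from any to any in via "$pif2" setup // Reject and Log all setup of incoming connections from the outside

################################################################################
# One nat instance per uplink, each forwarding PPTP (tcp/1723 + GRE) to the
# internal PPTP server.
if [ "$pif0status" = "UP" ]; then
  $cmd nat 101 config if "$pif0" same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 "$pif0ip":1723 \
    redirect_proto gre 192.168.1.XXX "$pif0ip"
fi
if [ "$pif1status" = "UP" ]; then
  $cmd nat 102 config if "$pif1" same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 "$pif1ip":1723 \
    redirect_proto gre 192.168.1.XXX "$pif1ip"
fi
if [ "$pif2status" = "UP" ]; then
  $cmd nat 120 config if "$pif2" same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 "$pif2ip":1723 \
    redirect_proto gre 192.168.1.XXX "$pif2ip"
fi

################################################################################
# NAT
# Inbound packets are tagged with their uplink's tag so the reply (rule 1100)
# is routed back through the same uplink.
if [ "$pif0status" = "UP" ]; then
  $cmd add 31000 nat 101 ip from any to any via "$pif0" // $pif0 nat
  $cmd add skipto 35000 tag 101 ip from any to any in recv "$pif0"
fi
if [ "$pif1status" = "UP" ]; then
  $cmd add 31500 nat 102 ip from any to any via "$pif1" // $pif1 nat
  $cmd add skipto 35000 tag 102 ip from any to any in recv "$pif1"
fi
if [ "$pif2status" = "UP" ]; then
  $cmd add 32500 nat 120 ip from any to any via "$pif2" // $pif2 nat
  $cmd add skipto 35000 tag 120 ip from any to any in recv "$pif2"
fi

################################################################################
$cmd add 35000 allow tcp from any to any established // Allow TCP through if setup succeeded
# Default-allow policy: 50000 matches every packet, so 65534 is never reached.
# Anything not handled above -- including non-TCP traffic arriving on the
# uplinks -- is permitted.
$cmd add 50000 allow all from any to any
$cmd add 65534 deny all from any to any
################################################################################
exit 0
END of ANSWER
====================================
ANSWER
====================================
http://skeletor.org.ua/?p=1279
END of ANSWER
====================================
ANSWER
====================================
http://birdofluck.livejournal.com/8778.html
END of ANSWER
====================================
ANSWER
====================================
Well, let's suppose that your ISP interfaces have respectively $ispN_ip and $ispN_router as interface IP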
and ISP router IP. And that $natN is the divert port corresponding to the NAT for the given ISP. Then you get something like # This treats incoming trafic ipfw add 1310 divert $nat1 ip from any to any in via $if1 ipfw add 1320 divert $nat2 ip from any to any in via $if2 ... ipfw add 13N0 divert $natN ip from any to any in via $ifN # Check states ipfw add 3000 check-state # Load balance outgoing trafic # Note: change 1/N, 1/(N-1), etc by actual values for your N ipfw add 10100 prob 1/N skipto 20100 ip from $internal to any keep-state ipfw add 10200 prob 1/(N-1) skipto 20200 ip from $internal to any keep-state ... ipfw add 10N00 skipto 20N00 ip from $internal to any keep-state # Do outgoing NAT ipfw add 20100 divert $nat1 from $internal to any out ipfw add 20110 fwd $isp1_router ip from $isp1_ip ipfw add 20200 divert $nat2 from $internal to any out ipfw add 20210 fwd $isp2_router ip from $isp2_ip ... ipfw add 20N00 divert $natN from $internal to any out ipfw add 20N10 fwd $ispN_router ip from $ispN_ip And here is what the natd.conf would look like ### ISP 1 ### port 8868 dynamic yes interface re1 ### ISP 2 ### instance dsl2 port 8869 dynamic yes interface re2 ### ISP N ### instance dsl3 port 8870 dynamic yes interface re END of ANSWER ==================================== ANSWER ==================================== http://www.linux.org.ru/forum/admin/10011112 END of ANSWER ==================================== ANSWER ==================================== #!/bin/sh - fwcmd="/sbin/ipfw -q" ips1="em0" ips2="em1" ${fwcmd} -f flush # allow ssh on all interface ${fwcmd} add allow tcp from any to me 2211 in via ${ips1} ${fwcmd} add allow tcp from any to me 2211 in via ${ips2} # network address translation ${fwcmd} add fwd 195.111.111.111 ip from 195.151.111.112 to any ${fwcmd} add fwd 62.117.222.222 ip from 62.117.222.223 to any ${fwcmd} nat 1 config if ${ips1} reset deny_in same_ports unreg_only redirect_port tcp 192.168.ххх.ххх:2900 2900 ${fwcmd} nat 2 config if ${ips2} 
reset deny_in same_ports unreg_only redirect_port tcp 192.168.ххх.ххх:2900 2900 ${fwcmd} add nat 1 all from any to any ${fwcmd} add nat 2 all from any to any # Deny all ${fwcmd} add deny all from any to any END of ANSWER ==================================== ANSWER ==================================== http://www.lissyara.su/articles/freebsd/tuning/ipfw_nat/ END of ANSWER ==================================== ANSWER ==================================== ${FwCMD} add nat 100 all from ${User1} to any out via ${LanOut1} ${FwCMD} add nat 100 all from any to ${IpOut} in via ${LanOut1} ${FwCMD} add nat 200 all from ${User2} to any out via ${LanOut2} ${FwCMD} add nat 200 all from any to ${IpOut} in via ${LanOut2} END of ANSWER ==================================== ANSWER ==================================== http://www.hilik.org.ua/freebsd-организовываем-резервный-канал/ END of ANSWER ==================================== ANSWER ==================================== http://technotrance.su/index.php/moi-zametki/24-autoswitching-internet END of ANSWER ==================================== ANSWER ==================================== http://habrahabr.ru/post/66851/ END of ANSWER ==================================== ANSWER ==================================== Проблему перенаправлением порта 3389 решил. 
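в etc/natd.conf написано -
port 8668
redirect_port tcp 192.168.10.1:3389 212.119.109.58:3389
redirect_port tcp 192.168.10.5:110 212.119.109.58:110
firewall.conf -
# Single-uplink ruleset with natd port forwarding (natd.conf above):
# RDP (3389) to 192.168.10.1 and POP3 (110) to 192.168.10.5.
fwcmd="/sbin/ipfw -q"
lanout="fxp0"
lanin="fxp1"
ipout="212.212.212.121"
ipin="192.168.10.254"
netmask="24"
netin="192.168.10.0"

${fwcmd} -f flush
${fwcmd} add check-state
${fwcmd} add allow ip from any to any via lo0

# Port forwards: divert the inbound connection to the public address and the
# server's replies through natd, then allow the translated packet to the
# internal host.  The original spelled out 212.212.212.121 and fxp0 here
# although they are exactly ${ipout} and ${lanout}; use the variables so the
# address is changed in one place only.
# NOTE(review): natd.conf redirects to 212.119.109.58 while ipout is
# 212.212.212.121 -- if these are not the same address the diverted packets
# will not match the redirect; confirm.
${fwcmd} add divert 8668 tcp from any to ${ipout} 3389 via ${lanout}
${fwcmd} add divert 8668 tcp from 192.168.10.1 3389 to any via ${lanout}
${fwcmd} add allow tcp from any to 192.168.10.1 3389 via any
${fwcmd} add divert 8668 tcp from any to ${ipout} 110 via ${lanout}
${fwcmd} add divert 8668 tcp from 192.168.10.5 110 to any via ${lanout}
${fwcmd} add allow tcp from any to 192.168.10.5 110 via any

# Outbound NAT for the internal network and its return traffic.
${fwcmd} add divert natd ip from ${netin}/${netmask} to any out via ${lanout}
${fwcmd} add divert natd ip from any to ${ipout} in via ${lanout}
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow ip from ${ipout} to any out xmit ${lanout}
# NOTE(review): this matches on *source* port 53 only, so any remote host that
# sends from port 53 passes; consider restricting to replies from the
# resolvers actually in use.
${fwcmd} add allow udp from any 53 to any via ${lanout}
# NOTE(review): opens the whole ephemeral range inbound, not just replies.
${fwcmd} add allow tcp from any to ${ipout} 49152-65535 via ${lanout}
${fwcmd} add allow icmp from any to any icmptypes 0,8,11
${fwcmd} add allow tcp from any to ${ipout} 25 via ${lanout}
${fwcmd} add allow tcp from any to ${ipout} 110 via ${lanout}
${fwcmd} add allow tcp from any to any via ${lanin}
${fwcmd} add allow udp from any to any via ${lanin}
${fwcmd} add allow icmp from any to any via ${lanin}
# Only TCP is denied here: UDP and ICMP not matched above fall through to the
# kernel's default ipfw policy rather than being blocked by this ruleset.
${fwcmd} add deny log tcp from any to any
В таком виде редирект порта 3389 работает, а вот почта так и не перенаправляется на 192.168.10.5
END of ANSWER
====================================
ANSWER
====================================
http://forum.lissyara.su/viewtopic.php?f=8&t=19448
END of ANSWER
====================================
ANSWER
====================================
http://www.opennet.ru/base/net/2link_balance2.txt.html
END of ANSWER
====================================
ANSWER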
==================================== http://sysadmins.ru/topic320039.html END of ANSWER ====================================