Tinkering with Packet Filter (PF) on OpenBSD 4.5 as a load balancer across 5 VLANs


PF (Packet Filter) is a firewall first developed by Daniel Hartmeier for OpenBSD, replacing IPF after a licensing problem 1). Since OpenBSD 3.0, PF has been part of the base system; FreeBSD and DragonFlyBSD have since imported PF into their base systems, on NetBSD it can be installed through pkgsrc, and for Linux an experimental port is available at http://abstractvoid.se/pf4lin.html. Quoted from: http://wiki.corebsd.or.id/

All right, let's go straight to the file /etc/pf.conf:

Code:
lan_net = "10.20.30.0/26"
int_if = "vr0"    # internal interface (the LAN and BTS networks arrive here)

# one VLAN interface per uplink
ext_if1 = "vlan51"
ext_if2 = "vlan52"
ext_if3 = "vlan53"
ext_if4 = "vlan54"
ext_if5 = "vlan55"

# the upstream gateway reachable through each uplink
ext_gw1 = "10.20.30.9"
ext_gw2 = "10.20.30.13"
ext_gw3 = "10.20.30.17"
ext_gw4 = "10.20.30.21"
ext_gw5 = "10.20.30.25"

bts_net = "202.xxx.xxx.0/24"

# The table names were lost when the page was rendered (angle brackets are
# stripped by HTML); <TABLE1> and <TABLE2> are placeholders, not the originals.
table <TABLE1> persist { 10.20.30.2 }
table <TABLE2> persist { 202.93.16.16 202.43.167.114 202.43.167.0/24 202.43.161.0/24 }
scrub all

# source NAT to the address of whichever uplink a packet leaves on
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
nat on $ext_if4 from $lan_net to any -> ($ext_if4)
nat on $ext_if5 from $lan_net to any -> ($ext_if5)

pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if

pass out on $int_if from any to $bts_net
pass in quick on $int_if from $bts_net to $int_if
#testing
#pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to 66.11.119.72 flags S/SA modulate state
#pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to 216.147.107.122 flags S/SA modulate state
#pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to 202.158.3.27 flags S/SA modulate state
#xtronik emergency: pin this destination to uplink 1
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to 202.152.62.0/29 flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto icmp from $lan_net to 202.152.62.0/29
pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to 202.152.62.0/29

#xtronik emergency part 2
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to 125.xxx.xxx.xxx flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1) } proto icmp from $lan_net to 125.xxx.xxx.xxx
pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to 125.xxx.xxx.xxx
#ftp update for ragnarok: pin to uplink 2
pass in quick on $int_if route-to { ($ext_if2 $ext_gw2) } proto tcp from $lan_net to 202.93.16.16 flags S/SA modulate state
pass out quick on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to 202.93.16.16

#ftp ragnarok: pin to uplink 3
# The destination token was lost in rendering (an angle-bracket table
# reference would be stripped by HTML); <TABLE2> below is a placeholder.
pass in quick on $int_if route-to { ($ext_if3 $ext_gw3) } from $lan_net to <TABLE2> flags S/SA modulate state
pass out quick on $ext_if3 route-to ($ext_if3 $ext_gw3) from $ext_if3 to <TABLE2>

#ftp: all FTP control connections leave via uplink 3
pass in quick on $int_if route-to { ($ext_if3 $ext_gw3) } proto tcp from $lan_net to any port 21 flags S/SA modulate state
pass out quick on $ext_if3 route-to ($ext_if3 $ext_gw3) proto tcp from $ext_if3 to any port 21

# everything else: new connections are spread round-robin over the five uplinks
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3), ($ext_if4 $ext_gw4), ($ext_if5 $ext_gw5) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3), ($ext_if4 $ext_gw4), ($ext_if5 $ext_gw5) } round-robin proto { udp, icmp } from $lan_net to any keep state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state
pass out on $ext_if4 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if4 proto { udp, icmp } from any to any keep state
pass out on $ext_if5 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if5 proto { udp, icmp } from any to any keep state

# packets sourced from one uplink's address that the routing table would send
# out another uplink are forced back through their own gateway
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if1 route-to ($ext_if5 $ext_gw5) from $ext_if5 to any

pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if2 route-to ($ext_if5 $ext_gw5) from $ext_if5 to any

pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if3 route-to ($ext_if5 $ext_gw5) from $ext_if5 to any

pass out on $ext_if4 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if4 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if4 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if4 route-to ($ext_if5 $ext_gw5) from $ext_if5 to any

pass out on $ext_if5 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if5 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if5 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if5 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any

To load the rules into PF, run the following command:
# pfctl -f /etc/pf.conf

As usual, don't forget to set ip.forwarding=1 in /etc/sysctl.conf:

Code:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1         # 1=Enable IP multipath routing
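As an added example (not from the original post), a small Python checker that reads a `pfctl -s states` dump and counts states per uplink VLAN, so you can see whether the round-robin rules above actually spread connections across all five gateways. The sample dump is constructed; the vlan5x interface addresses and the exact column layout of the pfctl output are assumptions.

```python
import re

# Uplink interfaces from the pf.conf above (ext_if1..ext_if5).
UPLINKS = ["vlan51", "vlan52", "vlan53", "vlan54", "vlan55"]

# One line of `pfctl -s states`: iface, proto, source [(pre-NAT source)], direction, dest, state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)

# Constructed sample shaped like a pfctl state dump (not a real capture). The
# vlan5x source addresses (.10, .14, ...) assume each uplink is a /30 next to its gateway.
SAMPLE_STATES = """\
vlan51 tcp 10.20.30.10:61234 (10.20.30.40:61234) -> 203.0.113.10:443   ESTABLISHED:ESTABLISHED
vlan52 tcp 10.20.30.14:61235 (10.20.30.41:61235) -> 203.0.113.11:80    ESTABLISHED:ESTABLISHED
vlan53 udp 10.20.30.18:53001 (10.20.30.42:53001) -> 203.0.113.53:53    MULTIPLE:MULTIPLE
vlan51 tcp 10.20.30.10:61236 (10.20.30.40:61236) -> 203.0.113.12:443   TIME_WAIT:TIME_WAIT
vlan54 icmp 10.20.30.22:1 (10.20.30.43:1) -> 203.0.113.9:1             0:0
vr0 tcp 10.20.30.40:61234 -> 203.0.113.10:443                          ESTABLISHED:ESTABLISHED
"""


def parse_states(dump):
    """Return one dict per parseable state line; lines that do not match are skipped."""
    entries = []
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def states_per_uplink(dump, uplinks=UPLINKS):
    """Count states per uplink interface; states on the internal interface (vr0) are ignored."""
    counts = {u: 0 for u in uplinks}
    for e in parse_states(dump):
        if e["iface"] in counts:
            counts[e["iface"]] += 1
    return counts


def idle_uplinks(dump, uplinks=UPLINKS):
    """Uplinks holding no state at all: under load this points at a gateway that is down."""
    counts = states_per_uplink(dump, uplinks)
    return [u for u in uplinks if counts[u] == 0]


if __name__ == "__main__":
    for iface, n in states_per_uplink(SAMPLE_STATES).items():
        print(f"{iface}: {n} states")
    print("idle uplinks:", idle_uplinks(SAMPLE_STATES))
```

PF's round-robin route-to does no gateway health checking, so a gateway that is down keeps receiving its share of new connections; an uplink that stays at zero states while the others are busy is worth investigating.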
