freebsd+pfsense+panabit，如何实现？

scluse

freebsd+pf+panabit ，用三块网卡如何实现？ 双WAN+1LAN 情况下实何安装，请版主给个教程吧！

qczlQQ

#服务器pf.conf的设置
ext_if0="fxp0"
ext_if1="rl0"
int_if="em0"
lan_net="192.168.1.0/24"
ext_gw0="x.x.x.x"
ext_gw1="x.x.x.x"
#服务器端口
tcp_services="{21,22,80,113}"
#私有地址
priv_nets="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"
#WEB服务器的内部地址
web_net="192.168.1.3"
icmp_types="echoreq"

set block-policy return
scrub in on $ext_if0 all fragment reassemble
scrub in on $ext_if1 all fragment reassemble
#转换
nat on $ext_if0 from $lan_net to any ->$ext_if0
nat on $ext_if1 from $lan_net to any ->$ext_if1
#重定向
rdr on $ext_if0 proto tcp from any to any port 80 ->$web_net
rdr on $ext_if1 proto tcp from any to any port 80 ->$web_net
#阻止所有外网
block on $ext_if0 all
block on $ext_if1 all
#禁止外网以内部地址进入
block drop in quick on $ext_if0 from $priv_nets to any
block drop out quick on $ext_if0 from any to $priv_nets
block drop in quick on $ext_if1 from $priv_nets to any
block drop out quick on $ext_if1 from any to $priv_nets

pass quick on lo0 all
pass out on $int_if from any to $lan_net
pass in quick on $int_if from any to $lan_net
pass in on $int_if route-to \
    { ($ext_if0 $ext_gw0),($ext_if1 $ext_gw1)} round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
   
pass in on $int_if route-to \
    { ($ext_if0 $ext_gw0),($ext_if1 $ext_gw1)} round-robin \
    proto {udp,icmp} from $lan_net to any keep state
   
pass out on $ext_if0 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if0 proto {udp,icmp} from any to any keep state
pass out on $ext_if1 proto {udp,icmp} from any to any keep state
pass out on $ext_if1 route-to ($ext_if0 $ext_gw0) from $ext_if0 to any
pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

pass in on $ext_if0 inet proto tcp from any to ($ext_if0)\
port $tcp_services flags S/SA keep state
pass in on $ext_if1 inet proto tcp from any to ($ext_if1)\
port $tcp_services flags S/SA keep state
pass in on $ext_if0 proto tcp from any to $web_net port 80 flags S/SA synproxy state
pass in on $ext_if1 proto tcp from any to $web_net port 80 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state

qczlQQ

关键
#转换
nat on $ext_if0 from $lan_net to any ->$ext_if0
nat on $ext_if1 from $lan_net to any ->$ext_if1


pass quick on lo0 all
pass out on $int_if from any to $lan_net
pass in quick on $int_if from any to $lan_net
pass in on $int_if route-to \
    { ($ext_if0 $ext_gw0),($ext_if1 $ext_gw1)} round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
   
pass in on $int_if route-to \
    { ($ext_if0 $ext_gw0),($ext_if1 $ext_gw1)} round-robin \
    proto {udp,icmp} from $lan_net to any keep state


还要做策略路由（要5个网卡）

[ 本帖最后由 qczlQQ 于 2008-7-5 10:16 编辑 ]

qczlQQ

如果是同一段IP
可以用IP池

qczlQQ

用IP池，需要四口网卡（或四个网卡）