Or How I learned to stop worrying and love my dual WAN with routed subnet and policy based routing pf firewall
One of the reasons I continue to use FreeBSD for my gateway/router/firewall is the pf firewall. My routing needs are way more elaborate than anything a pre-cooked router package like DD-WRT or even pfSense can do, so I have to roll my own firewall. Currently I have two DSL connections, through two different companies. I have a dynamic IP connection from my employer, Primus Canada, and I have a static IP connection with a routed /30 subnet from TekSavvy.
My setup needs to satisfy the following requirements:
- The Primus connection is used for all local LAN traffic
- The TekSavvy connection is used for all traffic to and from the routed subnet
- Connections from the local LAN to the routed subnet do not traverse the internet
- Traffic shaping on both connections, with different rulesets for each connection
- UPnP support, using miniupnpd
For the LAN connection, the traffic shaping needs to do the following:
- SSH and DNS traffic need high priority
- Traffic to and from my workplace VPN needs priority
- VoIP traffic needs high priority
- HTTP and regular web traffic should feel fast and responsive
- Anything left over goes to P2P and other uncategorized traffic
For the connection with the routed subnet, the requirements are a little different:
- SSH and DNS need high priority
- Inbound FTP control traffic (i.e., not the actual data but just the control connection) needs priority
- Traffic originating from the routed subnet needs priority (this mostly just amounts to DNS requests and package updates)
- FTP data traffic needs to fill in whatever is left over
This is all possible with pf, and I find the pf.conf format to be far more readable and thus less prone to errors than an iptables config file. To accomplish this I use packet tagging to label packets, and then use policy based routing to direct and control the traffic.
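As an added illustration of that tag-then-route approach (this is not the author's ruleset, just a trimmed example), here is a FreeBSD pf.conf that maps the requirements above onto pf: stateless tagging rules on the inside interfaces classify traffic and pin it to an uplink with route-to, stateful rules on the uplinks read the tag and pick a queue, reply-to keeps answers to the routed /30 on the TekSavvy link, and two independent ALTQ priq schedulers carry the different queue sets. Interface names, addresses, gateways, bandwidths, the VPN and VoIP hosts and the FTP passive port range are all assumptions; addresses are RFC 5737 documentation ranges.

```pf
# Added example (not the author's ruleset): a trimmed FreeBSD pf.conf that
# implements the policy above with tags, route-to/reply-to and two ALTQ priq
# schedulers. Interface names, addresses, gateways, bandwidths and the FTP
# passive port range are assumptions; addresses are RFC 5737 documentation ranges.

primus_if   = "tun0"             # dynamic-IP DSL link (assumed)
teksavvy_if = "tun1"             # static-IP DSL link carrying the routed /30 (assumed)
lan_if      = "em0"              # local LAN (assumed)
routed_if   = "em1"              # interface the routed /30 lives on (assumed)
primus_gw   = "198.51.100.1"     # next hop on the Primus link (assumed)
teksavvy_gw = "203.0.113.1"      # next hop on the TekSavvy link (assumed)
lan_net     = "192.168.1.0/24"   # assumed
routed_net  = "192.0.2.0/30"     # assumed routed subnet
vpn_host    = "198.51.100.200"   # workplace VPN concentrator (assumed)
voip_host   = "198.51.100.201"   # VoIP provider (assumed)
ftp_pasv    = "49152:65535"      # passive data range configured on the FTP server (assumed)

set skip on lo0
scrub in all

# Two independent priq schedulers: one queue set per uplink. Higher priority
# wins; the (default) queue takes everything that is not explicitly classified.
altq on $primus_if priq bandwidth 800Kb queue { p_voip, p_pri, p_vpn, p_web, p_bulk }
queue p_voip priority 7
queue p_pri  priority 6                 # ssh, dns
queue p_vpn  priority 5
queue p_web  priority 3
queue p_bulk priority 1 priq(default)   # p2p and everything else

altq on $teksavvy_if priq bandwidth 800Kb queue { t_pri, t_ftpctl, t_local, t_ftpdata }
queue t_pri     priority 7              # ssh, dns
queue t_ftpctl  priority 6              # inbound FTP control connections
queue t_local   priority 5              # traffic originating in the routed /30
queue t_ftpdata priority 1 priq(default)

# Only the LAN is NATed; the /30 is globally routed and needs no translation.
# ($primus_if) re-reads the dynamic address whenever the Primus link renegotiates.
nat on $primus_if from $lan_net to any -> ($primus_if)
rdr-anchor "miniupnpd"                  # miniupnpd inserts its port mappings here

block log all
anchor "miniupnpd"

# LAN <-> routed /30 is simply forwarded between the two inside interfaces,
# so it never touches either uplink.
pass in quick on $lan_if from $lan_net to $routed_net keep state
pass in quick on $routed_if from $routed_net to $lan_net keep state

# Classify LAN traffic with a tag and pin it to the Primus link. These rules are
# stateless on purpose: if they created state, the outbound rules on $primus_if
# would never be evaluated and the tag could not select a queue. The outbound
# rules create the state instead; replies then match it on the way back.
pass in quick on $lan_if route-to ($primus_if $primus_gw) proto udp from $lan_net to $voip_host tag LAN_VOIP no state
pass in quick on $lan_if route-to ($primus_if $primus_gw) from $lan_net to $vpn_host tag LAN_VPN no state
pass in quick on $lan_if route-to ($primus_if $primus_gw) proto { tcp udp } from $lan_net to any port domain tag LAN_PRI no state
pass in quick on $lan_if route-to ($primus_if $primus_gw) proto tcp from $lan_net to any port ssh tag LAN_PRI no state
pass in quick on $lan_if route-to ($primus_if $primus_gw) proto tcp from $lan_net to any port { www, https } tag LAN_WEB no state
pass in quick on $lan_if route-to ($primus_if $primus_gw) from $lan_net to any tag LAN_BULK no state

pass out quick on $primus_if tagged LAN_VOIP queue p_voip keep state
pass out quick on $primus_if tagged LAN_VPN  queue p_vpn  keep state
pass out quick on $primus_if tagged LAN_PRI  queue p_pri  keep state
pass out quick on $primus_if tagged LAN_WEB  queue p_web  keep state
pass out quick on $primus_if tagged LAN_BULK queue p_bulk keep state

# Routed /30 -> internet always leaves via TekSavvy, whatever the default route says.
pass in quick on $routed_if route-to ($teksavvy_if $teksavvy_gw) from $routed_net to any tag ROUTED_OUT no state
pass out quick on $teksavvy_if tagged ROUTED_OUT queue t_local keep state

# Inbound to the /30 arrives on TekSavvy; reply-to sends the answers back out
# the same link instead of following the default route. A queue named on a
# stateful inbound rule is applied to the flow's packets as they leave $teksavvy_if.
pass in quick on $teksavvy_if reply-to ($teksavvy_if $teksavvy_gw) proto tcp to $routed_net port ssh queue t_pri keep state
pass in quick on $teksavvy_if reply-to ($teksavvy_if $teksavvy_gw) proto { tcp udp } to $routed_net port domain queue t_pri keep state
pass in quick on $teksavvy_if reply-to ($teksavvy_if $teksavvy_gw) proto tcp to $routed_net port ftp queue t_ftpctl keep state
pass in quick on $teksavvy_if reply-to ($teksavvy_if $teksavvy_gw) proto tcp to $routed_net port $ftp_pasv queue t_ftpdata keep state

# The router's own traffic sourced from the TekSavvy address must not leak out Primus.
pass out quick on $primus_if from ($teksavvy_if) route-to ($teksavvy_if $teksavvy_gw) keep state
pass out quick on { $primus_if $teksavvy_if $lan_if $routed_if } from self keep state
```

Two things to check before loading this: the kernel needs ALTQ and ALTQ_PRIQ compiled in or the altq lines will be rejected, and `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches ordering mistakes such as a `queue` name that is not defined on the interface the packet actually leaves. Once loaded, `pfctl -vsq` shows per-queue packet counts, which is the quickest way to confirm that a given tag really lands in the queue you intended.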