On Wed, Jun 22, 2016 at 3:26 PM, Jeremy <open...@smartpoint.co.nz> wrote:
> I have a SOHO firewall in production which has been connected to the
> net via an ADSL line. We have a new fibre connection which will replace
> the ADSL connection once I get the system switched over. I am having
> trouble with the pf configuration during the transition period.
>
> What I would like to achieve is that connections come in on either
> external interface and are routed appropriately to the internal network,
> where I'm running a mail and web server etc. Outgoing connections should
> also be handled via either interface, but this is less important.
>
> Complicating the situation is that this is a remote setup and I need to
> modify the configuration without losing connectivity to the server in
> the meantime. (It's a long drive if I need to go on-site to correct any
> mistakes.) I've been making changes on the fly and rebooting (which
> restores defaults) if anything goes wrong.
>
> I have attached my pf.conf where I have attempted to update the
> config to handle this situation but I can't get it working correctly.
> The LAN is connected on em0. The original ADSL connection is on em1 and
> the new fibre link is on em2
>
> The original installation has /etc/mygate containing 172.16.8.1 (adsl
> modem)
>
> I'm not sure that I need to modify the routing to handle inbound
> connections on both interfaces but have attempted to do the following
> via the shell:
>
> # pfctl -f /etc/pf.conf.new
> # route add -mpath default 192.168.1.1
> # route add -mpath default 172.16.8.1
> # sysctl net.inet.ip.multipath=1
>
> I suspect I have issues with the "egress" keyword but I'm not sure how
> to correctly/safely activate my configuration without losing
> connectivity on one or both interfaces. Generally I can reach services
> on the firewall machine itself but cannot access the internal network
> services from outside. (Changing the default route usually brings
> connections via the associated link, down.)
>
> I don't actually *need* load-balancing or equal cost multipath
> routing. I just want a configuration where I have two external
> interfaces which both carry traffic and packets flow over the right
> interface (so this looks pretty much like the same thing.)
>
>
> Could someone please cast an eye over what I'm doing and point me in
> the right direction. Thanks. Much appreciated.
>
>
>
> =========/etc/pf.conf.new===================
> # macros
> int_if="em0"
> ext_if1="em1"
> ext_if2="em2"
> ext_gw1="172.16.8.1"
> ext_gw2="192.168.1.1"
>
> lan_net="192.168.7.0/24"
>
> tcp_services="{ 22, 113 }"
> udp_services="{ 161 }"
> mail_services="{ 587, 993, 995 }"
> web_services="{ 80, 443 }"
>
> icmp_types="echoreq"
>
> web_server = "192.168.7.77"
> mail_server = "192.168.7.77"
>
> # options
> set block-policy return
> set loginterface egress
> set skip on lo
>
> # match rules
> match in all scrub (no-df random-id max-mss 1440)
> #match out on egress inet from $int_if:network to any nat-to (egress:0)
> match out on $ext_if1 from $int_if:network nat-to ($ext_if1)
> match out on $ext_if2 from $int_if:network nat-to ($ext_if2)
>
> # filter rules
> block in log
>
> pass out quick
>
> # Balance two external interfaces
> pass in on $int_if from $int_if:network reply-to \
> { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
>
> pass out on $ext_if1 from $ext_if2 reply-to ($ext_if2 $ext_gw2)
> pass out on $ext_if2 from $ext_if1 reply-to ($ext_if1 $ext_gw1)
>
> # Allow access to services running on the firewall
> pass in on egress inet proto tcp from any to (egress) port \
> $tcp_services flags S/SA keep state \
> (max-src-conn-rate 5/300)
> pass in on egress inet proto udp from any to (egress) port $udp_services
>
> # Redirect traffic to the interior servers
> pass in on egress inet proto tcp from any to (egress) port \
> $web_services rdr-to $web_server synproxy state \
> (max-src-conn-rate 100/10)
> pass in on egress inet proto tcp from any to (egress) port \
> $mail_services rdr-to $mail_server
>
> # Forward SNMP on alternative port through to internal server
> pass in on egress inet proto udp to (egress) port 162 \
> rdr-to $web_server port 161
>
> pass in inet proto icmp all icmp-type $icmp_types
> pass in on $int_if
> pass in log on $ext_if2
>
>
I've setup a few OpenBSD machines to do failover with 2 internet
interfaces. I didn't use multipath, pf will pass traffic without it. I
did find it necessary to specify a reply-to for each of my pass in rules
for services on the 2nd interface. For example I would need these 2 rules
to pass traffic in on both interfaces, ext_if has the default route and is
egress.
pass in on egress inet proto tcp from any to $server port 80
pass in on $ex2_if inet proto tcp from any to $server port 80 reply-to (
$ex2_if $ex2_gw )
