On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.

cool.

> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have a single IP for IPv4, and a /64 for IPv6.
>
> On the layer 2 side, I can configure a single VLAN for each host; I can either
> show each VLAN to the OpenBSD router as a different VLAN or I can use PVLAN to
> have a single VLAN on the OpenBSD side.
>
> Now, with IPv6 it's easy, I can create a /64 for each host, but for IPv4 it's
> trickier. I'd like to use as few IPs as I can and I think the lowest I can do
> is to use 2 IPs per host.
>
> I was wondering if you had general advice on what was the best configuration.
>
> I looked at Hetzner, and for IPv4, they use point-to-point Ethernet, so the
> host has IP in 1.0.0.24 with route to 1.0.0.23/32. It uses Linux's systemd
> "[Address] Peer" configuration and I am not sure exactly what it entails. For
> IPv6 it uses fe80::1 as gateway, which is also a bit weird as I would expect
> the gateway to be on the same subnet.
>
> The general idea is to be able to manage all firewalling between hosts using
> pf.
>
> Regards
>
> --
> Nicolas Goy
> Developer and Engineer
> Goyman SA

we have done this with PVLAN at work. the firewalls are set up with promisc ports on the network, and the hosts are all on isolated ports. we use a normal subnet on this network, i.e., we allocate a /25 (or /24, whatever) and set up carp on it, and it works.

the only problem is if you want the hosts to be able to talk to each other. in that situation you'll want to steer all the traffic to the firewalls. the way we do that is with proxy arp, at least i think that's what the accepted name in the industry is for what we're doing. we basically get the firewalls to accept ARP packets from protected clients to protected clients and reply to them with their own MAC address. this causes the protected clients to send their packets via the firewall instead of directly to each other.

i wrote https://github.com/eait-itig/commarp to fiddle with the arp packets.

using a /32 on each host with a single shared gateway ip for the subnet should work too. the config on the protected host side sounded fiddly though, especially if you have multiple hosts on promisc or community ports on the pvlan that you want to be accessible without going via the router.
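An added illustration of the proxy-ARP steering described in the reply, written for this page and not taken from commarp or the thread: it parses a raw Ethernet/ARP frame, answers only client-to-client requests inside the protected subnet, and builds the reply that advertises the firewall's own MAC so the traffic crosses pf. The subnet, firewall address and MACs are constructed assumptions.

```python
import ipaddress
import struct

# Assumed values (constructed for this example, not from the thread): the
# firewall's own address on the protected /24 and the MAC it answers with.
PROTECTED_NET = ipaddress.ip_network("1.0.0.0/24")
FW_IP = ipaddress.ip_address("1.0.0.1")
FW_MAC = bytes.fromhex("020000000001")
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Return (op, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, ipaddress.ip_address(spa), tha, ipaddress.ip_address(tpa)

def should_proxy(spa, tpa) -> bool:
    """Answer only client-to-client requests inside the protected subnet; never
    for the firewall's own address, so ordinary gateway ARP stays untouched."""
    return (spa in PROTECTED_NET and tpa in PROTECTED_NET
            and spa != tpa and FW_IP not in (spa, tpa))

def proxy_arp_reply(frame: bytes):
    """Build the reply the firewall sends, claiming tpa is at FW_MAC, or None."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    op, sha, spa, _tha, tpa = parsed
    if op != ARP_REQUEST or not should_proxy(spa, tpa):
        return None
    # The client now resolves its neighbour to the firewall's MAC, so its
    # packets cross the firewall (and pf) instead of going host-to-host.
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, FW_MAC, tpa.packed, sha, spa.packed)
    return ETH_HDR.pack(sha, FW_MAC, ETHERTYPE_ARP) + arp

def build_request(sha: bytes, spa: str, tpa: str) -> bytes:
    """Constructed sample input: broadcast 'who-has tpa, tell spa' from sha."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, sha, ipaddress.ip_address(spa).packed,
                       b"\x00" * 6, ipaddress.ip_address(tpa).packed)
    return ETH_HDR.pack(b"\xff" * 6, sha, ETHERTYPE_ARP) + arp
```

Requests for the gateway address itself, or for addresses outside the protected subnet, return None and are left to normal ARP handling.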