I have 2 external interfaces on my router. One interface is via DSL (vr0) and one interface is a tunnel over the DSL (tun0). vr0 provides one dynamic IP address and tun0 four static IP addresses. All these addresses are external internet addresses. I also have an internal interface, fxp0, where the router is 10.0.0.1 and is providing clients with 10.0.0.x addresses via DHCP. What I would like to do here is:

 * Map four internal 10.0.0.x addresses of the internal interface to the external addresses provided by the tunnel
 * Map the rest of the 10.0.0.x addresses of the internal interface directly to the DSL connection with NAT.
I have asked about this earlier and I got some hints. I have now modified the rules some and I think I got it to work better. I earlier experienced that packets from the NATed network were actually duplicated to both the tunnel interface and the physical interface. I think that my new rules will prevent that. According to tcpdump they are not duplicated any more. The config below seems to work, although the speed seems to be a little slower than I expected. I don't know if it is because of my rules being incorrect or my internet provider having issues. I also have problems with the route-to rule. Since my external IP address is provided with DHCP I don't know if I am always going to get the same gateway address and I cannot find a way of having pf find the default route on its own. Thankful for any input.

BR/ Jens

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Macros
ext_if="vr0"            # DSL, dynamic address via DHCP
tun_if="tun0"           # tunnel over the DSL, four static addresses
int_if="fxp0"           # internal LAN
int_net="10.0.0.0/24"

# Internal hosts that get a tunnel address of their own
intaddr_whiterussian="10.0.0.1"
intaddr_irishcoffe="10.0.0.6"
intaddr_bloodymary="10.0.0.3"
intaddr_longislandicetea="10.0.0.8"

# The matching static tunnel addresses
tunaddr_whiterussian="88.80.3.55"
tunaddr_irishcoffe="88.80.3.56"
tunaddr_bloodymary="88.80.3.57"
tunaddr_longislandicetea="88.80.3.58"

# All tunnel addresses in one table
table <tunaddr> { $tunaddr_whiterussian, $tunaddr_irishcoffe, $tunaddr_bloodymary, $tunaddr_longislandicetea }

# Options
set skip on lo

# Translation: 1:1 mapping of the four hosts to their tunnel addresses
binat on $tun_if proto { tcp, udp, icmp } from $intaddr_whiterussian to any -> $tunaddr_whiterussian
binat on $tun_if proto { tcp, udp, icmp } from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
binat on $tun_if proto { tcp, udp, icmp } from $intaddr_bloodymary to any -> $tunaddr_bloodymary
binat on $tun_if proto { tcp, udp, icmp } from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea

# The binat'ed addresses must not be NATed a second time
no nat on $tun_if from { $tunaddr_whiterussian, $tunaddr_irishcoffe, $tunaddr_bloodymary, $tunaddr_longislandicetea } to any

# Everything else on the LAN is NATed to the DSL address
nat on $tun_if from $int_if:network to any -> ( $ext_if )

# Filtering
block all

# Pass out on all interfaces
pass out on { $int_if } keep state
pass out on { $ext_if } keep state
pass out on { $tun_if } from { $tunaddr_whiterussian, $tunaddr_irishcoffe, $tunaddr_bloodymary, $tunaddr_longislandicetea } keep state
# NATed traffic (anything not sourced from a tunnel address) is routed out via the DSL gateway
pass out on { $tun_if } route-to ( $ext_if 85.228.192.1 ) from ! <tunaddr> keep state

# Internal network
pass in on { $int_if } inet proto tcp from $int_net to any flags S/SA modulate state
pass in on { $int_if } inet proto { udp, icmp } from $int_net to any keep state

# Safeguard, we should always be able to access SSH
pass in quick proto tcp to any port 22 keep state

# Internet: services reachable on the tunnel addresses (binat rewrites the
# destination to the internal address before the filter rules see it)
pass in on { $tun_if } proto { tcp } from any to $intaddr_longislandicetea port { 22, 33667, 9090, 136, 137, 138, 139, 5900 } keep state
pass in on { $tun_if } proto { tcp } from any to $intaddr_irishcoffe port { 22, 51413 } keep state
pass in on { $tun_if } proto { tcp } from any to $intaddr_whiterussian port { 20, 21, 22, 25, 80, 110, 119, 136, 137, 138, 139, 143, 443, 993, 995 } keep state
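One way to stop hard-coding the DSL gateway in the route-to rule, as an added example that is not part of Jens's post or config: let dhclient's lease file supply the gateway and hand it to pf as a macro with `pfctl -D`. The script assumes the lease file lives at /var/db/dhclient.leases.vr0 (OpenBSD's default naming, newest lease last), that pf.conf declares a placeholder macro `ext_gw` and uses `route-to ( $ext_if $ext_gw )`, and that it is invoked from /etc/dhclient-exit-hooks; the lease text in the block is constructed, not a real capture. Because the gateway value originates from the DHCP server, it is validated as a plain dotted quad before it is placed on the pfctl command line.

```sh
#!/bin/sh
# Added example, not the poster's configuration. Reads the router address
# from the most recent dhclient lease on the DSL interface and reloads pf
# with it as a macro, so pf.conf can contain (placeholder overridden by -D):
#   ext_gw = "0.0.0.0"
#   pass out on $tun_if route-to ( $ext_if $ext_gw ) from ! <tunaddr> keep state
# Assumed paths; adjust to the router in question.
LEASE_FILE="${LEASE_FILE:-/var/db/dhclient.leases.vr0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Print the first router of the last lease read on stdin.
# Exits 1 when no "option routers" line is present at all.
gateway_from_lease() {
    awk '
        /option routers/ { gw = $3; sub(/[,;].*$/, "", gw) }
        END { if (gw == "") exit 1; print gw }
    '
}

# The value was chosen by a DHCP server on the wire, so accept nothing but
# four decimal octets before it goes anywhere near a command line.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# Build the reload command as a string so it can be inspected (and tested)
# without touching the running ruleset.
pfctl_reload_cmd() {
    printf 'pfctl -D ext_gw=%s -f %s\n' "$1" "$PF_CONF"
}

# Entry point for real use, e.g. called from /etc/dhclient-exit-hooks
# (assumed to exist on the router): fail closed on any malformed input.
apply_gateway() {
    gw=$(gateway_from_lease < "$LEASE_FILE") || {
        echo "no router option found in $LEASE_FILE" >&2; return 1; }
    is_ipv4 "$gw" || {
        echo "refusing malformed gateway '$gw'" >&2; return 1; }
    sh -c "$(pfctl_reload_cmd "$gw")"
}

# Constructed sample lease (not a real capture) so the parsing runs offline.
SAMPLE_LEASE='lease {
  interface "vr0";
  fixed-address 85.228.192.77;
  option subnet-mask 255.255.255.0;
  option routers 85.228.192.1;
  option domain-name-servers 85.228.192.2, 85.228.192.3;
  renew 1 2008/03/03 10:00:00;
}'

# Demo: show the gateway found in the sample and the command that would run.
demo_gw=$(printf '%s\n' "$SAMPLE_LEASE" | gateway_from_lease)
echo "gateway from sample lease: $demo_gw"
pfctl_reload_cmd "$demo_gw"
```

With this in place the pf.conf rule no longer changes when the ISP hands out a different router; only the macro value on the pfctl command line does, and a lease that carries no router option (or a garbage one) leaves the previous ruleset untouched instead of loading a broken route-to.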