Re: openbsd 4.7 pf + route-to question
Hi All,

After a lot of testing I found out that my problem is appearing when I use NATted links as my uplinks. When I use routed IP addresses without NAT my route-to setup is working for openbsd 4.5 and 4.7. When using route-to over at least 1 link with NAT (I've tested it with both an openbsd NAT on the current gateways and a linux gateway with iptables) it doesn't seem to be changing the route as I expected it would.

For now my problem is solved, since I use public IP addresses for my gateways, so it turns out I need to have a test setup that also uses live addresses (like I do now).

Thanks to all who helped me track this down and replied to me on and off the list.

Kind regards,

Maikel Verheijen
Re: openbsd 4.7 pf + route-to question
I think you need to specify the gateway. On a host I set up that uses DSL (pppoe(4), so the gw is 0.0.0.1):

    pass out on $ext_if1 from $ext_if2 to any route-to ($ext_if2 0.0.0.1)
    pass out on $ext_if2 from $ext_if1 to any route-to ($ext_if1 0.0.0.1)

I don't know if your omission of 'to any' affects it, but it could also be matching a packet further down the list. I'd stick the route-to at the very bottom of your ruleset, or if you group them by direction/interface, at the bottom of the pass out on external interfaces and see if that helps?

Tom
Re: openbsd 4.7 pf + route-to question
On 27-07-2010 05:04, Maikel Verheijen wrote:

> Hello fellow openbsd fans,
>
> While preparing a test environment for my upgrade to openbsd 4.7 I ran into a slight problem. My current setup uses route-to rules to send out traffic back out on the interface it received it on like this:
>
>     pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from ($ext_if2)
>     pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from ($ext_if2)
>
> After changing this to
>
>     pass out on $ext_if2 from ($ext_if2) route-to ($ext_if1 $ext_if1_router)
>     pass out on $ext_if1 from ($ext_if1) route-to ($ext_if2 $ext_if2_router)
>
> and applying this to a fresh install of openbsd 4.7 this only seems to work when I enable multi-path routing with 2 default gateways. This has the disadvantage that all traffic gets sent out round-robin, which is not what I want.
>
> Can anyone help me figure out what I'm doing wrong? This setup does seem to work on openbsd 4.5, didn't try 4.6 yet, but will do so later today to see if it works there.
>
> Thanks in advance,
>
> Kind regards,
>
> Maikel Verheijen

Hi Maikel,

I'm not sure, but don't you need to put some nat rules to translate between the two interfaces?

    match out on $ext_if1 from $ext_if2 nat-to $ext_if1
    match out on $ext_if2 from $ext_if1 nat-to $ext_if2

My best regards,

Fabio Almeida
Re: openbsd 4.7 pf + route-to question
On Tue, Jul 27 2010 at 04:10, Maikel Verheijen wrote:

> Hello fellow openbsd fans,

Hello,

> While preparing a test environment for my upgrade to openbsd 4.7 I ran into a
> slight problem. My current setup uses route-to rules to send out traffic back
> out on the interface it received it on like this:
>
>     pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from ($ext_if2)
>     pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from ($ext_if2)
>
> After changing this to
>
>     pass out on $ext_if2 from ($ext_if2) route-to ($ext_if1 $ext_if1_router)
>     pass out on $ext_if1 from ($ext_if1) route-to ($ext_if2 $ext_if2_router)
>
> and applying this to a fresh install of openbsd 4.7 this only seems to work
> when I enable multi-path routing with 2 default gateways. This has the
> disadvantage that all traffic gets sent out round-robin, which is not what I
> want.
>
> Can anyone help me figure out what I'm doing wrong? This setup does seem to
> work on openbsd 4.5, didn't try 4.6 yet, but will do so later today to see if
> it works there.

I'm not sure route-to is supposed to work with "pass out" rules. I always thought it was only for incoming connections.
openbsd 4.7 pf + route-to question
Hello fellow openbsd fans,

While preparing a test environment for my upgrade to openbsd 4.7 I ran into a slight problem. My current setup uses route-to rules to send out traffic back out on the interface it received it on like this:

    pass out on $ext_if2 route-to ($ext_if1 $ext_if1_router) from ($ext_if2)
    pass out on $ext_if1 route-to ($ext_if2 $ext_if2_router) from ($ext_if2)

After changing this to

    pass out on $ext_if2 from ($ext_if2) route-to ($ext_if1 $ext_if1_router)
    pass out on $ext_if1 from ($ext_if1) route-to ($ext_if2 $ext_if2_router)

and applying this to a fresh install of openbsd 4.7 this only seems to work when I enable multi-path routing with 2 default gateways. This has the disadvantage that all traffic gets sent out round-robin, which is not what I want.

Can anyone help me figure out what I'm doing wrong? This setup does seem to work on openbsd 4.5, didn't try 4.6 yet, but will do so later today to see if it works there.

Thanks in advance,

Kind regards,

Maikel Verheijen
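A complete OpenBSD 4.7 ruleset for the two-uplink setup described in this post, put together along the lines of Tom's advice in the thread (name the gateway explicitly, keep "to any", and leave the route-to rules at the bottom so that no earlier pass out rule creates the state first). This is an added example, not the original poster's or any replier's configuration; the interface names, gateway addresses and LAN prefix are assumptions. Note that each pass out rule's "from" address is the address of the other link, which is what makes the rule fire only for packets the default route would otherwise push out of the wrong interface.

```pf
# Added example (not from any poster in this thread): OpenBSD 4.7 pf.conf for a
# firewall with two uplinks. Replies leave through the link they arrived on; the
# default route decides for everything else, so nothing is sent round-robin.
# Interface names, gateways and the LAN prefix below are assumptions.
ext_if1 = "em0"
ext_if2 = "em1"
int_if  = "em2"
ext_gw1 = "203.0.113.1"     # assumed gateway on the em0 link (RFC 5737 address)
ext_gw2 = "198.51.100.1"    # assumed gateway on the em1 link (RFC 5737 address)
lan_net = "192.168.1.0/24"  # assumed internal network

set skip on lo

# 4.7-style NAT: the match rules carry the translation, pass rules still decide.
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

block log all

pass in on $int_if from $lan_net to any

# Sessions that arrive on an external interface remember the gateway to answer
# through, so a connection that came in via the non-default link replies via it.
# Port 22 stands in for whatever services the firewall itself exposes.
pass in on $ext_if1 proto tcp from any to ($ext_if1) port 22 reply-to ($ext_if1 $ext_gw1)
pass in on $ext_if2 proto tcp from any to ($ext_if2) port 22 reply-to ($ext_if2 $ext_gw2)

# Traffic leaving on the interface its source address belongs to needs no help.
pass out on $ext_if1 from ($ext_if1) to any
pass out on $ext_if2 from ($ext_if2) to any

# Last matching rule wins: a packet about to leave em0 with em1's address (or the
# reverse) is handed to the other link's gateway instead. Keep "to any" and keep
# these two rules at the very bottom of the ruleset.
pass out on $ext_if1 from ($ext_if2) to any route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from ($ext_if1) to any route-to ($ext_if1 $ext_gw1)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then use `pfctl -vvs rules` after some traffic: the per-rule evaluation and packet counters show whether the route-to rules are ever hit, which is the quickest way to tell a never-matching rule from a rule that matches but does not route as expected. With NATted uplinks (Maikel's later finding in this thread), one thing to verify is whether the nat-to translation has already rewritten the source address by the time the pass out rule is evaluated; if it has, `from ($ext_if2)` can no longer match, and a gateway decision that depends on the original source is better taken on the `pass in on $int_if` rule, where no translation has happened yet.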
'route to' question
Hello lists! (sorry if cross-list posting is frowned upon)

I'm setting up a BSD/pf machine that will be working as a binat firewall for a number of hosts on two /28 subnets belonging to the same co-location provider. The BSD machine is already live, working hard for one subnet, and I don't have extra hardware to test this out in a lab environment (nice, I know), so I'd just like a little wisdom from the lists before I go live with this pf change:

I'm wondering if I can use the "route to" option with pf in order to force all traffic from subnet A through subnet A's gateway, while subnet B's traffic goes through subnet B's gateway. Right now, subnet B is set up and running with B's gateway as the host for the 0.0.0.0 network.

Now, with straight routing, I can't seem to find a way to enable multi-path routing to the 0.0.0.0 network along these lines:

    if src is from netA: pass traffic to gwA
    if src is from netB: pass traffic to gwB

Now, since I have only one external interface (see diagram at bottom), how can I rearrange the following pf statements (from the pf faq):

    pass out on em0 route-to (em0 $ext_gw2) from em0 to any
    pass out on em0 route-to (em0 $ext_gw1) from em0 to any

Can I get by by simply aliasing all of the IPs on em0 (external interface) or do I have to vlan the external device to get distinct interface names?

Thanks,

Pete.

Quick/Dirty Diagram:

    204.15.193.0/28  <-+ (aliases 204.15.193.2->14)
                       |
                       +--> (em0) BSD (em1) <--+ (Tagged VLAN)
                       |                       |
    204.15.193.16/28 <-+                     +-+
     (aliases 204.15.193.18->30)             |
                                             +-+-> VLAN2 (192.168.3/24)
                                             | |
                                             | +-> VLAN5 (10.10.5/24)
                                             |
                                             +---> VLAN6 (10.10.6/24)
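A worked version of the per-subnet policy routing Pete is after, as an added example rather than his configuration or the pf FAQ's. Since route-to names an interface and a next hop, both rules can name em0 with different gateways; what selects the gateway is the "from" address, so aliasing both /28s on em0 is enough for this part and no VLAN on the external side is needed. The two subnets are the ones from the post; the gateway addresses are placeholders, the trunk interface name is assumed, and the binat mappings for the individual hosts are left out. The syntax is OpenBSD 4.7's (route-to and reply-to after the address spec); on releases before 4.7 the clause goes before "from", as in the FAQ lines Pete quoted.

```pf
# Added example (not Pete's code or the pf FAQ's): one external interface (em0)
# carrying both /28s as aliases, each subnet's traffic forced through its own
# gateway regardless of which one is the default route.
ext_if = "em0"
int_if = "em1"                 # assumed: trunk carrying the tagged VLANs
net_a  = "204.15.193.0/28"
net_b  = "204.15.193.16/28"
gw_a   = "203.0.113.1"         # PLACEHOLDER: subnet A's real gateway
gw_b   = "203.0.113.2"         # PLACEHOLDER: subnet B's real gateway

block log all

pass in on $int_if

# Outbound: pick the gateway from the public source address. After binat the
# source is an address in one of the two /28s, so each rule matches one subnet.
pass out on $ext_if from $net_a to any route-to ($ext_if $gw_a)
pass out on $ext_if from $net_b to any route-to ($ext_if $gw_b)

# Inbound: a session that arrived for a subnet-B address must answer via gw_b
# even when gw_a is the default route (and vice versa); reply-to records that
# in the state so the return packets never consult the routing table.
pass in on $ext_if from any to $net_a reply-to ($ext_if $gw_a)
pass in on $ext_if from any to $net_b reply-to ($ext_if $gw_b)
```

On a box that is already live, load this with `pfctl -nf` first to catch syntax errors, then confirm after a test connection from each subnet that `pfctl -vvs rules` shows packets counted against the matching route-to rule and that `pfctl -ss` lists the state for it; if the counters on one rule stay at zero, the "from" address it expects is not the address pf sees at that point.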