Multiple VLANs & PF rules
Hello,

I am replacing a Cisco ASA at my home with an openbsd server. I've pf with nat and some basic rules in place. My internal machines are able to reach out to the internet with no problems. I've a separate lab network of servers which are segregated into multiple VLANs. I've been able to create the various vlans on the openbsd server, but I am not sure how inter-VLAN routing is supposed to work. The interface layout looks like this:

em0 - outbound to ISP
em1 - my home network
em2 - member of trunk0
em3 - member of trunk0
trunk0 - lacp trunk for my lab network
trunk0.vlan12 - vlan 12
trunk0.vlan15 - vlan 15

So, can one of you help me understand how I can write the pf rules to allow communication between em1 and vlan 12/15 or communication between vlan 12 and vlan 15 etc.

Please let me know.

Thanks,
dot
Re: Multiple VLANs & PF rules
On 19-08-2015 16:50, Dot Yet wrote:
> So, can one of you help me understand how I can write the pf rules to allow
> communication between em1 and vlan 12/15 or communication between vlan 12
> and vlan 15 etc.

If all machines have OpenBSD as their gateway, simple pass rules should do. No need for nat nor anything. Now, if some of these networks do not have the OpenBSD machine as its gateway, but the OpenBSD machine has access to the network, then you will need nat. You can have other things such as routes being passed using DHCP, RIP (or other internal routing protocol), etc. Assuming the OpenBSD machine can communicate with every network and every machine on it, you have plenty of options.

Cheers,
Giancarlo Razzolini
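What "simple pass rules" look like for the layout in the original post, as an added example pf.conf that is not from either poster. It assumes the two vlan(4) interfaces are named vlan12 and vlan15 (with trunk0 as parent), and the three subnets are made-up values for illustration; nat-to is applied only on em0, so the internal subnets reach each other untranslated.

```pf
# Added example /etc/pf.conf for the layout in this thread; not from the
# original posts. Interface names vlan12/vlan15 and the subnets are assumed.
ext_if  = "em0"
home_if = "em1"
int_ifs = "{ em1 vlan12 vlan15 }"

home_net  = "192.168.1.0/24"
lab12_net = "10.0.12.0/24"
lab15_net = "10.0.15.0/24"
table <internal> const { 192.168.1.0/24 10.0.12.0/24 10.0.15.0/24 }

set skip on lo

# Translate only what leaves towards the ISP; internal subnets talk directly.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

# Default deny; the state each pass rule creates takes care of the replies.
block all

# The gateway's own traffic and already-admitted flows may leave any interface.
pass out on $ext_if inet
pass out on $int_ifs inet

# Every internal subnet may reach the internet. The table negation means this
# rule never grants access to another internal subnet; that stays explicit below.
pass in on $int_ifs inet from <internal> to !<internal>

# The home network may open connections to both lab VLANs.
pass in on $home_if inet from $home_net to { $lab12_net $lab15_net }

# VLAN 12 may reach VLAN 15 on ssh and https only. VLAN 15 gets no rule, so it
# cannot start connections to VLAN 12 or to the home network.
pass in on vlan12 inet proto tcp from $lab12_net to $lab15_net port { 22 443 }

# Lab and home hosts may use the gateway itself for DNS.
pass in on $int_ifs inet proto { tcp udp } from <internal> to self port 53
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The point of the `<internal>` table is that inter-VLAN reachability is never a side effect of the "to the internet" rule: each allowed VLAN-to-VLAN path is its own pass rule, and anything without one falls through to `block all`.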
Re: Multiple VLANs & PF rules
OK, great, that's helpful.

The machines are all pointing to the openbsd server as their default gateway. The nat is only being used to get out to the internet (em0). Internal subnets do not use nat to communicate.

I don't want to use any routing protocol for this, but just simple firewall rules to allow or deny the traffic. I'll read through some more docs to gain more information.

Thanks Giancarlo!

On Wed, Aug 19, 2015 at 5:14 PM, Giancarlo Razzolini wrote:
> On 19-08-2015 16:50, Dot Yet wrote:
> > So, can one of you help me understand how I can write the pf rules to allow
> > communication between em1 and vlan 12/15 or communication between vlan 12
> > and vlan 15 etc.
>
> If all machines have OpenBSD as their gateway, simple pass rules should
> do. No need for nat nor anything. Now, if some of these networks do not
> have the OpenBSD machine as its gateway, but the OpenBSD machine has
> access to the network, then you will need nat. You can have other things
> such as routes being passed using DHCP, RIP (or other internal routing
> protocol), etc. Assuming the OpenBSD machine can communicate with every
> network and every machine on it, you have plenty of options.
>
> Cheers,
> Giancarlo Razzolini
Re: Multiple VLANs & PF rules
On 19-08-2015 18:25, Dot Yet wrote:
> The machines are all pointing to the openbsd server as their default
> gateway.

Nice.

> the nat is only being used to get out to the internet (em0). internal
> subnets do not use nat to communicate.

So you have the setup I outlined.

> I don't want to use any routing protocol for this, but just simple
> firewall rules to allow or deny the traffic.

You won't need to. The pf man pages are great, and they provide lots of examples. Also, if you take some time to learn BNF, it will surely help you.

Cheers,
Giancarlo Razzolini
Re: Multiple VLANs & PF rules
I have multiple vlans and a trunk port. I have hostname.vlan100 hostname.200 in /etc. Then my pf.conf file uses packet tagging to separate the vlan traffic.

On Wednesday, August 19, 2015, Dot Yet wrote:
> Hello,
>
> I am replacing a Cisco ASA at my home with an openbsd server. I've pf with
> nat and some basic rules in place. my internal machines are able to reach
> out to the internet with no problems. I've a separate lab network of
> servers which are segregated into multiple VLANs. I've been able to create
> the various vlans on the openbsd server, but I am not sure how inter-VLAN
> routing is supposed to work. The interface layout looks like this:
>
> em0 - outbound to ISP
> em1 - my home network
> em2 - member of trunk0
> em3 - member of trunk0
> trunk0 - lacp trunk for my lab network
> trunk0.vlan12 - vlan 12
> trunk0.vlan15 - vlan 15
>
> So, can one of you help me understand how I can write the pf rules to allow
> communication between em1 and vlan 12/15 or communication between vlan 12
> and vlan 15 etc.
>
> Please let me know.
>
> Thanks,
> dot
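The packet-tagging approach mentioned above, applied to the original poster's interfaces, as an added example that is not the poster's own pf.conf. It assumes interfaces named vlan12 and vlan15; ingress rules only label packets by where they came in, and the egress rules carry the actual policy.

```pf
# Added example: VLAN separation with pf packet tags. Not from the list;
# interface names vlan12/vlan15 are assumed.
ext_if  = "em0"
home_if = "em1"
lab_ifs = "{ vlan12 vlan15 }"

set skip on lo

# Bind every state to the interface it was created on. The policy below is
# decided on the egress interface, and this guarantees those "tagged" rules
# are consulted rather than the packet riding an ingress state across.
set state-policy if-bound

match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

block all

# Ingress: admit and label by origin. No policy here.
pass in on $home_if inet tag HOME
pass in on vlan12   inet tag LAB12
pass in on vlan15   inet tag LAB15

# Egress: what each label may reach. Tags stick to the packet across the
# forwarding path, so the origin is known on whichever interface it leaves.
pass out on $ext_if inet                            # any admitted origin may reach the ISP
pass out on $lab_ifs inet tagged HOME               # home may reach both lab VLANs
pass out on vlan15 inet proto tcp to port { 22 443 } tagged LAB12   # vlan12 -> vlan15, ssh/https only
# LAB15 has no egress rule towards vlan12 or em1, so those paths hit "block all".
```

Compared with filtering by source address on the ingress interface, the tag names the interface the packet actually arrived on, so a lab host that spoofs a home-network address still carries the LAB tag and still cannot reach em1. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; with `if-bound` every interface a flow crosses needs its own pass rule, which is what makes the egress side authoritative.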