Re: how can cheap routers do it?
How about the ability to handle IPSec passthrough??? I think both IPSec/PPTP passthrough abilities would be a big + for PF for people that are looking for this feature but stuck using a Linksys router to do it... I don't want to put any maps.. i just want it to work. uf
redirecting packets to a vpn tunnel
hi all, on my openbsd firewall i have a vpn tunnel running to the 10.0.43.0 subnet from an other company. The VPN tunnel works fine when i ping from the firewall to the other subnet using my external address (ping -I 81.223.6.246 10.0.43.11). Our own internal net is 172.16.0.0/24 - i'd now like my firewall to redirect packets coming from 172.16.0.0/24 with destination address 10.0.43.0/24 to go over the vpn tunnel. I've already tried to play around with pf, route, ipsecadm flow - but i don't get the point how to get this working. can anyone here give me a hint ? best regards Wolfgang
Re: how can cheap routers do it?
it's the nature of the protocol. Use nat-t and you should not have any problem... On Tue, Jul 06, 2004 at 04:04:59PM -0700, cell-X wrote: How about the ability to handle IPSec passthrough??? I think both IPSec/PPTP passthrough abilities would be a big + for PF for people that are looking for this feature but stuck using a Linksys router to do it... I don't want to put any maps.. i just want it to work. uf -- -- - Jean-Francois Dive -- [EMAIL PROTECTED] I think that God in creating Man somewhat overestimated his ability. -- Oscar Wilde
Re: PF $if:network syntax with more than one interface IP.
On 5 Jul 2004 12:54:48 -0700, [EMAIL PROTECTED] (Per-Olov Sjöholm) wrote: Is is possible to fix the interface a'la Solaris where you can specify interfaces for example hme0:1, hme0:2 etc where you have a separate interface name for each IP on the same physical interface.. The solaris syntax for interface aliases is logical and easy to work with. Such an addition would be welcome imho. greg -- Konnt ihr mich horen? Konnt ihr mich sehen? Konnt ihr mich fuhlen? Ich versteh euch nicht
RE: redirecting packets to a vpn tunnel
When I did this back in OpenBSD 3.1 days (and permuting to your subnets), I had to: (1) put the following line in /etc/rc.local: route add -net 10.0.43.0/25 a.b.c.d (where a.b.c.d is the address of the external interface of the remote OpenBSD firewall...the other company in your case), and (2) ensure a similar return route was on configured on the remote Since the ping works when the source address is your external interface address but not when the source address is on your internal net, I'm wondering if the icmp echo request packets are being sent, but the remote network doesn't know the route by which to return the icmp echo reply packets. Running tcpdump on your external interface may help determine this. Hope this helps. --jim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolfgang Pichler Sent: Wednesday, July 07, 2004 6:39 AM To: openbsd pf Subject: redirecting packets to a vpn tunnel hi all, on my openbsd firewall i have a vpn tunnel running to the 10.0.43.0 subnet from an other company. The VPN tunnel works fine when i ping from the firewall to the other subnet using my external address (ping -I 81.223.6.246 10.0.43.11). Our own internal net is 172.16.0.0/24 - i'd now like my firewall to redirect packets coming from 172.16.0.0/24 with destination address 10.0.43.0/24 to go over the vpn tunnel. I've already tried to play around with pf, route, ipsecadm flow - but i don't get the point how to get this working. can anyone here give me a hint ? best regards Wolfgang
monitoring pf rule statistics
Hello, I'm planning an upgrade of the internet connection at the place where I work and am faced with upgrading our current Packeteer traffic shaper as well. Since these babies are quite expensive if you wish to deploy them in a redundant setup I managed to get the beancounters interested in an OpenBSD solution instead. What we're looking at is 2 * 2 bridges in a CARP failover setup, one set doing a 6mbit leased line, the other set will need to handle a 100 mbit connection. After they has gotten over the initial scare of using the commandline they did found 1 item missing: byte packetcounters for each rule. At the moment pfctl -vv -s all show something like this: [ Evaluations: 400582 Packets: 400582 Bytes: 264645786 States: 0 ] However what we need is something more aking to snmp interface statistics, but then for pf rules: x packets in, x packets out, x bytes in, x bytes out. Is there any way to get these statistics out of pfctl? Thanks. // nick
RE: redirecting packets to a vpn tunnel
Am Mi, den 07.07.2004 schrieb Fisher, James L. um 13:48: When I did this back in OpenBSD 3.1 days (and permuting to your subnets), I had to: (1) put the following line in /etc/rc.local: route add -net 10.0.43.0/25 a.b.c.d (where a.b.c.d is the address of the external interface of the remote OpenBSD firewall...the other company in your case), and this can't work - because my firewall can't route something for the remote ip address (Bad file descriptor) (2) ensure a similar return route was on configured on the remote i don't have access to the remote firewall Since the ping works when the source address is your external interface address but not when the source address is on your internal net, I'm wondering if the icmp echo request packets are being sent, but the remote network doesn't know the route by which to return the icmp echo reply packets. Running tcpdump on your external interface may help determine this. the connection works when the source address is 81.223.6.246 (thats one of my external addresses) - the ping goes through (i can see it with tcpdump -i enc0) Hope this helps. --jim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wolfgang Pichler Sent: Wednesday, July 07, 2004 6:39 AM To: openbsd pf Subject: redirecting packets to a vpn tunnel hi all, on my openbsd firewall i have a vpn tunnel running to the 10.0.43.0 subnet from an other company. The VPN tunnel works fine when i ping from the firewall to the other subnet using my external address (ping -I 81.223.6.246 10.0.43.11). Our own internal net is 172.16.0.0/24 - i'd now like my firewall to redirect packets coming from 172.16.0.0/24 with destination address 10.0.43.0/24 to go over the vpn tunnel. I've already tried to play around with pf, route, ipsecadm flow - but i don't get the point how to get this working. can anyone here give me a hint ? best regards Wolfgang
Re: redirecting packets to a vpn tunnel
On Wed, Jul 07, 2004 at 12:38:41PM +0200, Wolfgang Pichler wrote: on my openbsd firewall i have a vpn tunnel running to the 10.0.43.0 subnet from an other company. The VPN tunnel works fine when i ping from the firewall to the other subnet using my external address (ping -I 81.223.6.246 10.0.43.11). Our own internal net is 172.16.0.0/24 - i'd now like my firewall to redirect packets coming from 172.16.0.0/24 with destination address 10.0.43.0/24 to go over the vpn tunnel. I've already tried to play around with pf, route, ipsecadm flow - but i don't get the point how to get this working. can anyone here give me a hint ? Your internal network doesn't seem to be part of the ipsec flow. Try nat on lo0 from 172.16.0.0/24 to 10.0.43.0/24 - 81.223.6.246 and route -q add -src 172.16.0.0/24 -dst 10.0.43.0/24 127.0.0.1 (plus some scrub rule to set max-mss to whatever your tunnel can cope with, e.g. 1396 works for me). Cheers, Marc
Re: redirecting packets to a vpn tunnel
Wolfgang Pichler wrote: Our own internal net is 172.16.0.0/24 - i'd now like my firewall to redirect packets coming from 172.16.0.0/24 with destination address 10.0.43.0/24 to go over the vpn tunnel. Assuming you've configured your tunnel(s) correctly, both firewalls should have routes to the corresponding side; i.e. your firewall will have a static route for the 10.0.43.0/24 network and packets from your LAN should automatically go across. For example, a netstat -rnf encap on my office firewall shows: [EMAIL PROTECTED] ~ netstat -rnf encap Routing tables Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 130.57.44.64/27 0 192.168.168.30/32 0 0 206.14.107.83/50/use/in 130.57.44.64/27 0 192.168.168.32/32 0 0 208.16.27.92/50/use/in 130.57.44.64/27 0 192.168.168.50/32 0 0 208.16.27.92/50/use/in 130.57.44.64/27 0 192.168.169.2/32 0 0 208.16.27.92/50/use/in --snip-- The boxes at 192.168.168.30/.32/.50 and 192.168.169.2 reach the 130.57.44.64/27 network over the VPN tunnel. Check out your SAs and see what flows you actually have configured. cheers, Sean
