Dual WAN, outgoing routing problem
Firewall using OpenBSD 3.8, 2 WAN, 1 LAN

I am experiencing a problem with my configuration of pf as regards the choice of WAN ports to route an outgoing packet. Can someone help please?

The scenario comes up when ext_if1 is the default gateway in the routing tables, but I am trying to use a rule to force a packet from a machine on the LAN to route through ext_if2. In some cases, the packet gets routed to ext_if1 and then dropped. I can't figure out why, and this seems like a very easy case to get right.

I have this rule:

    pass in quick on $int_if \
        route-to ($ext_if2 $ext_gw2) \
        inet proto tcp from 192.168.1.120 to any flags S/SA \
        keep state (floating) \
        label xxx

If I go to 192.168.1.120 and try to connect to an offsite computer, some packets (not all) are dropped and show up on pflog0 as so:

    /etc tcpdump -e -i pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG
    19:13:50.464705 rule 3/(match) block out on fxp0: src.63198 dest.45870: [|tcp] (DF)
    19:13:53.457378 rule 3/(match) block out on fxp0: src.53544 dest.45870: [|tcp] (DF)
    19:13:53.486403 rule 3/(match) block out on fxp0: src.54951 dest.45870: [|tcp] (DF)
    19:13:59.457679 rule 3/(match) block out on fxp0: src.57831 dest.45870: [|tcp] (DF)
    19:13:59.611530 rule 3/(match) block out on fxp0: src.56602 dest.45870: [|tcp] (DF)

where rule 3 is "block drop out log on fxp0 all" (fxp0 == ext_if1).

If I look at the stats for that rule before and after attempting to connect, I see that the connection has resulted in matching packets and bytes but state = 0. How it can match without creating state, I don't know!

Any helpful pointers would be much appreciated.

George
--
Re: Dual WAN, outgoing routing problem
On Wed, Aug 16, 2006 at 02:04:32PM -0700, George Pontis wrote:

> pass in quick on $int_if \
>     route-to ($ext_if2 $ext_gw2) \
>     inet proto tcp from 192.168.1.120 to any flags S/SA \
>     keep state (floating) \

You seem to be assuming that a floating state created on $int_if will match packets on fxp0 (presumably $ext_if). That's simply not the case. More details can be found in

    http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238

In short, you need a "pass out on fxp0 ... keep state" rule for those connections, and you'll get TWO states per connection.

Daniel
RE: Dual WAN, outgoing routing problem
> On Wed, Aug 16, 2006 at 02:04:32PM -0700, George Pontis wrote:
>
> > pass in quick on $int_if \
> >     route-to ($ext_if2 $ext_gw2) \
> >     inet proto tcp from 192.168.1.120 to any flags S/SA \
> >     keep state (floating) \
>
> You seem to be assuming that a floating state created on $int_if will match packets on fxp0 (presumably $ext_if). That's simply not the case. More details can be found in
>
>     http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238
>
> In short, you need a "pass out on fxp0 ... keep state" rule for those connections, and you'll get TWO states per connection.
>
> Daniel

---

Yes, my understanding of (floating) was incorrect and I thank you for the pointer which explained that nicely. The original problem remains, though, since I have always used pass out rules for both external interfaces:

    ##
    pass out on $ext_if1 inet proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
    pass out on $ext_if1 inet proto { udp, icmp } all keep state queue (q_def1, q_pri1)
    pass out on $ext_if2 inet proto tcp all flags S/SA keep state queue (q_def2, q_pri2)
    pass out on $ext_if2 inet proto { udp, icmp } all keep state queue (q_def2, q_pri2)
    #
    # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for ext_if2 to ext_gw2
    #
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
    ###

There must be something about my understanding of how packets are routed that is at the root of the problem. I say that since the packets that are dropped are being routed out ext_if1 in contradiction to the route-to ext_if2 option.

How can I express the logic in pf that will ensure that all the traffic for a specific LAN host will always route through a specific interface, no matter what is in the system routing tables?

Geo.
Re: Dual WAN, outgoing routing problem
On Wed, Aug 16, 2006 at 08:33:10PM -0700, George Pontis wrote:

>     #
>     # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for ext_if2 to ext_gw2
>     #
>     pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
>     pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
>
> There must be something about my understanding of how packets are routed that is at the root of the problem. I say that since the packets that are dropped are being routed out ext_if1 in contradiction to the route-to ext_if2 option.
>
> How can I express the logic in pf that will ensure that all the traffic for a specific LAN host will always route through a specific interface, no matter what is in the system routing tables?

Your two rules above only re-route packets with source addresses $ext_if1 and $ext_if2. A specific LAN host would only have such a source address if you were using NAT. You have given no indication of whether you are, and what your NAT rules are... How else would packets from a LAN host have one of the firewall's own IP addresses as source address? Or what did you think "from $ext_if1" meant?

Daniel
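A rule set of the kind the two replies point toward, added here as an illustration and not posted by anyone in the thread. It reuses George's macro names, assumes the LAN is NATed behind each WAN address (the point Daniel asks about), uses the pre-4.7 nat syntax of OpenBSD 3.8, and fills in interface names and gateway addresses with placeholders.

```pf
# Added example, not from the thread. Interface names and gateway
# addresses below are placeholders; only the macro names come from the post.
ext_if1 = "fxp0"
ext_if2 = "fxp1"
int_if  = "fxp2"
ext_gw1 = "192.0.2.1"        # placeholder gateway on WAN 1 (default route)
ext_gw2 = "198.51.100.1"     # placeholder gateway on WAN 2
lan_net = "192.168.1.0/24"
pinned  = "192.168.1.120"    # the LAN host to force out through WAN 2

# Translation is evaluated on the interface the packet actually leaves,
# so a route-to'd packet leaving $ext_if2 gets $ext_if2's address. This is
# what makes "from $ext_if2" in the pass out rules below match LAN traffic.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny, logged, so misrouted packets show up on pflog0 as in the post.
block log all

# Traffic for the firewall itself must not be pushed off-site; match it
# first with quick so the route-to rule never sees it.
pass in quick on $int_if from $lan_net to $int_if keep state

# route-to on the inbound LAN interface chooses the egress path regardless
# of the kernel's default route. The state created here belongs to $int_if;
# it does not by itself satisfy the outbound block on the WAN interface.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    inet proto tcp from $pinned to any flags S/SA keep state
pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Second state per connection, on the egress interface (Daniel's "TWO
# states"). By the time these run, nat has already rewritten the source.
pass out on $ext_if1 inet proto tcp all flags S/SA keep state
pass out on $ext_if1 inet proto { udp, icmp } all keep state
pass out on $ext_if2 inet proto tcp all flags S/SA keep state
pass out on $ext_if2 inet proto { udp, icmp } all keep state

# Packets that carry one WAN's address but were handed to the other WAN
# by the routing table are sent back out through the matching gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
```

After loading this, `pfctl -ss` should show two entries for each connection from the pinned host, one on the LAN interface and one on $ext_if2, and the block rule's counters on $ext_if1 should stop growing for that host.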