pf and routing question - The FreeBSD Forums

#1
June 19th, 2009, 13:01
giulianoz
Junior Member
Join Date: Jun 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
pf and routing question

Hello,
I'm trying to replace our current firewall (clavister) with freebsd/pf. I'm almost done but I have some rules I don't know how to convert. I've tried googling around but I've found nothing useful (maybe I'm looking for the wrong terms).

I have the following scenario:
Code:
LAN (192.168.1.0/24) connected to fxp0 (192.168.1.1)
DMZ1 (10.0.1.0/24) connected to dc0 (10.0.1.1)
DMZ2 (10.0.2.0/24) connected to dc1 (10.0.2.1)
DMZ3 (10.0.3.0/24) connected to dc2 (10.0.3.1)
DMZ4 (10.0.4.0/24) connected to dc3 (10.0.4.1)
The internet is accessible through another router on the LAN (192.168.1.254). The same router provides connections to a remote office using a VPN tunnel. On the remote site there are 4 other DMZs with the same network setup as DMZ1-4.
The PCs on the LAN have their default gateway set to the 192.168.1.254 router so when they try to reach any 10.0.x.x IP address they connect to the remote site. This is correct because the production servers are in the remote site and only a few people use the local DMZs that are for development/testing.
To actually reach the local DMZs I’ve configured the clavister firewall to route all the requests for network 10.10.1.0/24 to local 10.0.1.0/24 (and the same with the other 3 DMZs) and setup some static routes on the default gateway.

Can I do the same with pf without having one rdr rule for every DMZ's host?
Do I have to set up an alias on the LAN connected interface for every IP on the networks 10.10.1-4.0/24?
Is there a better way to have a similar setup?
Maybe I can modify the destination IP during the routing process (i.e. 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on)?

Thanks for your help

giuliano

Last edited by DutchDaemon; June 19th, 2009 at 13:41.
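The netblock-to-netblock mapping asked for in post #1 can be expressed in pf with a single binat rule per DMZ; this is an added example, not a rule set from the thread or from any of its posters. It assumes the interfaces and networks from the post (fxp0 on the LAN, dc0 for DMZ1), macro names of my own choosing, and that the 192.168.1.254 router keeps the static routes for 10.10.x.0/24 pointing at 192.168.1.1 as the poster describes.

```pf
# Added example (not from this thread): 1:1 netblock translation with pf's
# binat rule (FreeBSD pf, pre-OpenBSD-4.7 syntax). Macro names are assumed.
lan_if  = "fxp0"                 # LAN side, 192.168.1.1
dmz1_if = "dc0"                  # local DMZ1 side, 10.0.1.1
lan_net = "192.168.1.0/24"

dmz1_real  = "10.0.1.0/24"       # addresses the local DMZ1 hosts really use
dmz1_alias = "10.10.1.0/24"      # block LAN clients use to reach local DMZ1

# binat translates host-for-host in both directions on $lan_if:
#   in:  192.168.1.x -> 10.10.1.y  becomes  192.168.1.x -> 10.0.1.y
#   out: 10.0.1.y -> 192.168.1.x   becomes  10.10.1.y -> 192.168.1.x
# pfctl requires both netblocks to have the same prefix length, so one
# rule covers every host of the /24 and no per-host rdr rule is needed.
binat on $lan_if from $dmz1_real to $lan_net -> $dmz1_alias
# Repeat for DMZ2..4 (10.0.2.0/24 -> 10.10.2.0/24 and so on), still on $lan_if,
# with matching pass rules on dc1..dc3.

# Alternative if only LAN-initiated connections are needed: rdr with the
# bitmask pool option keeps the host part of the destination address.
#   rdr on $lan_if from $lan_net to $dmz1_alias -> $dmz1_real bitmask

# Translation rules do not pass packets. Filter rules are evaluated after
# translation, so they match on the real 10.0.1.0/24 addresses.
block log all
pass in  on $lan_if  from $lan_net to $dmz1_real keep state
pass out on $dmz1_if from $lan_net to $dmz1_real keep state
```

Because only 10.10.x.0/24 is routed to the pf box, the production 10.0.x.0/24 networks behind the VPN stay reachable through 192.168.1.254 exactly as before.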
#2
June 19th, 2009, 14:37
SirDice
Moderator
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,725
Thanks: 47
Thanked 2,023 Times in 1,862 Posts

You will make life a whole lot easier for yourself if you use different IP ranges for the local servers.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#3
June 19th, 2009, 14:41
giulianoz
Junior Member
Join Date: Jun 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts

hello,
yes, I know that, but the local network must be an exact replica of the production environment (this was decided by the previous manager...). In addition it would be a pain to reconfigure all the servers and the development/test clients...

giuliano
#4
June 19th, 2009, 14:45
SirDice
Moderator
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,725
Thanks: 47
Thanked 2,023 Times in 1,862 Posts

I've had similar discussions before on one of my previous jobs.

Having a different IP address doesn't change anything. You should use fully qualified hostnames in applications anyway, not hardcoded IP addresses. That way it'll be easy to switch from production to test, simply by adding a few hosts entries. Using hardcoded IP addresses is really, really bad form. Just try and imagine what kind of cr*p you run into when your company decides to renumber (because of some merger with another company).

I had warned them about this, would they listen? Of course not.. Guess who got to clean up the crap when they did merge and we had to renumber....
#5
June 19th, 2009, 14:48
giulianoz
Junior Member
Join Date: Jun 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by SirDice View Post
I've had similar discussions before on one of my previous jobs.

Having a different IP address doesn't change anything. You should use fully qualified hostnames in applications anyway, not hardcoded IP addresses. That way it'll be easy to switch from production to test, simply by adding a few hosts entries. Using hardcoded IP addresses is really, really bad form. Just try and imagine what kind of cr*p you run into when your company decides to renumber (because of some merger with another company).
I totally agree
#6
June 19th, 2009, 14:59
SirDice
Moderator
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,725
Thanks: 47
Thanked 2,023 Times in 1,862 Posts

Oh yeah.. And I forgot.. Next thing they'll want is to copy data from the production servers to the test servers.
Try and solve that riddle when both have the same IP addresses
#7
August 1st, 2009, 16:03
Trojan
Junior Member
Join Date: Feb 2009
Location: Uzbekistan, Tashkent
Posts: 25
Thanks: 1
Thanked 0 Times in 0 Posts

Guys please help to clarify the following issue: I have two subnets 192.168.1.0/25 and 192.168.1.128/25 and there is a FreeBSD with PF running between subnets. The scheme is below:

Subnet1 192.168.1.0/25 .1|------FreeBSD------|.129 192.168.1.128/25 Subnet2

Packet forwarding is already enabled on FreeBSD and now I need to create the appropriate rules, as restrictive as possible.

When I create the rules:

Code:
pass in all
pass out all
the connections between subnets work, but it also allows incoming and outgoing traffic from anywhere to anywhere, not only to and from Subnet 1 and Subnet 2.

When I create the rules:

Code:
 pass in on $lan1_if from $lan1_net to $lan2_net
 pass out on $lan1_if from $lan2_net to $lan1_net
 pass in on $lan2_if from $lan2_net to $lan1_net
 pass out on $lan2_if from $lan1_net to $lan2_net
The connections between subnets become lost.

What's wrong with my rules and what rules should I create to allow connection between subnets?
#8
August 1st, 2009, 18:56
DutchDaemon
Administrator
Join Date: Nov 2008
Location: Rotterdam, the Netherlands
Posts: 9,861
Thanks: 30
Thanked 1,896 Times in 1,338 Posts

Try:

Code:
pass quick on { $lan1_if $lan2_if} from { $lan1_net $lan2_net } to { $lan1_net $lan2_net } keep state
__________________
FreeBSD Forums: Information for New Members | FreeBSD Forums Rules
FreeBSD Resources: The FreeBSD Handbook | Manuals | FAQ | Wiki
Before you post: How to ask questions the smart way
If you must know .. So, what does an Administrator/Moderator do?
---> Do not PM me with FreeBSD questions. I do not work here. <---
#9
August 1st, 2009, 19:49
Trojan
Junior Member
Join Date: Feb 2009
Location: Uzbekistan, Tashkent
Posts: 25
Thanks: 1
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by DutchDaemon View Post
Try:

Code:
pass quick on { $lan1_if $lan2_if} from { $lan1_net $lan2_net } to { $lan1_net $lan2_net } keep state
No luck.

Code:
pfctl: Syntax error in config file: pf rules not loaded
Maybe because the direction statement (in/out) is missing?
#10
August 1st, 2009, 20:03
DutchDaemon
Administrator
Join Date: Nov 2008
Location: Rotterdam, the Netherlands
Posts: 9,861
Thanks: 30
Thanked 1,896 Times in 1,338 Posts

No direction statement is needed. E.g. 'pass all' = 'pass in all' + 'pass out all'. That statement in my previous post works fine on my system (adjusted for my own networks and network interfaces).
#11
August 2nd, 2009, 03:54
Trojan
Junior Member
Join Date: Feb 2009
Location: Uzbekistan, Tashkent
Posts: 25
Thanks: 1
Thanked 0 Times in 0 Posts

DutchDaemon, sorry. I just made a little mistake in rule (wrote # instead of $). Now it's OK.

But unfortunately your rule didn't help me. The traffic between subnets is still not forwarded. Here is the full list of rules:

Code:
lan1_if="em0"   # replace with the actual external interface name, e.g. dc0
lan2_if="em1"   # replace with the actual internal interface name, e.g. dc1
lan1_net="192.168.1.0/25"
lan2_net="192.168.1.128/25"

# default deny in both directions
block in all
block out all

# forwarded traffic between the two subnets, matched on either interface
pass quick on { $lan1_if $lan2_if } from { $lan1_net $lan2_net } \
to { $lan1_net $lan2_net } keep state
# traffic to and from the firewall's own addresses (.1 and .129)
pass in on $lan1_if from $lan1_net to 192.168.1.1
pass out on $lan1_if from 192.168.1.1 to $lan1_net
pass in on $lan2_if from $lan2_net to 192.168.1.129
pass out on $lan2_if from 192.168.1.129 to $lan2_net
#12
August 2nd, 2009, 23:15
DutchDaemon
Administrator
Join Date: Nov 2008
Location: Rotterdam, the Netherlands
Posts: 9,861
Thanks: 30
Thanked 1,896 Times in 1,338 Posts

Add 'set skip on lo0'.