PF 2 gateways possible

I have a little problem that I cannot seem to figure out.

Client A machine 10.31.0.20
BSD ext_if 10.31.0.25 gateway 10.21.0.252
BSD int_if 10.10.0.10
Client B inside 10.10.0.0/16 network = 10.10.0.12 gateway on this client is 10.10.0.100

When I try to ssh to client B from client A I cannot log in at all. When I change the gateway for client B to 10.10.0.10 then it works, but client B also needs the 10.10.0.100 because this is its route out of the network.

PF is set to pass only for the moment, for testing.
 
The B system needs a static route for 10.31.0.0/24, pointing to 10.10.0.10.
 
Actually after reading your reply I decided to go with a different model:

These are my rules so far:

pf.conf
Code:
### Variables ###

extif="em0"
intif="em1"
icmp_types="{ echoreq, unreach }"
# Port names are resolved through /etc/services when the ruleset is loaded;
# if "rdp" is not listed there pfctl rejects the rule, so use 3389 instead.
allowed_tcp_ports="{ ssh, https, rdp }"

set block-policy drop
set loginterface $extif
set skip on lo
# authpf adds the address of each logged-in user to this table
table <authpf_users> persist

### Block all Incoming Traffic  ###

# Default deny in both directions; everything below is an exception to this.
block all

pass in on $extif inet proto icmp all icmp-type $icmp_types keep state
# Only the gateway's own address on $extif accepts these services.
pass in on $extif proto tcp to $extif port $allowed_tcp_ports

pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass out on $extif inet proto icmp all icmp-type $icmp_types keep state

### Authpf per user IP rules from /etc/authpf/authpf.rules ###

# Rules from authpf.rules are loaded here (one sub-anchor per user session)
# after a successful authpf login and removed when the session ends.
anchor "authpf/*"

authpf.rules
Code:
allowed_tcp_ports="{ ssh, https, rdp }"
icmp_types="{ echoreq, unreach }"
int_if="em1" ## vlan10
ext_if="em0" ## vlan21
# $user_ip is substituted by authpf with the address the user logged in from.
pass proto tcp from $user_ip to any port $allowed_tcp_ports
pass in on $ext_if proto tcp from $user_ip to any port $allowed_tcp_ports

You may be familiar with this ruleset. I realised that I was going in the wrong direction with my last post, therefore I will explain further what I am trying to achieve.

1. As you can see, authpf allows the client machine to SSH into the locked down network. But I also want the servers inside the locked down network to be able to SSH out to any server outside the network. I have been going around in circles for the past 2 hours and cannot get it to work.
 
Yes I have a route on the bsd router something like this:

Code:
route add -net 10.31.0.0/16 10.10.0.1

It's the rules I'm referring to now. I had it working with a rule, but I forgot how.
 
Is this Client B? I lost track of which machine does what. Connections need to go from where? To where?


Code:
[A-10.31.0.20/16] - {10.31} - [10.31.0.25-BSD-10.10.0.10] - {10.10/16} - [10.10.0.12-B]
                                                                  |
                                                           [GW-10.10.0.1]
                                                                  |
                                                          {other networks}

It is much the same as you made it with a change in the gateway.

On the BSD machine there is a static route (route add -net 192.168.5.0/24 10.10.0.1)

The IP GW 10.10.0.1 is another router outside the internal network.

So to be able to reach "A" from "B" you ssh via 10.10.0.10; authpf then takes care of the access control upon successful login. Then you are able to SSH direct to 10.31.0.21 from your client "B".

Also once logged into client "A" I need to be able to SSH to any other machine outside the network like the following:

[A 10.31.0.20] - - [10.31.0.25-BSD-10.10.0.10] - [GW 10.10.0.1] - [192.168.5/24]

The network from 10.10.0.1 is vlan routed on a router.

What is important is that no one can use SSH to client "A" without authpf.

I hope this makes a lot more sense now
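A ruleset that does what the last two posts describe (users on the 10.10/16 side may only reach the 10.31 network through an authpf login on 10.10.0.10, while hosts inside 10.31 may SSH out to anywhere, including 192.168.5/24 via the 10.10.0.1 router). This is an added example, not the ruleset from the thread. It assumes the interface roles from the diagram above (em0 = vlan21 = 10.31 side, em1 = vlan10 = 10.10 side), the static route `route add -net 192.168.5.0/24 10.10.0.1` already on the box, and PF's default stateful filtering (every `pass` keeps state unless told otherwise, on OpenBSD 4.1+ and on FreeBSD). The macro names are mine, and 3389 is written as a number so the rule loads whether or not /etc/services knows "rdp".

```pf
# --- /etc/pf.conf (added example; interface roles assumed from the diagram) ---
locked_if="em0"            # vlan21, 10.31.0.25: the locked-down network, host A lives here
user_if="em1"              # vlan10, 10.10.0.10: users (host B) and the 10.10.0.1 router
locked_net="10.31.0.0/16"
tcp_services="{ ssh, https, 3389 }"
icmp_types="{ echoreq, unreach }"

set block-policy drop
set loginterface $locked_if
set skip on lo
table <authpf_users> persist   # authpf adds each logged-in user's address here

# Default deny in both directions. PF takes the LAST matching rule, so every
# pass below is an exception to this block.
block all

# 1. Users on the 10.10 side may SSH to the gateway itself, and nothing else,
#    which is where the authpf login happens. "(em1)" means the interface's
#    own addresses, so this never matches forwarded traffic bound for 10.31.
pass in on $user_if inet proto tcp from $user_if:network to ($user_if) port ssh

# 2. Hosts inside the locked-down network may SSH outward to anywhere.
#    A forwarded packet is filtered twice: inbound on em0 and outbound on em1,
#    so both rules are needed. The state entries let the replies back in, and
#    the kernel route (192.168.5.0/24 via 10.10.0.1) picks the next hop.
pass in  on $locked_if inet proto tcp from $locked_net to any port ssh
pass out on $user_if   inet proto tcp from $locked_net to any port ssh

# Ping and "unreachable" in both directions, so path problems are visible.
pass in  on { $locked_if $user_if } inet proto icmp icmp-type $icmp_types
pass out inet proto icmp icmp-type $icmp_types

# 3. Nothing so far allows 10.10 -> 10.31. That only happens through the
#    per-user rules authpf loads into this anchor after a successful login,
#    and they disappear when the user's ssh session ends.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules (added example) ---
# $user_ip is substituted by authpf with the address the user logged in from.
locked_if="em0"
user_if="em1"
locked_net="10.31.0.0/16"
tcp_services="{ ssh, https, 3389 }"

# Forwarded traffic from the authenticated user into the locked-down network,
# again as an in-rule on the arrival interface and an out-rule on the exit one.
pass in  on $user_if   inet proto tcp from $user_ip to $locked_net port $tcp_services
pass out on $locked_if inet proto tcp from $user_ip to $locked_net port $tcp_services
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and confirm the policy with `pfctl -ss` while a test SSH from 10.31 to 192.168.5.x is open: you should see one state on em0 and one on em1 for the connection. With the rules in this order, a host on 10.10/16 that has not authenticated gets `block-policy drop` on a direct SSH to 10.31.0.20, which is the "no SSH to A without authpf" requirement stated above.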
 