Solved Multiple connections to same subnet for different functions



Reaction score: 4
Messages: 28

I am trying out an idea I had for my FreeBSD-12.2-based router, which has six GbE ports ([FONT=courier new]em0[/FONT] to [FONT=courier new]em5[/FONT]), to tweak how things work on the network. For the last year or two, I had things setup the traditional way where [FONT=courier new]em0[/FONT] was the WAN and [FONT=courier new]em1[/FONT] was the LAN, and a firewall governed what moved between these two interfaces. The router used [FONT=courier new]em1[/FONT] not only as the network gateway, but also exposed its administrative services on [FONT=courier new]em1[/FONT] as well. The downside here was because when using NAT w/ an IPFW firewall, you have to use a default-allow firewall approach, and I couldn't find a clean way to limit access to the administrative services of the router (primarily SSH). Since I have six GbE ports on this thing, I figured I would do something like this:

em0 --> WAN
em1 --> Gateway (
em2 --> Services (

And then have this criteria be met:
  1. Traffic from LAN destined for Internet --> em1 --> NAT --> WAN/em0
  2. Traffic from LAN destined for router --> em2
  3. Traffic from router itself destined for Internet --> NAT --> WAN/em0
  4. Traffic from router itself destined for LAN --> em2

Traffic from other points on the LAN meant for the Internet would flow to [FONT=courier new]em1/[/FONT], where the firewall script would NAT/send or receieve/NAT to/from the Internet on [FONT=courier new]em0[/FONT]/WAN (item #1). The router itself would use [FONT=courier new]em2/[/FONT] to expose services (like SSH) or access network services elsewhere on the LAN (like NFS) (items #2 and #4). I can then easily modify the firewall to better govern what can go where and do what on the network by the [FONT=courier new]em2[/FONT] interface directly.

The problem that arises, however, is how do I teach the router to send anything meant for the WAN out [FONT=courier new]em1/[/FONT] for NATing (like other devices do), but if it wants to access services like NFS on another machine on the network, to have it go out [FONT=courier new]em2/[/FONT]? It should not use [FONT=courier new]em1/[/FONT] to talk to other devices on the network, even though [FONT=courier new]em1[/FONT] is attached to the same subnet as [FONT=courier new]em2[/FONT]. More to the point, if this is possible, how would I codify it into [FONT=courier new]/etc/rc.conf[/FONT]? I am assuming that the defaultrouter variable won't work here, as that variable appears to be for simpler setups. I have internal DNS setup for other systems to know how to get to the router's services that will listen on [FONT=courier new]em2[/FONT].

I am open to other approaches if this is not a good idea.



Reaction score: 1,164
Messages: 1,375

I'm pretty sure that won't work because your router/firewall would wind up with two addresses in the same subnet. I think I could achieve what you want with the following pf(4) rules
# 1
nat on $ext_if from $internal_net to any -> ($ext_if)

block all

# Also #1
pass in on $int_if from $internal_net to !$int_address

# 1 and 3
pass out on $ext_if from { $internal_net ($exit_if) }

# 2
pass in on $int_if from $internal_net to $int_address port 22

# 4
pass out on $int_if
I didn't actually try these out, so they may not work. They're meant to give an idea of how to do this.

You could have different subnets on em1 and em2, but then you'd have to configure two IP addresses on every machine on the LAN side.



Reaction score: 4
Messages: 28

And after some bungling around on Google, this post kinda points out that what I want to do is not possible:

Though I think I might get away with the basic idea if I learn to use jails on the router and move the router piece of the device into a jail. That is going to take some thinking and re-planning of things. Guess I'll revert my changes for now and revisit this at a later date.