pf nat dual gateways

Hi,

I would need some help in getting this working.

The idea is pretty simple: I have a box with 3 NICs; 2 for net pipes, and one for LAN.

Routing and NAT work; however, I need requests to u_ips to always be NATed through u_if, and everything else through ext_if.

As it is now, everything goes through ext_if.

Code:
ext_if="tun0"
int_if="vr0"
u_if="ed0"

ext_services="{2222}"
int_services="{53,80}"
rdp_port="{3232}"
rdp_srv="{192.168.0.250}"

u_ips="{123.123.123.123}"
u_gw="192.168.1.1"

localnet=$int_if:network

set skip on lo0
set optimization aggressive
set limit states 50000


scrub in all

nat on $ext_if from $localnet to any -> ($ext_if)
nat on $u_if from $localnet to $u_ips -> ($u_if)


rdr pass on $ext_if proto tcp from any to $ext_if port $rdp_port -> $rdp_srv port 3389

antispoof for $ext_if
antispoof for $u_if

block drop all

pass in inet proto tcp from any to any port $ext_services \
	flags S/SA keep state

pass in inet proto {tcp,udp} from $localnet to $int_if port $int_services \
       flags S/SA keep state

pass out all keep state

pass from $localnet to any keep state

And here's ifconfig:

Code:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
	ether 00:13:d4:a7:84:f9
	inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 52:54:00:df:92:3f
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (10baseT/UTP)
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:02:44:59:91:d5
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet 111.111.111.111 --> 111.111.111.254 netmask 0xffffffff 
	Opened by PID 449

As you can see, u_if (ed0) has IP addr 192.168.1.5, and the gateway is 192.168.1.1 (u_gw).

Running 7.2-RELEASE, amd64.

Any help is appreciated.
Thanks.
 
Try adding a route to $u_ips and route it to $u_if, something like this:

# route add 123.123.123.123 255.255.255.255 -iface ed0
 
Calderon said:
Well do you have DSL box in your u_if end?

It seems to assign a 192.168.1.x IP to you; you should configure the box as bridged if possible. Or else choose a different subnet for your LAN.

Have you read this?

http://daemonforums.org/showthread.php?t=1942

Yes, I stumbled on your thread and tried a few of the suggestions; however, packets still go through $ext_if.

$u_if is not DSL, it's another network ($ext_if is DSL, but that shouldn't matter).

Anyway, here's what I have now; it still doesn't work:

Code:
ext_if="tun0"
int_if="vr0"
u_if="ed0"

ext_services="{2222}"
int_services="{53,80}"
rdp_port="{3232}"
rdp_srv="{192.168.0.250}"

u_ips="{123.123.123.123}"
u_gw="192.168.1.1"

localnet=$int_if:network

set skip on lo0
set optimization aggressive
set limit states 50000

scrub in all

nat on $ext_if from $localnet to any -> ($ext_if)
nat pass on $u_if from $localnet to $u_ips -> $u_if

rdr pass on $ext_if proto tcp from any to $ext_if port $rdp_port -> $rdp_srv port 3389


antispoof for $ext_if
antispoof for $u_if

block drop all

pass in quick on $ext_if route-to {($u_if $u_gw)} proto tcp from $localnet to $u_ips \
	flags S/SA keep state

pass in inet proto tcp from any to any port $ext_services \
	flags S/SA keep state

pass in inet proto {tcp,udp} from $localnet to $int_if port $int_services \
       flags S/SA keep state

pass out all keep state

pass out on $u_if proto tcp all keep state flags S/SA

pass from $localnet to any keep state

Obviously I'm doing something wrong here; I just can't figure out what...

SirDice, I tried with static routes as well.
 
How is your routing setup?

My guess is it's routing everything via $ext_if based on the default gateway.
Since that other address needs to be routed through another interface it must have its own route.
 
Code:
# netstat -rn
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            111.111.111.254    UGS         0   746851   tun0
111.111.111.254    111.111.111.111    UGH         1        6   tun0
127.0.0.1          127.0.0.1          UH          0   146415    lo0
192.168.0.0/24     link#1             UC          0        0    vr0
192.168.0.141      00:15:f2:1f:2d:4e  UHLW        1       45    vr0    997
192.168.0.150      00:90:a9:21:74:b8  UHLW        1       14    vr0    788
192.168.0.250      00:15:17:27:ef:42  UHLW        1    54068    vr0   1077
192.168.0.254      00:13:d4:a7:84:f9  UHLW        1      377    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#5                        UHL         lo0
ff01:5::/32                       fe80::1%lo0                   UC          lo0
ff01:6::/32                       link#6                        UGC        tun0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
ff02::%tun0/32                    fe80::213:d4ff:fea7:84f9%tun0 UGC        tun0

Do you think I'm missing routes to 192.168.1.0/24?
And yes, it seems like the default gateway goes through $ext_if.
But shouldn't pf route the packets destined for $u_ip through $u_if based on the rules above?
 
Ghirai said:
Do you think I'm missing routes to 192.168.1.0/24?
Looks that way. The 123.123.123.123 is reachable via that network?

The routing table doesn't show ed0, which I assume is attached to 192.168.1.0/24?

Is the interface up? If ed0 has an address in 192.168.1.0/24 it should show up in the routing table in a similar way to vr0.

If that's set up, you can add something like:
# route add 123.123.123.123 192.168.1.1 255.255.255.255

Best thing to do is to disable the firewall and make sure traffic at least gets routed to the correct interface/network. Tcpdump is your friend here. Then proceed with the firewall settings.


And yes, it seems like the default gateway goes through $ext_if.
But shouldn't pf route the packets destined for $u_ip through $u_if based on the rules above?

PF doesn't route traffic. That's done by the routing tables.
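Added example (my own code, not something any poster in this thread wrote): a small Python model of the point SirDice makes, that the kernel's routing table, not pf, decides which interface a packet leaves on. It does a longest-prefix match over the IPv4 part of the netstat -rn output posted above (embedded here as a constructed sample) and shows why 123.123.123.123 currently falls through to the default route on tun0. The 192.168.1.0/24 entry for ed0 and the host route via 192.168.1.1 are hypothetical additions modelling the suggested fix; the kernel refuses a host route whose gateway is not on a connected network, and the model does the same.

```python
import ipaddress

# Constructed sample: the IPv4 part of the netstat -rn output posted in this thread.
NETSTAT_RN = """\
default            111.111.111.254    UGS         0   746851   tun0
111.111.111.254    111.111.111.111    UGH         1        6   tun0
127.0.0.1          127.0.0.1          UH          0   146415    lo0
192.168.0.0/24     link#1             UC          0        0    vr0
192.168.0.141      00:15:f2:1f:2d:4e  UHLW        1       45    vr0    997
192.168.0.250      00:15:17:27:ef:42  UHLW        1    54068    vr0   1077
192.168.0.254      00:13:d4:a7:84:f9  UHLW        1      377    lo0
"""


def parse_routes(text):
    """Turn netstat -rn lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # header or blank line
        dest, gateway, flags, _refs, _use, netif = fields[:6]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific entry covering dst wins, and the
    default route (/0) only applies when nothing more specific matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def egress_interface(routes, dst):
    """Interface the kernel would send a packet for dst out of; pf is not consulted."""
    match = lookup(routes, dst)
    return match[3] if match else None


def is_connected(entry):
    """A directly connected network carries no G (gateway) flag; hosts on it are
    reached by link-layer address rather than via a next hop."""
    net, _gateway, flags, _netif = entry
    return "G" not in flags and net.prefixlen < net.max_prefixlen


def connected_interfaces(routes):
    """Interfaces owning a connected network route (ed0 should be here but is not)."""
    return sorted({entry[3] for entry in routes if is_connected(entry)})


def add_host_route(routes, dst, gateway, netif):
    """Model 'route add <dst> <gateway> 255.255.255.255'. The kernel rejects a
    gateway that is not on a connected network, so this does too."""
    gw = ipaddress.ip_address(gateway)
    if not any(gw in entry[0] for entry in routes if is_connected(entry)):
        raise ValueError("gateway %s unreachable: no connected route covers it" % gateway)
    new = list(routes)
    new.append((ipaddress.ip_network(dst + "/32"), gateway, "UGHS", netif))
    return new


def add_connected_route(routes, network, netif, link):
    """Model the UC entry that appears once an interface has an address in network
    (hypothetical here: the posted table has no such entry for ed0)."""
    new = list(routes)
    new.append((ipaddress.ip_network(network), link, "UC", netif))
    return new


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    print("as posted, 123.123.123.123 leaves via", egress_interface(table, "123.123.123.123"))
    table = add_connected_route(table, "192.168.1.0/24", "ed0", "link#2")
    table = add_host_route(table, "123.123.123.123", "192.168.1.1", "ed0")
    print("with ed0 up and a host route, it leaves via", egress_interface(table, "123.123.123.123"))
```

Two things the model makes visible: with the table as posted, the only entry covering 123.123.123.123 is the default, so the packet goes out tun0 and the nat rule on $u_if never sees it; and the host route cannot even be installed until ed0's connected 192.168.1.0/24 entry exists, which is why checking that ed0 shows up in netstat -rn comes first. The one place pf does override the routing table is route-to, but the posted rule attaches it to `pass in quick on $ext_if`, and packets from $localnet arrive on $int_if, so that rule never matches them.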
 
Yea, ed0 is up as shown in ifconfig in my first post.

The problem is that the person administering that network blocks ICMP, so I wouldn't know if I can reach his gateway (192.168.1.1).

I'll go on site tomorrow and test things out with one of those cheap plastic routers, see if it works, then get back with more info.

Thanks.
 