PF or IPFW basic nat firewall with fibs

Good day all,

I am attempting to utilize 3 separate internet connections and am struggling desperately getting either ipfw or pf to work with them.

The setup is as follows:
em0 -> standard LAN type gateway - fib 0
ng0 -> PPPoE connection - fib 1
ng1 -> PPPoE connection - fib 2
re0 -> LAN 172.31.5.0/24

ng0 and ng1 have the same remote gateway

setfib 0 ping 1.1.1.1
setfib 1 ping 1.1.1.1
setfib 2 ping 1.1.1.1

All work from their expected public IPs.

I really just need a simple NAT firewall that will work with fib 1 or fib 2 for ipfw or pf. I should be able to figure it out from there, but the resources for dealing with fibs are quite thin and I just cannot figure out how to get them to work.

If I down em0 and make it so ng0 is on fib 0, then the normal firewall works as expected (just adding this to prove the appropriate NAT stuff for mpd5 is working).
 
For anyone wondering, I still have not figured out ipfw and fibs ... however, some light with pf. Before reading it, beware this is just the simplest I could make to work from. The reason for the assignments is:
em0 -> 4G connection, kind of a backup - used for the gateway itself and any jails or VMs it's running
ng0 -> PPPoE connection that I will use for my computer so work does not get disrupted by the kids or wife youtubing or whatever
ng1 -> PPPoE connection the LAN will use for, well, youtube, netflix etc.

Note the order of the matches. I did it this way as everything should be valid for em0, things on the LAN are valid for ng1 and finally only my PC is viable for ng1.

-- Start of script

ext_if0 = "em0"
ext_if1 = "ng0"
ext_if2 = "ng1"

lan_if = "re0"
lan_net = "172.31.5.0/24"

paul="172.31.5.99/32"

set block-policy drop
set skip on lo0

# NAT sets
nat on $ext_if2 tagged nat2 rtable 2 -> ($ext_if2)
nat on $ext_if1 tagged nat1 rtable 1 -> ($ext_if1)
nat on $ext_if0 tagged nat0 rtable 0 -> ($ext_if0)

# Tag any packets from our lan also put them on the correct fib
match in on $lan_if from any to any rtable 0 tag nat0
match in on $lan_if from $lan_net to ! $lan_net rtable 2 tag nat2
match in on $lan_if from $paul to ! $lan_net rtable 1 tag nat1

# tag packets from the wan to the correct fib
match in on $ext_if0 from any to any rtable 0 tag fib0
match in on $ext_if1 from any to any rtable 1 tag fib1
match in on $ext_if2 from any to any rtable 2 tag fib2
-- End of script
 
Hi Paul, can you help me with FIBs?
(attached image: 3-to-1_bsd-router.jpg)


I want to make one router out of three, so that each local network would access the Internet through its own provider.

In rc.conf:

Code:
# ISP1
ifconfig_vlan988="inet 87.25.23.210 netmask 255.255.255.248 vlan 988 vlandev hn0 fib 0"
# gw 87.25.23.214
# LAN1
ifconfig_vlan1="inet 172.17.7.18 netmask 255.255.255.0 vlan 1 vlandev hn1"

# ISP2
ifconfig_vlan523="inet 87.25.24.25 netmask 255.255.255.240 vlan 523 vlandev hn0 fib 1"
# gw 87.25.24.30
# LAN2
ifconfig_vlan25="inet 192.168.25.1 netmask 255.255.255.0 vlan 25 vlandev hn1"

# blocking router by default
# defaultrouter="87.25.24.30"
gateway_enable="YES"

static_routes="gw988 gw523"
route_gw988="-fib 0 default 87.25.23.214"
route_gw523="-fib 1 default 87.25.24.30"

Everything works fine, but there is a problem with nat. In pf.rules:

Code:
set skip on lo0
scrub in all

nat on vlan988 tagged nat0 rtable 0 -> 87.25.23.210
nat on vlan523 tagged nat1 rtable 1 -> 87.25.24.25

match in on vlan1 from any to any rtable 0 tag nat0
match in on vlan25 from any to any rtable 1 tag nat1

match in on vlan988 from any to any rtable 0 tag fib0
match in on vlan523 from any to any rtable 1 tag fib1

I can't get nat to work using FIBs.

Update: nat in pf works fine only with fib 0, but not with fib 1.
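Both posts wire NAT to FIBs the same way: a match rule sets a tag and an rtable, and a nat rule keyed on that tag translates via the same rtable. The following is an added example (editor's code, not either poster's configuration) that checks the static part of that wiring for both posted configs: every tag a nat rule consumes must be set by a match rule using the same rtable, the nat interface must live in that FIB, and that FIB must have a default route. The two posted configs are embedded as constructed input; for the first post, which has no rc.conf, the em0/ng0/ng1 FIB assignments are taken from the post's description, and the function names (expand_macros, parse_rc_conf, check_fib_nat) are this example's own.

```python
import re

# Constructed input: the second post's rc.conf, trimmed to the lines this check
# reads (interface fib assignments and the per-fib default routes).
RC_CONF_POST2 = """
ifconfig_vlan988="inet 87.25.23.210 netmask 255.255.255.248 vlan 988 vlandev hn0 fib 0"
ifconfig_vlan1="inet 172.17.7.18 netmask 255.255.255.0 vlan 1 vlandev hn1"
ifconfig_vlan523="inet 87.25.24.25 netmask 255.255.255.240 vlan 523 vlandev hn0 fib 1"
ifconfig_vlan25="inet 192.168.25.1 netmask 255.255.255.0 vlan 25 vlandev hn1"
route_gw988="-fib 0 default 87.25.23.214"
route_gw523="-fib 1 default 87.25.24.30"
"""
# Constructed input: the nat/match lines of the second post's pf.rules.
PF_POST2 = """
nat on vlan988 tagged nat0 rtable 0 -> 87.25.23.210
nat on vlan523 tagged nat1 rtable 1 -> 87.25.24.25
match in on vlan1 from any to any rtable 0 tag nat0
match in on vlan25 from any to any rtable 1 tag nat1
match in on vlan988 from any to any rtable 0 tag fib0
match in on vlan523 from any to any rtable 1 tag fib1
"""
# Constructed input: the first post's pf script, macros included, set options dropped.
PF_POST1 = """
ext_if0 = "em0"
ext_if1 = "ng0"
ext_if2 = "ng1"
lan_if = "re0"
lan_net = "172.31.5.0/24"
paul="172.31.5.99/32"
nat on $ext_if2 tagged nat2 rtable 2 -> ($ext_if2)
nat on $ext_if1 tagged nat1 rtable 1 -> ($ext_if1)
nat on $ext_if0 tagged nat0 rtable 0 -> ($ext_if0)
match in on $lan_if from any to any rtable 0 tag nat0
match in on $lan_if from $lan_net to ! $lan_net rtable 2 tag nat2
match in on $lan_if from $paul to ! $lan_net rtable 1 tag nat1
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
NAT_RE = re.compile(r'^nat on (\S+) tagged (\S+) rtable (\d+) -> (.+)$')
MATCH_RE = re.compile(r'^match in on (\S+) from .+ rtable (\d+) tag (\S+)$')
IFCFG_RE = re.compile(r'^ifconfig_(\w+)="(.*)"$')
ROUTE_RE = re.compile(r'^route_\w+="-fib (\d+) default \S+"$')

def expand_macros(conf):
    """Drop comments and blank lines, then substitute $name macros as pfctl would."""
    macros, lines = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            lines.append(re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return lines

def parse_rc_conf(rc):
    """Return ({iface: fib}, {fibs with a default route}); an ifconfig line without 'fib N' is fib 0."""
    iface_fib, default_fibs = {}, set()
    for line in rc.splitlines():
        m = IFCFG_RE.match(line.strip())
        if m:
            f = re.search(r'\bfib (\d+)', m.group(2))
            iface_fib[m.group(1)] = int(f.group(1)) if f else 0
        m = ROUTE_RE.match(line.strip())
        if m:
            default_fibs.add(int(m.group(1)))
    return iface_fib, default_fibs

def check_fib_nat(pf_conf, iface_fib, default_fibs):
    """Return findings (strings); an empty list means tags, rtables and fibs line up."""
    nats, tag_rtables = [], {}
    for line in expand_macros(pf_conf):
        n, m = NAT_RE.match(line), MATCH_RE.match(line)
        if n:
            nats.append((n.group(1), n.group(2), int(n.group(3))))
        elif m:
            tag_rtables.setdefault(m.group(3), set()).add(int(m.group(2)))
    findings = []
    for ifname, tag, rtable in nats:
        if tag not in tag_rtables:
            findings.append(f"nat on {ifname}: tag {tag} is never set by a match rule")
        elif tag_rtables[tag] != {rtable}:
            findings.append(f"nat on {ifname}: tag {tag} uses rtable {rtable} but its match rules use {sorted(tag_rtables[tag])}")
        if iface_fib.get(ifname, 0) != rtable:
            findings.append(f"nat on {ifname}: interface is in fib {iface_fib.get(ifname, 0)} but the rule uses rtable {rtable}")
        if rtable not in default_fibs:
            findings.append(f"nat on {ifname}: fib {rtable} has no default route")
    return findings

if __name__ == "__main__":
    for name, cfg, ifaces, fibs in (("post 2", PF_POST2, *parse_rc_conf(RC_CONF_POST2)),
                                    ("post 1", PF_POST1, {"em0": 0, "ng0": 1, "ng1": 2}, {0, 1, 2})):
        print(name, check_fib_nat(cfg, ifaces, fibs) or "consistent")
```

Both posted configs come back consistent, which is useful information in itself: the tag/rtable wiring is not where the second poster's fib 1 problem lies, so the next things to compare on the box are the loaded state (`pfctl -s nat`, `pfctl -s rules`) and the routes each FIB actually has (`setfib 1 netstat -rn`), rather than the config text.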