Thread: 2 gateways
Posted 30th July 2019 by jggimi

  • Devices on subnet (B) must be informed they are directly connected to two routers, "OpenBSD" and "Gateway". Their default route should be through "Gateway" as it reaches every address not on subnets (A) or (B). The additional route is needed to reach subnet (A) via the router "OpenBSD". This can be provided to each device manually/statically or via a DHCP server option such as classless-static-routes or classless-ms-static-routes.
  • Devices on subnet (A) only need their default route through "OpenBSD".
  • If NAT is not used in transitioning "Gateway", then devices on subnet (C) and other local subnets in your network need to have at least two additional routes, directing traffic to both subnets (A) and (B) through "Gateway".
  • The "OpenBSD" router needs a default route through "Gateway," just as other devices on subnet (B). It does not need a route added for subnet (A), as that is directly attached to a NIC.
PF (just a possible example, completely untested)
subnet_a = "10.31/16"

# default block: anything not matched by a later rule is refused
# (pf evaluates rules top to bottom and the last matching rule wins)
block return log

# pass all traffic originating from subnet (A):
pass log from $subnet_a

# pass SSH inbound to this router:
pass log proto tcp to self port ssh

# permit this router to communicate:
pass log from self
# but do not permit this router to reach subnet (A)
# (being later, this overrides "pass log from self" for that destination):
block log from self to $subnet_a

# authpf(8) rules will be inserted here; rules that authpf loads into the
# anchor are evaluated at this point, i.e. after the blocks above:
anchor "authpf/*"
AuthPF (again, untested)
# your previously permitted traffic
# (service names must resolve via /etc/services on the router;
# if "rdp" does not, use the numeric port 3389 instead)
allowed_tcp_ports="{ ssh, https, rdp }"
icmp_types="{ echoreq, unreach }"

# currently defined:
subnet_a = "10.31/16"

# $user_ip is set by authpf(8) to the address of the authenticated SSH client
pass log proto tcp from $user_ip to $subnet_a port $allowed_tcp_ports
pass log proto icmp from $user_ip to $subnet_a icmp-type $icmp_types

Last edited by jggimi; 30th July 2019 at 10:50 PM. Reason: four typos
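The post's first bullet says subnet (B) devices can learn the two routes from a DHCP option such as classless-static-routes. The following is an added example, not code from jggimi's post: it encodes and decodes the RFC 3442 option 121 payload for exactly that route set (subnet (A) via "OpenBSD", default via "Gateway"), then does the longest-prefix match a subnet (B) host would do. The addresses of subnet (B), "Gateway" (192.168.1.1) and "OpenBSD" (192.168.1.2) are assumptions; subnet (A) is 10.31/16 as in the thread. Option 249 (the classless-ms-static-routes the post also mentions) carries the identical encoding.

```python
import ipaddress

# Assumed addresses for illustration (not from the thread): subnet (B) is
# 192.168.1.0/24, "Gateway" is 192.168.1.1 and the "OpenBSD" router is
# 192.168.1.2.  Subnet (A) is 10.31/16 as in the post.
GATEWAY = "192.168.1.1"
OPENBSD = "192.168.1.2"
SUBNET_A = "10.31.0.0/16"

# The route set a subnet (B) device needs: subnet (A) via "OpenBSD", everything
# else via "Gateway".  RFC 3442 requires the default route to be carried inside
# option 121 too, because a client that receives option 121 MUST ignore the
# plain routers option (3).  Option 249 uses the identical encoding.
SUBNET_B_ROUTES = [(SUBNET_A, OPENBSD), ("0.0.0.0/0", GATEWAY)]


def encode_classless_routes(routes):
    """Encode (destination/prefix, router) pairs as the option 121 payload.

    Each route is: 1 byte prefix length, ceil(prefix/8) significant octets of
    the destination, then the 4-byte router address.  The option code and the
    length octet are added by the DHCP server when it builds the packet.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)          # strict: host bits must be 0
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Parse an option 121/249 payload back into (destination/prefix, router).

    Rejects prefix lengths over 32 and truncated payloads instead of reading
    past the end, which is the failure mode of a careless client parser.
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("invalid prefix length %d" % plen)
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route at offset %d" % (i - 1))
        dest_int = int.from_bytes(payload[i:i + nsig] + b"\x00" * (4 - nsig), "big")
        i += nsig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((dest_int, plen))   # strict: rejects set host bits
        routes.append((str(net), str(router)))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match over the route list, as a host's routing table does."""
    dst = ipaddress.IPv4Address(destination)
    best_net, best_router = None, None
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_router = net, router
    return best_router


if __name__ == "__main__":
    payload = encode_classless_routes(SUBNET_B_ROUTES)
    print("option 121 payload:", payload.hex())
    for dest, router in decode_classless_routes(payload):
        print("route %-14s via %s" % (dest, router))
    # a subnet (B) host sends 10.31.x.x to "OpenBSD" and everything else to "Gateway"
    for host in ("10.31.4.7", "8.8.8.8"):
        print("%-13s -> %s" % (host, next_hop(SUBNET_B_ROUTES, host)))
```

The default route is carried inside the option on purpose: once a client accepts option 121 it drops the plain routers option, so a server that only lists the 10.31/16 route there leaves the subnet (B) host with no default route at all. Directly connected routes (subnet (B) itself) are not part of the option; the host derives those from its own address and mask.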