#1   11th December 2013
capt_cosmo
New User
Join Date: Dec 2013
Posts: 9
PF: Two internal interfaces and routing

Hi,

I have a problem regarding my pf ruleset.

My network setup looks as following:

Code:
                            Internet
                                ^
                                |
                          if_wan [pppoe0]
                                |
                                v
(client1..n) <-- if_wlan --> bsd-router <-- if_lan --> (clientn+1..m)

As you can see, I've got two internal interfaces: wlan and lan.

I'd like to achieve the following state:
1a. if_lan can connect to the wlan-clients through if_wlan
1b. if_lan can connect to the sshd on the bsd-router
1c. if_lan can connect to the internet through if_wan
2a. if_wlan can connect to the dhcpd on the bsd-router
2b. if_wlan can connect to the internet

Short:
if_lan -> if_wan, if_wlan, bsd-router:ssh
if_wlan -> if_wan, bsd-router:dhcp

Coming from the iptables world, my current approach seems a little odd to me – although
it seems to work out just fine. Anyways, the relevant lines are:

Code:
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network

# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
I assumed I could state rules just like:
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)          # allow if_lan -> internet
pass in quick on $if_lan from $if_lan:network to $if_wlan:network   # allow if_lan -> if_wlan
pass in quick on $if_lan from $if_lan:network to $if_lan port ssh   # allow if_lan -> bsd-router:ssh

Those lines, which I expected to work, prevent me from connecting to the internet... Note: I also tried using "(egress)" instead of "($if_wan)".

(I wanted to post a link to the entire ruleset but unfortunately I can't because I need to have at least five posts. Instead I'll just post it here, sorry)
The whole ruleset:
Code:
# interfaces
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"
 
if_wan_bandwith="1400Kb"
 
# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
 
# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
#                           |-- SIP --|  |ICQ|  | Jabber |       |-- Playstation Net --|
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
#                      |-- SIP --|  |-- PSN --|
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"
 
# options
##############
# allow lo communication
set skip on lo
set block-policy drop
 
# hygiene
##############
# scrubbing
match     in all                 scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match     on $if_wan     scrub (max-mss 1440)
 
# qos
###############
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }
 
queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6
 
# nat
###############
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port
 
# filtering
###############
# block all packets
block all
 
# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }
 
# reject ipv6
block quick on $if_wan inet6 all
 
# block private addresses on external interfaces
block drop in  quick on $if_wan from <private_nets>
block drop out quick on $if_wan to   <private_nets>
 
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
 
# enable input
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
 
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
 
# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
 
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network  
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network

Thanks for any suggestions.

Sören
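An added example (not part of the original post) showing why the "expected" rule cannot pass LAN-to-Internet traffic and what the input rules on the two internal interfaces look like when written per requirement 1a-2b: in pf, `($if_wan)` and `(egress)` expand to the addresses assigned to that interface, so `to ($if_wan)` only matches packets aimed at the router's own public IP, never a forwarded packet bound for an arbitrary Internet host. It assumes the macros and the `<private_nets>` table defined in the ruleset above and the constructed client address 192.168.1.10.

```conf
# Added example; if_lan, if_wan, if_wlan and <private_nets> are assumed
# to be the macros and table defined in the ruleset above.

# Why the "expected" rule fails: "($if_wan)" and "(egress)" expand to the
# addresses configured ON pppoe0, so this only matches packets whose
# destination is the router's own public IP. A constructed packet
# 192.168.1.10 -> 8.8.8.8 arriving on vr0 does not match it and falls
# through to "block all".
#pass in quick on $if_lan from $if_lan:network to ($if_wan)   # broken

# 1b. lan -> bsd-router:ssh, placed before the catch-all block below
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# everything else addressed to the router's own lan IP is dropped and logged
block in log quick on $if_lan to $if_lan

# 1a. lan -> wlan clients. pf filters forwarded traffic on the interface it
# ARRIVES on; the matching "out" on $if_wlan is covered by the state entry.
pass in quick on $if_lan from $if_lan:network to $if_wlan:network

# 1c. lan -> internet: select by destination address space instead of by
# egress interface. Anything outside loopback/RFC 1918 space is "the
# internet"; the outbound nat-to rule on $if_wan still applies to these states.
pass in quick on $if_lan from $if_lan:network to ! <private_nets>

# 2a. wlan -> bsd-router:dhcp. DHCP is UDP only, and a client's first
# DISCOVER is sent from 0.0.0.0, so the source is not restricted to the network.
pass in quick on $if_wlan proto udp from any port 68 to any port 67

# 2b. wlan -> internet only: explicit blocks for the internal networks and
# the router itself, then the same address-space pattern as for lan.
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network to ! <private_nets>
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the new rules replace the working set.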