Routing
- Devices on subnet (B) must be informed they are directly connected to two routers, "OpenBSD" and "Gateway". Their default route should be through "Gateway" as it reaches every address not on subnets (A) or (B). The additional route is needed to reach subnet (A) via the router "OpenBSD". This can be provided to each device manually/statically or via a DHCP server option such as classless-static-routes or classless-ms-static-routes.
- Devices on subnet (A) only need their default route through "OpenBSD"
- If NAT is not used in transitioning "Gateway" then devices on subnet (C) and other local subnets in your network need to have at least two additional routes, directing traffic to both subnets (A) and (B) through "Gateway".
- The "OpenBSD" router needs a default route through "Gateway," just as other devices on subnet (B). It does not need a route added for subnet (A), as that is directly attached to a NIC.
PF (just a possible example, completely untested)
```
# pf.conf on the "OpenBSD" router
subnet_a = "10.31.0.0/16"
# default block (return RST/ICMP unreachable rather than dropping silently)
block return log
# pass all traffic originating from subnet (A):
pass log from $subnet_a
# pass SSH inbound to this router:
pass log proto tcp to self port ssh
# permit this router to communicate:
pass log from self
# but do not permit this router to reach subnet (A)
# (last matching rule wins, so this overrides "pass log from self" above):
block log from self to $subnet_a
# authpf(8) rules will be inserted here; the anchor is evaluated in place,
# so a pass rule inside it overrides the default block above:
anchor "authpf/*"
```
AuthPF (again, untested)
```
# /etc/authpf/authpf.rules: loaded into the per-user anchor when a user
# authenticates. authpf(8) supplies $user_ip (and $user_id); macros from
# pf.conf are not visible here, so everything else must be defined again.
# your previously permitted traffic (3389 is RDP, given numerically in case
# the name is not present in /etc/services):
allowed_tcp_ports = "{ ssh, https, 3389 }"
icmp_types = "{ echoreq, unreach }"
# currently defined:
subnet_a = "10.31.0.0/16"
pass log proto tcp from $user_ip to $subnet_a port $allowed_tcp_ports
pass log proto icmp from $user_ip to $subnet_a icmp-type $icmp_types
```
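The routing section above hands subnet (B) devices their two routes via a DHCP classless-static-routes option. The following is an added example (not part of the post, and not OpenBSD or dhcpd code) that builds and parses the RFC 3442 option 121 payload for exactly those two routes, so you can see what bytes the clients receive and verify a server's output. Subnet (A) is 10.31.0.0/16 as in the post; the subnet (B) addresses are constructed assumptions: 192.0.2.1 for "OpenBSD" and 192.0.2.254 for "Gateway". The `isc_option_value` rendering assumes the common ISC dhcpd idiom of declaring option 121 as an array of 8-bit integers; check it against the DHCP server you actually run.

```python
import ipaddress

# Constructed example addresses for the topology in the post (not from it):
# subnet (A) is 10.31.0.0/16 as in the post; subnet (B) is assumed to be
# 192.0.2.0/24 (TEST-NET-1), with "OpenBSD" at 192.0.2.1 and "Gateway" at
# 192.0.2.254 on that subnet.
SUBNET_B_ROUTES = [
    ("10.31.0.0/16", "192.0.2.1"),   # subnet (A) via the "OpenBSD" router
    ("0.0.0.0/0", "192.0.2.254"),    # default route via "Gateway"
]


def encode_classless_routes(routes):
    """Encode [(destination_cidr, router_ip), ...] as the payload of DHCP
    option 121 (RFC 3442): per route, one byte of prefix length, only the
    significant octets of the destination, then the 4-byte router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)         # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8    # /16 -> 2 octets, /0 -> none
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("option 121 payload exceeds one DHCP option (255 bytes)")
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes: what a client does with option 121.
    Rejects malformed input instead of guessing (bad prefix length, short entry)."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("invalid prefix length %d" % plen)
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest_octets = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((int.from_bytes(dest_octets, "big"), plen))
        routes.append((str(net), str(router)))
    return routes


def isc_option_value(payload):
    """Render the payload as the decimal list used with the (assumed) ISC dhcpd
    idiom 'option rfc3442-classless-static-routes code 121 = array of unsigned
    integer 8;' followed by 'option rfc3442-classless-static-routes <list>;'."""
    return ", ".join(str(b) for b in payload)


if __name__ == "__main__":
    payload = encode_classless_routes(SUBNET_B_ROUTES)
    print(payload.hex())
    print(isc_option_value(payload))
    print(decode_classless_routes(payload))
```

Two points worth checking on any real deployment: RFC 3442 requires a client that receives option 121 to ignore the router option (option 3), so the default route via "Gateway" must be listed in the classless routes as above, not only in the router option; and the Microsoft classless-ms-static-routes option (249) carries the same encoding, so the same payload serves clients that only honour that code.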