Old 3rd August 2014
geppettodivacin
Real Name: Eric Dilmore
New User
 
Join Date: Aug 2014
Location: Dallas, TX
Posts: 3
Virtual vs. Physical Interfaces in pf

I just set up a new OpenBSD gateway for a small nonprofit. The gateway has one external interface and one internal, but the internal one is sectioned off into several VLANs: one for secure traffic, one for guest traffic, one for internal phones, and one for our external Asterisk phone server.

I'm trying to set up QoS for the Asterisk server by using queues. Given that a queue acts on an interface, I would think that I could put a queue on the internal interface and section off bandwidth like that. However, for some reason pf doesn't seem to honor any rules dealing with the internal interface (named rl0), despite tcpdump showing quite a bit of traffic flowing in and out on that interface.

In order to test it, I put "match log (all) on $int_if" before any rules. Nothing is logged from that rule, however.

The pf FAQ says in its section on CARP that you should filter the physical interface, not the virtual one. (Admittedly, it's not talking about VLAN interfaces, but it's still a virtual if.) I've seen several other references to this behavior. However, the pf manpage, in its section on the in and out keywords, says that a "packet always comes in on, or goes out through, one interface."

I'm confused about the relationship between the physical and the virtual interface in pf, and I would also like to be able to set up a queue for the full physical interface. Any suggestions?

Here's my pf.conf for reference:
Code:
# Interface macros
int_if = "rl0"
ext_if = "re0"

nat_ip = "64.194.211.214"

open_vlan = "vlan10"
secure_vlan = "vlan11"
phone_vlan = "vlan12"
dmz_vlan = "vlan14"

asterisk_ext = "64.194.211.210"
asterisk_int = "10.10.14.10"
phone_out = "10.10.30.130"

# Services hosted on the gateway
gateway_services = "{ssh domain}"
dhcp = "{67 68}"
# Services the gateway needs to be able to access
allowed_services = "{ssh http https ftp domain ntp}"

# Addresses that should never be sent to under any circumstances
table <martians> const {0.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4}

# Drop packets when blocked
set block-policy drop

# Don't filter any loopback traffic
set skip on {lo }

# Default to block packets
block log
# Block all ipv6 traffic
block quick inet6

# Don't allow users to spoof packets
block quick from <martians>
block quick to <martians>

# General antispoofing. Should block packets that come from illogical places
# (internal from outside, and vice versa).
antispoof for $ext_if
antispoof for $int_if

# Always allow ICMP (ping)
pass proto icmp

###################
# TRAFFIC SHAPING #
###################
# Parent queues: Total bandwidth
queue outbound on $ext_if bandwidth 1544K
queue inbound on $int_if bandwidth 1544K

# Outbound queues
queue general_out parent outbound bandwidth 1000K default
queue asterisk_out parent outbound bandwidth 544K

# Inbound queues
queue general_in parent inbound bandwidth 1000K default
queue asterisk_in parent inbound bandwidth 544K   # inbound tree on $int_if, like general_in

# Rules to match
match set prio (3 7) # Give more priority to low-latency packets
match from $asterisk_int set queue asterisk_out
match to $asterisk_ext set queue asterisk_in

#######
# OUT #
#######
pass out proto {tcp udp} to port $allowed_services
pass out quick on $int_if proto {tcp udp} to port $dhcp

######
# IN #
######
pass in on $int_if proto {tcp udp} to port $gateway_services
pass in on $int_if proto {tcp udp} to port $dhcp
pass in on {$secure_vlan $open_vlan}

###########################
# Kill Inter-VLAN Traffic #
###########################
block out on $secure_vlan received-on $open_vlan
block out on $secure_vlan received-on $phone_vlan
block out on $open_vlan received-on $phone_vlan
block out on $phone_vlan received-on $open_vlan
# Note that the secure vlan can still reach both the open and phone vlans

#######
# NAT #
#######
match out on $ext_if received-on $open_vlan nat-to $nat_ip
match out on $ext_if received-on $secure_vlan nat-to $nat_ip
pass out on $ext_if received-on $open_vlan
pass out on $ext_if received-on $secure_vlan

############
# Asterisk #
############
match on $ext_if from $asterisk_int to any binat-to $asterisk_ext
match on $secure_vlan from $asterisk_int to any binat-to $asterisk_ext
pass on $ext_if from $asterisk_ext to any
pass on $secure_vlan from $asterisk_ext to any
pass on $dmz_vlan
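An added example, not from the original post or from OpenBSD: a small Python lint (my own) that rebuilds the queue tree from a pf.conf and reports parents that are never defined and parents whose children ask for more bandwidth than the parent has. The embedded sample is a copy of the post's queue section in which asterisk_in hangs off outbound (the $ext_if tree) rather than inbound, the kind of slip that silently puts a queue on the wrong interface.

```python
import re
from collections import defaultdict

# Constructed sample: the post's queue section as written; asterisk_in hangs
# off "outbound" (the $ext_if tree) where "inbound" was presumably meant.
SAMPLE_PF_CONF = """
queue outbound on $ext_if bandwidth 1544K
queue inbound on $int_if bandwidth 1544K
queue general_out parent outbound bandwidth 1000K default
queue asterisk_out parent outbound bandwidth 544K
queue general_in parent inbound bandwidth 1000K default
queue asterisk_in parent outbound bandwidth 544K
"""
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+(?:on\s+(\S+)|parent\s+(\S+))\s+bandwidth\s+(\d+)([KMG]?)\b", re.I)

def parse_queues(text):
    """Return {name: {iface, parent, bw (bit/s)}} for every queue line in text."""
    queues = {}
    for raw in text.splitlines():
        m = QUEUE_RE.match(raw.split("#", 1)[0].strip())   # comments ignored
        if m:
            name, iface, parent, bw, unit = m.groups()
            queues[name] = {"iface": iface, "parent": parent,
                            "bw": int(bw) * UNITS[unit.upper()]}
    return queues

def root_iface(queues, name):
    """Interface of the root queue that `name` ultimately hangs off, or None."""
    seen = set()
    while name in queues and queues[name]["parent"] is not None and name not in seen:
        seen.add(name)
        name = queues[name]["parent"]
    return queues[name]["iface"] if name in queues else None

def lint_queues(queues):
    """Report undefined parents and parents whose children oversubscribe them."""
    problems, children = [], defaultdict(list)
    for name, q in queues.items():
        if q["parent"] is not None and q["parent"] in queues:
            children[q["parent"]].append(name)
        elif q["parent"] is not None:
            problems.append(f"{name}: parent queue '{q['parent']}' is not defined")
    for parent, kids in children.items():
        total = sum(queues[k]["bw"] for k in kids)
        if total > queues[parent]["bw"]:
            problems.append(f"{parent} on {root_iface(queues, parent)}: children {kids} "
                            f"sum to {total} bit/s, above its {queues[parent]['bw']} bit/s")
    return problems
```

Run it over the pf.conf before loading it with pfctl; here the outbound tree comes out oversubscribed, which is the visible symptom of asterisk_in sitting under the wrong root.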