DaemonForums > OpenBSD > OpenBSD General
#1
25th May 2008
tpprodigy
New User, Join Date: May 2008, Posts: 1

dual ISP connection problems

I am having an issue trying to get my network set up. I am attempting to set up an OpenBSD 4.3 router with two internal subnets and two internet connections (a T1 and a Comcast connection). I would like all traffic on the internal networks to use the Comcast connection so that the T1 connection would only be used for the webserver. Right now the two internal networks are working correctly and using the Comcast internet connection, but my website is not accessible and the public IP address for the T1 connection (website address IP) cannot be pinged from the outside. I am not using the multipath option, since whenever I tried to use multipath it caused the internal LANs to use the T1 connection half the time. So I am using the mygate file, which has the Comcast gateway in it, and the hostname file for the T1 interface adds a default route to the routing table for its gateway.

Here's some information about my system.
Network 1 clients:
Network 2 clients:

Route show command:

Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default                               UGS         0     3243      -   dc0
default            64-192-xxx-xxx.meg UGS         0        0      -   re0
10.1.10/24         link#3             UC          1        0      -   dc0
                   00:13:f7:be:f1:52  UHLc        1        0      -   dc0
                   localhost          UGHS        0        0  33208   lo0
64-192-xxx.xxx.meg link#2             UC          1        0      -   re0
64-192-xxx.xxx.meg 00:a0:c8:22:07:6f  UHLc        1        0      -   re0
loopback           localhost          UGRS        0        0  33208   lo0
192.168.1/24       link#4             UC         10        0      -   re1
                   00:19:db:61:c1:4d  UHLc        0       27      -   re1
                   00:03:47:f5:f8:3f  UHLc        0        3      -   re1
pf.conf file:
# Defining Macros

# external interfaces
ext0="re0" # T1 (MegaGate)
ext1="dc0" # Comcast

# internal interfaces
lan1="re1" # our main LAN
lan2="msk0" # secondary lan for untrusted computers

# groups of interfaces
lan= "{" $lan1 $lan2 "}"
all_if= "{" $ext0 $ext1 $lan1 $lan2 "}"   # pf lists use braces, not parentheses

# static ip addresses

# port macros
webPorts="{ 80, 443 }"   # pf lists use braces, not parentheses

# Options

# setting default block policy to drop
set block-policy drop

# disable filtering on loopback interface
set skip on lo0

set optimization conservative

# NAT Rules

# NAT defaults for connecting from LAN1 and LAN2 to the Internet through
# comcast. All connections made from outside the LAN to the  
# webserver will default out through the T1 line.
nat on $ext0 proto tcp from any to $webServer port 80 -> $ext0
nat on $ext1 from $lan1:network to any -> $ext1
nat on $ext1 from $lan2:network to any -> $ext1

# Redirects (port forwarding)

# forward web traffic to webserver (trac)
rdr on $ext0 proto tcp from any to ($ext0) port 80 -> $webServer

# forward https web traffic to webserver
rdr on $ext0 proto tcp from any to ($ext0) port 443 -> $webServer
So any idea where my problem is? I think the problem is in NAT somewhere, but I've yet to be able to get NAT to control traffic properly.

EDIT: When doing a traceroute to the T1 address, the next hop after the T1's gateway is the Comcast interface, so there is definitely a routing/redirection problem somewhere.

Last edited by tpprodigy; 25th May 2008 at 04:29 AM. Reason: Updated information
#2
25th May 2008
J65nko
Join Date: May 2008, Location: Budel - the Netherlands, Posts: 3,825

# forward web traffic to webserver (trac)
rdr on $ext0 proto tcp from any to ($ext0) port 80 -> $webServer
From man pf.conf:

     Packets that match a translation rule are only automatically passed if the pass modifier is given, otherwise they are still subject to block and pass rules.
And from the pf users guide
NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based on the filter rules that have been defined.

The only exception to this rule is when the pass keyword is used within the rdr rule. In this case, the redirected packets will pass statefully right through the filtering engine: the filter rules won't be evaluated against these packets. This is a handy shortcut to avoid adding pass filter rules for each redirection rule. Think of it as a normal rdr rule (with no pass keyword) associated to a pass filter rule with the keep state keyword. However, if you want to enable more specific filtering options such as synproxy, modulate state, etc. you'll still have to use a dedicated pass rule as these options don't fit into redirection rules.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
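Putting the two posts together, here is an added example of a complete ruleset for this setup. It is not the poster's file and not J65nko's; it is written in the OpenBSD 4.3 (pre-4.7) nat/rdr syntax that the thread uses. It keeps the LAN-to-Internet NAT on the Comcast link, redirects inbound HTTP/HTTPS arriving on the T1 address to the web server, adds the explicit pass rule under a default-deny policy that J65nko's man page quote calls for, and uses reply-to on that pass rule so the web server's reply packets are sent back out through the T1 gateway instead of following the default route via Comcast, which is what the traceroute in the EDIT points at. The `webServer` and `t1_gw` addresses are placeholders (the post redacts both), and the example assumes the extra default route added from hostname.re0 is removed, so the kernel keeps the single default route via Comcast from /etc/mygate. The nat rule on $ext0 that tried to translate traffic towards the web server is dropped: it would only ever match packets leaving re0, which packets bound for a LAN host never do.

```pf
# /etc/pf.conf for an OpenBSD 4.3 dual-ISP router.  Added example, not the
# original poster's file.  Addresses marked "placeholder" are assumptions.

# external interfaces
ext0="re0"      # T1 (MegaGate); only the web server uses it
ext1="dc0"      # Comcast; the kernel default route (/etc/mygate) points here

# internal interfaces
lan1="re1"      # main LAN
lan2="msk0"     # secondary LAN for untrusted computers

# placeholders: both values are redacted in the thread
webServer="192.168.1.10"   # assumed: web server on lan1
t1_gw="64.192.0.1"         # assumed: T1 provider's next hop on $ext0

webPorts="{ 80, 443 }"

set block-policy drop
set skip on lo0
set optimization conservative
# floating is the default; stated explicitly because reply-to relies on the
# state created inbound on $ext0 also matching the reply seen inbound on $lan1
set state-policy floating

# NAT: LAN hosts leave through Comcast only (the kernel default route)
nat on $ext1 from $lan1:network to any -> ($ext1)
nat on $ext1 from $lan2:network to any -> ($ext1)

# Redirect HTTP/HTTPS arriving on the T1 address to the web server
rdr on $ext0 proto tcp from any to ($ext0) port $webPorts -> $webServer

# Default deny; translated packets still have to pass these rules
block in log all
block out log all

# Keep the untrusted LAN off the main LAN (quick: decided before the passes)
block in quick on $lan2 from $lan2:network to $lan1:network

# Inbound web traffic on the T1 link.  rdr has already rewritten the
# destination when this rule is evaluated, so match $webServer, not ($ext0).
# reply-to sends every packet of this state travelling back towards the
# client out of $ext0 to the T1 gateway, bypassing the Comcast default route.
pass in on $ext0 reply-to ($ext0 $t1_gw) proto tcp from any to $webServer port $webPorts flags S/SA keep state

# LAN clients out to the Internet (their states carry them out via $ext1)
pass in on $lan1 from $lan1:network to any keep state
pass in on $lan2 from $lan2:network to any keep state

# traffic originated by the router itself
pass out on $ext1 from ($ext1) to any keep state
pass out on $ext0 from ($ext0) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the reply path, watch the T1 interface while fetching the site from outside: `tcpdump -n -i re0 tcp port 80` should now show the SYN-ACKs leaving re0, and `tcpdump -n -e -ttt -i pflog0` shows anything the block rules still drop. On OpenBSD 4.7 and later, `nat` and `rdr` rules became `match ... nat-to` and `match ... rdr-to`, and `keep state` (already the default for pass rules since 4.1) is simply omitted, so this file needs translating for a current release.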