DaemonForums > OpenBSD > OpenBSD Security

Route some ip addresses outside VPN
Posted by afdruiprek, 12th August 2017

Hello, I'm a new member to this forum, but I have used it a lot before I became a member.

I have a router with pfSense but would like to change it in favor of OpenBSD pf.

My setup looks like this.

ISP **** ROUTER **** AP

I run one OpenVPN client on the router so that all machines on the wifi AP go through the VPN.

Now comes the problem: I would want some of the clients' IP addresses to be routed through WAN (without VPN). I have tried different routing alternatives but I haven't found anything that works.
Everything else seems to work, even the "killswitch".


Here is my pf.conf; any suggestions on optimizations would also be appreciated.
Thanks in advance!!
Code:
ext_if = "em0"              # External interface
int_if = "em1"              # Internal interface
vpn_if = "tun0"             # VPN interface

# Private/bogon ranges that should never be seen on the WAN side
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

set block-policy drop
set loginterface $ext_if
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT LAN traffic to the address of whichever interface it leaves on
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

block all
# Every packet entering from the LAN is tagged; the tag follows the state
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state

# "Killswitch": tagged LAN traffic may never cross the WAN interface
block quick on $ext_if tagged NO_WAN_EGRESS
#block return out quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
#pass in on $int_if inet

Last edited by ocicat; 12th August 2017 at 07:43 PM. Reason: Please use [code] & [/code] tags when posting file contents.
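As an added illustration (not part of the original post and not OpenBSD code), the following Python script models how pf walks the filter rules posted above: the last matching rule wins, `quick` ends evaluation at once, and tags are sticky, so a later matching rule without `tag` does not remove a tag already applied (pf.conf(5)). It assumes 192.168.1.0/24 for `$int_if:network` (the post does not say) and a hypothetical bypass host 192.168.1.50; the `match`/`nat-to` lines and the destination-based martians rule are left out because they do not decide pass/block for LAN traffic. It goes beyond the post by showing where a per-host exception has to sit relative to the tagging rule for that host to leave em0 untagged.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

INT_NET = "192.168.1.0/24"  # assumed $int_if:network; the post does not state it
# The <martians> table from the posted pf.conf
MARTIANS = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "224.0.0.0/3",
            "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
            "203.0.113.0/24")


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out", or None for both
    iface: Optional[str] = None          # interface name, None for any
    src: Optional[Sequence[str]] = None  # source networks, None for any
    tagged: Optional[str] = None         # match only packets carrying this tag
    tag: Optional[str] = None            # tag applied when this rule matches
    quick: bool = False                  # stop evaluation at this rule


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    tag: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does the rule's selector match the packet?"""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.src is not None:
        addr = ip_address(pkt.src)
        if not any(addr in ip_network(net) for net in rule.src):
            return False
    if rule.tagged and rule.tagged != pkt.tag:
        return False
    return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """pf semantics: last matching rule wins unless a matching rule is 'quick'.
    Tags are sticky: a matching rule applies its tag even when it is not the
    final match, and later matches without 'tag' leave it in place. pkt.tag is
    updated in place so the caller can carry it into the next evaluation."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.tag:
            pkt.tag = rule.tag
        verdict = rule.action
        if rule.quick:
            break
    return verdict


# Filter rules from the posted pf.conf, in order (match/nat-to and the
# destination-based martians rule omitted: they do not decide pass/block here)
RULES = [
    Rule("block", "in", "em0", MARTIANS, quick=True),
    Rule("block"),                                     # block all
    Rule("pass", "in", "em1", (INT_NET,), tag="NO_WAN_EGRESS"),
    Rule("block", None, "em0", tagged="NO_WAN_EGRESS", quick=True),
    Rule("pass", "out", quick=True),                   # pass out quick inet
]


def forward(rules: Sequence[Rule], src: str, egress_if: str) -> tuple:
    """Inbound pass on em1, then outbound pass on the egress interface with
    the tag carried over (as pf's state entry would). Returns both verdicts."""
    inbound = Packet("in", "em1", src)
    in_verdict = evaluate(rules, inbound)
    if in_verdict == "block":
        return in_verdict, "not forwarded"
    outbound = Packet("out", egress_if, src, tag=inbound.tag)
    return in_verdict, evaluate(rules, outbound)


def with_bypass(rules: Sequence[Rule], host: str, quick: bool) -> list:
    """Copy of the rules plus a 'pass in on em1 from <host>' rule for one
    hypothetical LAN host: ahead of the tagging rule as 'quick' (host is never
    tagged), or right after it without 'quick' (host stays tagged)."""
    extra = Rule("pass", "in", "em1", (host + "/32",), quick=quick)
    new = list(rules)
    new.insert(2 if quick else 3, extra)
    return new


if __name__ == "__main__":
    host = "192.168.1.50"  # hypothetical host that should bypass the tunnel
    print("LAN host via tun0:", forward(RULES, "192.168.1.10", "tun0"))
    print("LAN host via em0: ", forward(RULES, "192.168.1.10", "em0"))
    print("martian in on em0:", evaluate(RULES, Packet("in", "em0", "10.1.2.3")))
    print("later non-quick bypass, via em0:", forward(with_bypass(RULES, host, False), host, "em0"))
    print("earlier quick bypass, via em0:  ", forward(with_bypass(RULES, host, True), host, "em0"))
```

Run it directly to print the verdicts. With the posted rules every LAN host is tagged by the `pass in on $int_if` rule, so the `block quick on $ext_if tagged` rule drops all of them on em0; a per-host exception appended after the tagging rule changes nothing because the tag sticks. The model covers filtering only: a host that leaves untagged still needs a routing decision that sends it to em0 rather than into the tunnel, which the script does not represent.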