DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General
Reload this Page Best method for forcing packet replies back to the same interface they arrived on
FAQ Today's Posts Search

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th June 2015
sysfu sysfu is offline
Port Guard
  
Join Date: Jun 2008
Posts: 36
Default Best method for forcing packet replies back to the same interface they arrived on
In a nutshell, the problem I'm trying to solve is "What's the best method for forcing packet replies back through the same interface they arrived on?"

This traffic routing problem was introduced by the addition of an always on OpenVPN tunnel to an existing setup.

Currently there is an embedded OpenBSD router device that serves a small private LAN. The interface group name for the LAN connection is 'lan'

The WAN interface is connected to a DSL Internet connection with a single publicly routable IP address. The interface group name for the WAN connection is the default: 'egress'

The router performs firewall/NAT duties and runs an NSD server. It also forwards web, email, tor, and syncthing traffic to other devices on the LAN using pf 'rdr-to' rules.

The OpenVPN tunnel connects to a provider and stays up continuously. The interface group for this connection is 'tun'. All outbound traffic originating from the LAN is routed over the VPN tunnel and then on to the open Internet.

The problem that was introduced with the OpenVPN tunnel is that whenever it's active, any traffic arriving on the egress interface for the web/email/tor servers does not make it back to the requesting host.

I've tried modifying the web/email/tor/syncthing 'rdr-to' rules in pf.conf to include a 'reply-to (egress egress:0)' option but was unable to get it working.

My crude workaround to get inbound email connections from two external relay servers working has been to create a static route for each mail server's public IP address and specify the IP of the 'egress' interface as the gateway.

This method works OK for two known external hosts with static IP addresses, but it is impractical for the other services.

Copied below are the current pf.conf rules. IP addresses have been anonymized. Please let me know if you can spot any errors.

Code:
## macros
# interfaces
# use interface groups like 'egress' 'tun' 'lan' and 'dmz' instead of macros for firewall ruleset portability
# ports
tcp_riffraff = "{ ssh telnet 135:139 3128 3389 5900 7760 }"
udp_riffraff = "{ ssh 135:139 3389 }"
# Asterisk traffic ports (SIP and RTP).
voip_ports = "{ 5060 5061 10000:20000 }"
icmp_types = "echoreq"
tcp_fw_outbound = "{ www https bgp domain smtp }"
udp_fw_outbound = "{ domain bootps ntp https sip }"
# devices
ip_phones = "{ 192.168.0.x 192.168.0.x 192.168.0.x 192.168.0.x 192.168.0.x }"
trusted = "{ x.x.x.x x.x.x.x }"

## options
set block-policy return
set loginterface egress
set skip on lo0
# udp session timeout should be equal to or larger than your smallest SIP registration
# timer timeout. For a typical SIP timeout of 300 seconds, this should suffice.
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

## tables
table <bruteforce> persist

## anchors
anchor "relayd/*"
anchor "ftp-proxy/*"

## match rules
match out on egress inet from $ip_phones to any nat-to (egress:0) static-port
match out on egress inet from !(egress:network) to any nat-to (egress:0)
match out on tun inet from !(tun:network) to any nat-to (tun:0)

## filter rules
# drop the 'noise' to keep logs clean
block in quick on egress proto tcp to port $tcp_riffraff
block in quick on egress proto udp to port $udp_riffraff
block in log
pass in on lan
pass out quick
antispoof quick for { lo lan }
# connection types allowed from the firewall
pass out proto tcp to any port $tcp_fw_outbound
pass out proto udp to any port $udp_fw_outbound
# nsd DNS server
pass in on egress inet proto { udp tcp } to (egress) port 53
# smtpd SMTP server
pass in on egress inet proto tcp from $trusted to port smtp rdr-to 192.168.0.10 reply-to (egress egress:0)
# Tor relay
pass in on egress inet proto tcp to port 9001 rdr-to 192.168.0.11 reply-to (egress egress:0)
# syncthing
pass in on egress inet proto tcp to port 22000 rdr-to 192.168.0.12 reply-to (egress egress:0)
# voip static NAT mapping
pass in quick on egress inet proto udp from lan:network to any \
 port $voip_ports tag ASTERISK_OUT
# ftp workaround
pass in log quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out log inet proto tcp from 127.0.0.1 to any port ftp
# allow ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types
Reply With Quote
Reply

Tags
openvpn, pf, reply-to, route

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing Which Interface Is Assigned To Network Interface (physical) Port EverydayDiesel OpenBSD General 2 18th July 2014 10:25 AM
OpenBSD 5.4 on yeeloong : input method problem fstef OpenBSD Packages and Ports 6 24th November 2013 04:30 PM
Reliable method to get an IP? Sunnz OpenBSD General 8 3rd October 2008 06:52 PM
vr0: rx packet lost tutosun FreeBSD General 4 13th September 2008 10:13 AM
best package management method TerryP Off-Topic 9 18th June 2008 03:57 PM


All times are GMT. The time now is 11:30 PM.

DaemonForums.org RSS Feeds - Contact Us - DaemonForums.org - Archive - Privacy Statement - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick