Best method for forcing packet replies back to the same interface they arrived on
In a nutshell, the problem I'm trying to solve is "What's the best method for forcing packet replies back through the same interface they arrived on?"
This traffic routing problem was introduced by the addition of an always-on OpenVPN tunnel to an existing setup.

Currently there is an embedded OpenBSD router device that serves a small private LAN. The interface group name for the LAN connection is 'lan'. The WAN interface is connected to a DSL Internet connection with a single publicly routable IP address. The interface group name for the WAN connection is the default: 'egress'. The router performs firewall/NAT duties and runs an NSD server. It also forwards web, email, tor, and syncthing traffic to other devices on the LAN using pf 'rdr-to' rules.

The OpenVPN tunnel connects to a provider and stays up continuously. The interface group for this connection is 'tun'. All outbound traffic originating from the LAN is routed over the VPN tunnel and then on to the open Internet.

The problem that was introduced with the OpenVPN tunnel is that whenever it's active, any traffic arriving on the egress interface for the web/email/tor servers does not make it back to the requesting host. I've tried modifying the web/email/tor/syncthing 'rdr-to' rules in pf.conf to include a 'reply-to (egress egress:0)' option but was unable to get it working.

My crude workaround to get inbound email connections from two external relay servers working has been to create a static route for each mail server's public IP address and specify the IP of the 'egress' interface as the gateway. This method works OK for two known external hosts with static IP addresses, but it is impractical for the other services.

Copied below are the current pf.conf rules. IP addresses have been anonymized. Please let me know if you can spot any errors.

Code:
## macros

# interfaces
# use interface groups like 'egress' 'tun' 'lan' and 'dmz' instead of macros
# for firewall ruleset portability

# ports
tcp_riffraff = "{ ssh telnet 135:139 3128 3389 5900 7760 }"
udp_riffraff = "{ ssh 135:139 3389 }"
# Asterisk traffic ports (SIP and RTP).
voip_ports = "{ 5060 5061 10000:20000 }"
icmp_types = "echoreq"
tcp_fw_outbound = "{ www https bgp domain smtp }"
udp_fw_outbound = "{ domain bootps ntp https sip }"

# devices
ip_phones = "{ 192.168.0.x 192.168.0.x 192.168.0.x 192.168.0.x 192.168.0.x }"
trusted = "{ x.x.x.x x.x.x.x }"

## options
set block-policy return
set loginterface egress
set skip on lo0
# udp session timeout should be equal to or larger than your smallest SIP registration
# timer timeout. For a typical SIP timeout of 300 seconds, this should suffice.
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

## tables
table <bruteforce> persist

## anchors
anchor "relayd/*"
anchor "ftp-proxy/*"

## match rules
match out on egress inet from $ip_phones to any nat-to (egress:0) static-port
match out on egress inet from !(egress:network) to any nat-to (egress:0)
match out on tun inet from !(tun:network) to any nat-to (tun:0)

## filter rules
# drop the 'noise' to keep logs clean
block in quick on egress proto tcp to port $tcp_riffraff
block in quick on egress proto udp to port $udp_riffraff

block in log
pass in on lan
pass out quick

antispoof quick for { lo lan }

# connection types allowed from the firewall
pass out proto tcp to any port $tcp_fw_outbound
pass out proto udp to any port $udp_fw_outbound

# nsd DNS server
pass in on egress inet proto { udp tcp } to (egress) port 53

# smtpd SMTP server
pass in on egress inet proto tcp from $trusted to port smtp rdr-to 192.168.0.10 reply-to (egress egress:0)

# Tor relay
pass in on egress inet proto tcp to port 9001 rdr-to 192.168.0.11 reply-to (egress egress:0)

# syncthing
pass in on egress inet proto tcp to port 22000 rdr-to 192.168.0.12 reply-to (egress egress:0)

# voip static NAT mapping
pass in quick on egress inet proto udp from lan:network to any \
    port $voip_ports tag ASTERISK_OUT

# ftp workaround
pass in log quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out log inet proto tcp from 127.0.0.1 to any port ftp

# allow ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types
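The return-path gotcha in the post above (a service redirected with rdr-to on an interface that is not the default route, so replies leave via the tunnel unless the rule pins them with reply-to) is easy to reintroduce when a rule is added later. The lint below is an added example and not part of the original post: it reads a pf.conf or the output of pfctl -sr and reports every 'pass in' rule on a given interface or group that has rdr-to but no reply-to. The sample ruleset at the bottom is constructed, with anonymised addresses.

```shell
#!/bin/sh
# Added example: lint a pf ruleset for inbound rdr-to rules on a
# multi-homed ingress interface that carry no reply-to.

# Print offending rules, one per line; prints nothing when the ruleset is clean.
# $1: ruleset file (pf.conf or 'pfctl -sr' output)
# $2: ingress interface or interface group to check, e.g. egress
rules_missing_reply_to() {
    awk -v ifc="$2" '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # join pf.conf continuation lines that end in a backslash
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { $0 = buf $0; buf = "" }
        # inbound pass rule on the interface of interest, redirected, not pinned
        $1 == "pass" && $2 == "in" && index($0 " ", " on " ifc " ") > 0 &&
        index($0, "rdr-to") > 0 && index($0, "reply-to") == 0 { print }
    ' "$1"
}

# Number of offending rules, as a plain integer on stdout.
count_missing_reply_to() {
    rules_missing_reply_to "$1" "$2" | awk 'END { print NR }'
}

# Exit status helper: 0 when clean, 1 when at least one rule lacks reply-to.
check_ruleset() {
    [ "$(count_missing_reply_to "$1" "$2")" -eq 0 ]
}

# Constructed sample ruleset, written to a temp file so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# smtpd, forwarded with the return path pinned to egress
pass in on egress inet proto tcp from any to port smtp rdr-to 192.168.0.10 reply-to (egress egress:0)
# syncthing, forwarded but replies will follow the default route (the tunnel)
pass in on egress inet proto tcp to port 22000 rdr-to 192.168.0.12
# voip, continuation line, same problem
pass in quick on egress inet proto udp to any \
    port 5060 rdr-to 192.168.0.13
# arrives on lan, so it is not an egress concern
pass in on lan inet proto tcp to port 8080 rdr-to 192.168.0.20
EOF

if check_ruleset "$sample" egress; then
    echo "ok: every rdr-to rule on egress carries reply-to"
else
    echo "warning: rdr-to rules on egress without reply-to:"
    rules_missing_reply_to "$sample" egress
fi
```

Run it against the live ruleset with `pfctl -sr > rules.txt` and `rules_missing_reply_to rules.txt egress`; an empty result means every redirected inbound service on that interface has its return path pinned.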