DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 25th November 2015
jasonvp's Avatar
jasonvp jasonvp is offline
Real Name: Jason
Port Guard
 
Join Date: Nov 2015
Location: Northern VA
Posts: 15
Default PF and NAT: Specify SRC IP Address?

Hey folks -

In the final step of migrating every system in my house from Linux to FreeBSD, I did the router yesterday. That was... challenging to say the least. Partially because the router needs to NAT some outbound connections while allowing others to just pass through (or route through) natively. NAT'd connections should be sourced from a different IP address than the router's egress IP.

More words: I have a Verizon business class FIOS connection with a block of "almost a /28" of IPs (VZ are a bunch of idiots when it comes to IP addressing). The router has to bridge my public VLAN with Verizon's, and that works fine. Interface bridge0 on the router has its own external IP address (XX.YY.ZZ.AA/24) and an alias on it for NAT (XX.YY.ZZ.BB/32). I'd like to force PF to NAT outbound connections to the second of those IPs, never the first. I can't figure out how to do that without ... some inventiveness.

The NAT rules look like so:
Code:
# Get NAT going for the RFC1918 space
no nat on $br from $external_ipv4_lan to $local_ipv4_lan
no nat on $br from $local_ipv4_lan to $external_ipv4_lan
nat on $br from $local_ipv4_lan to any -> ...
It's the ellipses part of that statement that I'm trying to figure out. If I put $br (which is bridge0), it'll sometimes use the main IP, and sometimes use the alias IP. I can't put an actual IP where the ellipses are because that's not allowed.

My solution thus far is to create interface lo100, assign the NAT IP to that, and then make the last line look like:
Code:
nat on $br from $local_ipv4_lan to any -> lo100
That works. Or at least it appears to. I'm wondering if there's another way to accomplish what I'm trying to do?
Reply With Quote
  #2   (View Single Post)  
Old 25th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,944
Default

I'm glad you have a circumvention which appears to be working for you. I'm not sure I can help improve it.

The OpenBSD pf.conf(5) man page from May 2007 - pre-fork - mentioned that the external address field must be routable.

With that limited knowledge, I'm only able to conjecture that you cannot use an alias address.

Possibly, you may be able to revise your network block so that the NIC's base address can be used for routing and for NAT.

---

I don't know what an "almost /28" is. A /28 is a block of 16 IP addresses, with 2 reserved and 14 available for device addressing.

Last edited by jggimi; 25th November 2015 at 05:18 PM. Reason: typo
Reply With Quote
  #3   (View Single Post)  
Old 25th November 2015
jasonvp's Avatar
jasonvp jasonvp is offline
Real Name: Jason
Port Guard
 
Join Date: Nov 2015
Location: Northern VA
Posts: 15
Default

Quote:
Originally Posted by jggimi View Post
I don't know what an "almost /28" is. A /28 is a block of 16 IP addresses, with 2 reserved and 14 available for device addressing.
Sorry for the confusion. VZ doesn't allocate IP blocks within proper CIDR boundaries. They give their customers 13 (not 14) IP address. Or 5 (not 6) IP address. For instance, my allocated IPs are:

XX.YY.ZZ.210 - .222

I don't own .208 or .209. I own .210-.222. And the broadcast domain is technically a /24, not a /28. That's why I said it's almost a /28.

My gut tells me they're protecting themselves for a future where maybe they start doing proper routing, and they assume the routed interface on the customer's CPE would be the .209 (in my case). But that's not what I have right now.

In other words: they're idiots.
Reply With Quote
  #4   (View Single Post)  
Old 25th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,944
Default

Ah, well then. I've never used an ISP that leased a subset of addresses within a CIDR -- in your case, what appears to be a 13 address range within a /24.

I wonder what isolation method is deployed between customers on the same subnet. One would hope they have one. But perhaps all they're doing is blocking broadcasts. Perhaps.

It's my guess that this gives them addressing flexibility as customers come and go. IPv4 is fully committed.

Do they also offer IPv6? If so, addressing schemas may be normal -- if anything in IPv6 can be described with that word.

Last edited by jggimi; 25th November 2015 at 07:56 PM. Reason: typos, clarity
Reply With Quote
  #5   (View Single Post)  
Old 25th November 2015
jasonvp's Avatar
jasonvp jasonvp is offline
Real Name: Jason
Port Guard
 
Join Date: Nov 2015
Location: Northern VA
Posts: 15
Default

Quote:
Originally Posted by jggimi View Post
I wonder what isolation method is deployed between customers on the same subnet. One would hope they have one.
Can you hear me laughing from here? If not, I'll exhale harder while I laugh. Listen closely...

(None)

Quote:
Do they also offer IPv6?
And the laughter continues! No, no IPv6 for business class customers as of yet. Consumer class IPv6 deployment is dragging, too. They're way behind. I'm using HE for a tunnel, and perhaps another topic/post, but I can't automate the tunnel bring-up with FreeBSD 10.1. The gif0 int gets created and the IPv6 endpoints get assigned per the rc.conf file. But the important IPv4 end points never get added. I have to do that manually for some oddball reason.
Reply With Quote
  #6   (View Single Post)  
Old 25th November 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,944
Default

If I were doing this, I'd isolate each customer on their own C-VLAN with QinQ. Ethernet traffic should not travel between customers.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Address book fossala Programming 6 5th July 2011 05:26 PM
could not look up internet address for .lan idefix FreeBSD General 2 31st January 2009 02:22 PM
MAC address to IP rex FreeBSD General 9 11th November 2008 07:06 PM
Asking about IPv6 address berlowin Off-Topic 2 9th July 2008 02:39 AM


All times are GMT. The time now is 06:44 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick