2 gateways
I have a little problem that I cannot seem to figure out.
Client A machine 10.31.0.20
BSD ext_if 10.31.0.25 gateway 10.21.0.252
BSD int_if 10.10.0.10
Client B inside 10.10.0.0/16 network = 10.10.0.12
gateway on this client is 10.10.0.100

When I try to ssh to client B from client A I cannot log in at all. When I change the gateway for client B to 10.10.0.10 then it works, but client B also needs the 10.10.0.100 because this is its route out of the network. pf is set to pass only for the moment, for testing.
Quote:
These are my rules so far:

pf.conf
Code:
### Variables ###
extif="em0"
intif="em1"
icmp_types="{ echoreq, unreach }"
allowed_tcp_ports="{ ssh, https, rdp }"

set block-policy drop
set loginterface $extif
set skip on lo

table <authpf_users> persist

### Block all Incoming Traffic ###
block all
pass in on $extif inet proto icmp all icmp-type $icmp_types keep state
pass in on $extif proto tcp to $extif port $allowed_tcp_ports
pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass out on $extif inet proto icmp all icmp-type $icmp_types keep state

### Authpf per user IP rules from /etc/authpf/authpf.rules ###
anchor "authpf/*"
#pass proto tcp to any port $allowed_tcp_ports

/etc/authpf/authpf.rules
Code:
allowed_tcp_ports="{ ssh, https, rdp }"
icmp_types="{ echoreq, unreach }"
int_if="em1"   ## vlan10
ext_if="em0"   ## vlan21

pass proto tcp from $user_ip to any port $allowed_tcp_ports
pass in on $ext_if proto tcp from $user_ip to any port $allowed_tcp_ports

1. As you can see, authpf allows the client machine to SSH into the locked-down network. But I also want the servers inside the locked-down network to be able to SSH out to any server outside the network. I have been going around in circles for the past 2 hours and cannot get it to work.
I provided a possible solution in your pf rules thread. You did not continue the discussion there.
Unfortunately, without a better description of your subnets and topology, I don't have enough information to offer any new proposals. From your post number 1 in this thread -- which is now no longer what you have -- it was possible that Client B had an incorrect netmask. But I was unsure, because you didn't provide enough information and I didn't want to post that without more information. Your post number 3 also doesn't provide a clear picture of your topology. It's a repeat of what you'd posted in your authpf thread. If you can't diagram your topology, then please:
Last edited by jggimi; 30th July 2019 at 04:43 PM. Reason: changed "authpf" to "pf rules" as highlighted
[A-10.31.0.20] - {10.31} - [10.31.0.25-BSD-10.10.0.10] - {10.10/16} - [10.10.0.12-B]
                                                              |
                                                       [GW-10.10.0.10]
                                                              |
                                                       {other networks}

It is much the same as you made it, with a change in the gateway. On the BSD machine there is a static route (route add -net 192.168.5.0/24 10.10.0.1). The IP GW 10.10.0.1 is another router outside the internal network. So to be able to reach "A" from "B" you ssh via 10.10.0.10; authpf then takes care of the access control upon successful login. Then you are able to SSH direct to 10.31.0.21 from your client "B". Also, once logged into client "A", I need to be able to SSH to any other machine outside the network, like the following:

[A 10.31.0.20] - - [10.31.0.25-BSD-10.10.0.10] - [GW 10.10.0.1] - [192.168.5/24]

The network from 10.10.0.1 is vlan routed on a router. What is important is that no one can use SSH to client "A" without authpf. I hope this makes a lot more sense now.
I still have unanswered questions, because I am still confused by your topology descriptions.
While I still don't know the CIDR or netmask for your 10.31 network, you have stated twice that the 10.10 is a /16. You have a route added to the BSD router to reach the 192.168.5/24 subnet through a router not shown on your diagram at 10.10.0.1. It also appears that your BSD router and your gateway router share the same IP address of 10.10.0.10. Is that a typo? Or did you actually intend for the gateway router to show the address 10.10.0.1?
Hi, so the netmask for the 10.31 is 255.255.0.0, so /16. Yes, it was a typo; it should be 10.10.0.1. I missed the router out of the diagram by accident, but the vlan interface is 10.10.0.1; also on the router there is a vlan interface 192.168.5.1 for the other destination network.
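Added example, not from this thread or from any of its posters: a small Python model of the hosts and routes described so far (A at 10.31.0.20/16 using the BSD router as its gateway, the BSD router at 10.31.0.25 and 10.10.0.10 with its static route for 192.168.5/24 via 10.10.0.1, B at 10.10.0.12/16, and the 10.10.0.1 router holding 192.168.5.1). It uses the corrected 10.10.0.1 address for the router out of the 10.10 network. The assumption that reproduces the symptom from the first post is that this router has no route back to 10.31/16, so a reply from B that leaves by it never comes back through the BSD box where pf created the state; host C at 192.168.5.7 is a constructed stand-in for a destination beyond 10.10.0.1. The script compares three routing tables on B; the thread does not say which change was finally made.

```python
# Added example: longest-prefix-match routing model of the thread's topology,
# used to show why a stateful firewall (pf on the BSD router) needs to see
# both directions of an SSH session. Not code from the thread.
import ipaddress

NODES = {}  # name -> {"addrs": set of addresses, "routes": [(network, next hop or None)]}

def add_node(name, addrs, routes):
    """Register a node with its interface addresses and its routing table.
    A next hop of None means the prefix is on-link (deliver directly)."""
    NODES[name] = {
        "addrs": {ipaddress.ip_address(a) for a in addrs},
        "routes": [(ipaddress.ip_network(p),
                    None if nh is None else ipaddress.ip_address(nh)) for p, nh in routes],
    }

def owner_of(addr):
    """Which node holds this interface address (None if nobody does)."""
    for name, node in NODES.items():
        if addr in node["addrs"]:
            return name
    return None

def lookup(name, dst):
    """Longest-prefix match on one node; returns the next-hop address or None."""
    best = None
    for prefix, nh in NODES[name]["routes"]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    if best is None:
        return None                       # no matching route, not even a default
    return dst if best[1] is None else best[1]

def trace(src, dst, max_hops=8):
    """Forward a packet hop by hop from node `src` towards address `dst`.
    Returns the node names visited; the last entry is the delivering node on
    success, or a string saying why forwarding stopped."""
    dst = ipaddress.ip_address(dst)
    node, path = src, [src]
    for _ in range(max_hops):
        if dst in NODES[node]["addrs"]:
            return path
        nh = lookup(node, dst)
        if nh is None:
            return path + ["(no route)"]
        node = owner_of(nh)
        if node is None:
            return path + [f"(unknown next hop {nh})"]
        path.append(node)
    return path + ["(loop)"]

def session_ok(fw, src, src_addr, dst, dst_addr):
    """A stateful firewall passes a session only if it sees the first packet
    and the reply: both directions must be delivered and both must cross `fw`."""
    fwd, back = trace(src, dst_addr), trace(dst, src_addr)
    return fwd[-1] == dst and back[-1] == src and fw in fwd and fw in back

def build(b_routes):
    """Topology from the thread; C is a constructed host behind the 10.10.0.1 router."""
    NODES.clear()
    add_node("A",   ["10.31.0.20"],
             [("10.31.0.0/16", None), ("0.0.0.0/0", "10.31.0.25")])
    add_node("BSD", ["10.31.0.25", "10.10.0.10"],
             [("10.31.0.0/16", None), ("10.10.0.0/16", None),
              ("192.168.5.0/24", "10.10.0.1")])       # route add -net 192.168.5.0/24 10.10.0.1
    add_node("B",   ["10.10.0.12"], b_routes)
    # Assumption: the 10.10.0.1 router knows nothing about 10.31/16.
    add_node("GW",  ["10.10.0.1", "192.168.5.1"],
             [("10.10.0.0/16", None), ("192.168.5.0/24", None)])
    add_node("C",   ["192.168.5.7"],
             [("192.168.5.0/24", None), ("0.0.0.0/0", "192.168.5.1")])

# Three candidate routing tables for client B.
B_DEFAULT_VIA_GW  = [("10.10.0.0/16", None), ("0.0.0.0/0", "10.10.0.1")]
B_DEFAULT_VIA_BSD = [("10.10.0.0/16", None), ("0.0.0.0/0", "10.10.0.10")]
B_SPLIT           = [("10.10.0.0/16", None), ("0.0.0.0/0", "10.10.0.1"),
                     ("10.31.0.0/16", "10.10.0.10")]   # specific route wins over the default

def scenario(b_routes):
    build(b_routes)
    return {
        "ssh_A_to_B":   session_ok("BSD", "A", "10.31.0.20", "B", "10.10.0.12"),
        "reply_B_to_A": trace("B", "10.31.0.20"),
        "B_to_C":       trace("B", "192.168.5.7"),
    }

if __name__ == "__main__":
    for label, routes in [("B default via 10.10.0.1", B_DEFAULT_VIA_GW),
                          ("B default via 10.10.0.10", B_DEFAULT_VIA_BSD),
                          ("B default via 10.10.0.1 plus 10.31/16 via 10.10.0.10", B_SPLIT)]:
        print(label, scenario(routes))
```

With B's default pointing at 10.10.0.1, the packet from A reaches B through the BSD router but B's reply goes to 10.10.0.1 and is dropped there, so the session never completes no matter how permissive pf is. Pointing B's default at 10.10.0.10 fixes the reply path, and B still reaches 192.168.5/24 because the BSD router forwards it on to 10.10.0.1 (a triangular path). Keeping the default at 10.10.0.1 and adding only a 10.31/16 route via 10.10.0.10 makes both paths direct; longest-prefix match picks the /16 over the default.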
I'll try again to understand, by restating your networks and routers. You tell me where I've misunderstood.
Last edited by jggimi; 30th July 2019 at 08:19 PM. Reason: one minor typo
You understood perfectly.
Routing
Code:
subnet_a = "10.31/16"

# default block
block return log

# pass all traffic originating from subnet (A):
pass log from $subnet_a

# pass SSH inbound to this router:
pass log proto tcp to self port ssh

# permit this router to communicate:
pass log from self

# but do not permit this router to reach subnet (A):
block log from self to $subnet_a

# authpf(8) rules will be inserted here:
anchor "authpf/*"

Code:
# your previously permitted traffic
allowed_tcp_ports="{ ssh, https, rdp }"
icmp_types="{ echoreq, unreach }"

# currently defined:
subnet_a = "10.31/16"

pass log proto tcp from $user_ip to $subnet_a port $allowed_tcp_ports
pass log proto icmp from $user_ip to $subnet_a icmp-type $icmp_types

Last edited by jggimi; 30th July 2019 at 10:50 PM. Reason: four typos
I'm very grateful, it works perfectly.
Yes, the gateway was very easy to figure out, and I completely understand your ruleset.
Yes, I know this. I made some adjustments, and to be honest I don't want people to ping the gateway. I could learn a lot from you.