PF NAT and 2 external NICs
Hi!
I'm soon getting another connection with a static IP (from the university) which has daily restrictions on the amount of transferred data. I also have this DSL connection with DHCP. I started to think that I would like to route/redirect some bandwidth-eating ports from the LAN computers to use the DSL. This also offers me a chance to "learn" some more PF. I planned that my DSL external interface would be bfe0 and the static one would be dc0. Oh, and the ports I want to put through the DSL are all the ports I have defined for the LAN machines below. Edit: (Coming to think of it, a second scenario would be that all other traffic goes through DSL except HTTP and port 28960 from the LAN. Actually this is much more straightforward too.) Here is my config now. Code:

ext_if1="bfe0"  # External network card (DSL)
ext_if2="dc0"   # External network card (Static)
int_if="xl0"    # Internal network card

# Macros
lahiverkko = $int_if:network
icmp_types = "{ 0, 3, 11 }"

#LAN machine 1 (pate)
pate = "{ 192.168.0.2 }"
patetcp = "{ 1412, 49995, 61027 }"  #TCP ports, comma-separated, that are redirected to the host (pate)
pateudp = "{ 1412, 49995, 61027 }"  #UDP ports, ditto

#LAN machine 2 (texina)
texina = "{ 192.168.0.3 }"
texinatcp = "{ 1414, 2412, 8085, 50200 }"  #TCP ports
texinaudp = "{ 1414, 2412 }"               #UDP ports

#tables
table <nonroutable> persist { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, \
    224.0.0.0/3, 255.255.255.255/32 }

# options
set block-policy return
set optimization aggressive
set loginterface $ext_if1
set skip on lo0
set skip on xl0

# scrub: reassemble and sanity-check all incoming packets
scrub in all

# Queue. Possible transfer limits and traffic prioritisation.
#altq on $ext_if bandwidth 848Kb hfsc queue { ack, dns, dflt }
# queue ack bandwidth 60% priority 7 hfsc (realtime 50%)
# queue dns bandwidth 10% priority 6 hfsc (realtime 5%)
# queue dflt bandwidth 30% priority 2 qlimit 100 hfsc (realtime 25% default)
# Test primary queue
#altq on $ext_if priq bandwidth 828Kb queue { ack, dns, dflt }
# queue ack priority 7
# queue dns priority 5
# queue dflt priority 2 priq(default)
#
# NAT and redirections (handled with the macros above; the rules below don't necessarily need changing)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
rdr pass on $ext_if1 proto tcp from any to any port $patetcp -> $pate
rdr pass on $ext_if1 proto udp from any to any port $pateudp -> $pate
rdr pass on $ext_if1 proto tcp from any to any port $texinatcp -> $texina
rdr pass on $ext_if1 proto udp from any to any port $texinaudp -> $texina

# rules
block in log all
block out on $ext_if1 from any to <nonroutable>
block in log quick on $ext_if1 from <nonroutable> to any
#pass quick on $int_if from $int_if:network to $int_if:network
pass out quick on $ext_if1 proto udp from ($ext_if1) to any port 53 keep state queue ( dns )
pass out on $ext_if1 from ($ext_if1) keep state queue ( dflt , ack )
antispoof quick for { lo0 $int_if }

# pass in rules
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 80 keep state
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 22 keep state
pass in on $int_if from $int_if:network to any
#pass out on $int_if from any to $int_if:network

I also tried to understand this (found with Google) http://osdir.com/ml/os.openbsd.pf/2004-07/msg00092.html but with poor results. Or I understood it, but I'm unsure how to adapt it to my use and whether it will work. I know it's annoying if someone asks for ready configurations/examples, but it would be very nice. I'm not the type who just puts it to use and enjoys. I really like to know how the thing works before I put it into use. So I read the conf over and over again until I get it. Of course any other help/hints concerning that conf are welcome. Thank you very much for your time. I'm running FBSD 7. Last edited by Calderon; 16th September 2008 at 06:56 PM.
Have a look at the Load Balance Outgoing Traffic section of the OpenBSD pf user guide.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I only have one single internet connection to play with, not two, so I cannot give you any practical advice.
RE: ext_gw. From that section of the pf user guide: Quote:
Here's what I tried based on that, but nothing seems to come back? Or does it even go out? A pftop snippet is attached below my conf.
Code:

ext_if1="bfe0"  # External network card (DSL)
ext_if2="dc0"   # External network card (Static)
int_if="xl0"    # Internal network card
ext_gw1="88.193.77.121"
ext_gw2="88.193.68.22"

# Macros
lahiverkko = $int_if:network
icmp_types = "{ 0, 3, 11 }"

#LAN machine 1 (pate)
pate = "{ 192.168.0.2 }"
patetcp = "{ 1412, 49995, 61027 }"  #TCP ports, comma-separated, that are redirected to the host (pate)
pateudp = "{ 1412, 49995, 61027 }"  #UDP ports, ditto

#LAN machine 2 (texina)
texina = "{ 192.168.0.3 }"
texinatcp = "{ 1414, 2412, 8085, 50200 }"  #TCP ports
texinaudp = "{ 1414, 2412 }"               #UDP ports

#tables
table <nonroutable> persist { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, \
    224.0.0.0/3, 255.255.255.255/32 }

# options
set block-policy return
set optimization aggressive
set loginterface $ext_if1
set loginterface $ext_if2
set skip on lo0

# scrub: reassemble and sanity-check all incoming packets
scrub in all

# NAT and redirections (handled with the macros above; the rules below don't necessarily need changing)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr pass on $ext_if1 proto tcp from any to any port $patetcp -> $pate
rdr pass on $ext_if1 proto udp from any to any port $pateudp -> $pate
rdr pass on $ext_if1 proto tcp from any to any port $texinatcp -> $texina
rdr pass on $ext_if1 proto udp from any to any port $texinaudp -> $texina

# rules
# block in log all
block in from any to any
block out from any to any
#block out on { $ext_if1 , $ext_if2 } from any to <nonroutable>
#block in log quick on { $ext_if1 , $ext_if2 } from <nonroutable> to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lahiverkko

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lahiverkko to $int_if

pass in quick on $int_if route-to \
    ($ext_if2 $ext_gw2) \
    proto udp from $lahiverkko port 28960 to any keep state
pass in on $int_if route-to \
    ($ext_if1 $ext_gw1) \
    from $lahiverkko to any keep state

# general "pass out" rules for external interfaces
pass out on { $ext_if1 , $ext_if2 } from any to any

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

#web and ssh on ADSL
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 80 keep state
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port 22 keep state

Code:

tcp  In   192.168.0.2:2328  128.30.52.52:80                       CLOSED:SYN_SENT  00:00:01  00:00:29  1  48  48  5
tcp  Out  192.168.0.2:2328  128.30.52.52:80  88.193.77.121:59053  SYN_SENT:CLOSED  00:00:01  00:00:29  1  48  48  6
tcp  In   192.168.0.2:2329  128.30.52.52:80                       CLOSED:SYN_SENT  00:00:01  00:00:29  1  48  48  5
tcp  Out  192.168.0.2:2329  128.30.52.52:80  88.193.77.121:65359  SYN_SENT:CLOSED  00:00:01  00:00:29  1  48  48  6

What am I missing? I also tested connecting via port 28960 UDP from my LAN, and pftop showed that it's going out on the right interface. The above I got when I tried to open a page with the browser, which timed out after a while. At least the box can connect, because my dnsmasq can provide DNS information to the LAN computers. Last edited by Calderon; 17th September 2008 at 06:06 AM. Reason: additional information
Some tips
Start with a simple ruleset only allowing outgoing DNS. Test your ruleset by resolving names to IP addresses with dig. Then add outgoing www port 80 access and test browsing. Replace your redundant block rules with
Code:

block log all

and watch what gets blocked with
Code:

# tcpdump -eni pflog0

You can run these tcpdumps from a workstation ssh'ed in to the firewall. To prevent 'ssh' pollution of your tcpdump output, just add 'not port ssh' to the tcpdump command. Remember: 'Real Men debug their firewall with tcpdump'
Hi
I'm running pf here in the office, doing load balancing for our 2 ADSL lines. I would suggest you first try a very basic setup to get it working and then start adding your route-to and reply-to rules. The most basic will be as J65nko pointed out with the link to the pf page. Once you have that working, you can start routing your traffic to where you want it to go. Here are a few examples for incoming traffic
Code:

rdr on $ext_if1 proto tcp from any to $ext_if1 port 80 -> $webserver
pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to { $webserver } port = 80

and for outgoing traffic
Code:

pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22
Hmm, some questions. NAT is not involved in this one (I think).
Now I have 2 "external" NICs. I want sshd to listen on bfe0 port 22 and on rl0 port 8081 (the university line has only this port open for remote consoles). I have sshd configured for that and I think it's fine. Here's the ruleset. I think the bold one is the most relevant. Code:

bsdkone# pfctl -s rules
scrub in all no-df fragment reassemble
block return log all
block return in quick on bfe0 proto tcp from <sshguard> to any port = ssh label "ssh bruteforce"
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
anchor "ftp-proxy/*" all
pass out proto ipv6 all keep state
pass in proto ipv6 all keep state
pass out on xl0 inet from any to 192.168.133.0/24 flags S/SA keep state
pass out on xl0 inet6 from any to 2001:14b8:125::/64 flags S/SA keep state
pass in quick on xl0 inet from 192.168.133.0/24 to 192.168.133.1 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to fe80::250:4ff:feaf:97b0 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to 2001:14b8:125::10 flags S/SA keep state
pass in quick on xl0 route-to (rl0 94.237.80.1) inet proto udp from 192.168.133.0/24 port = 28960 to ! 88.192.186.40 keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto tcp from 192.168.133.0/24 to any flags S/SA modulate state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto udp from 192.168.133.0/24 to any keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto icmp from 192.168.133.0/24 to any keep state
pass out on bfe0 proto tcp all flags S/SA keep state
pass out on bfe0 proto udp all keep state
pass out on bfe0 proto icmp all keep state
pass out on rl0 proto tcp all flags S/SA keep state
pass out on rl0 proto udp all keep state
pass out on rl0 proto icmp all keep state
pass out on bfe0 route-to (rl0 94.237.80.1) inet from 94.237.82.251 to any flags S/SA keep state
pass out on rl0 route-to (bfe0 84.249.128.1) inet from 88.192.186.40 to any flags S/SA keep state
pass quick on xl0 all flags S/SA keep state
pass in on rl0 inet proto tcp from any to (rl0) port = 8081 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = http flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = ssh flags S/SA keep state
pass in quick on bfe0 inet proto udp from any to (bfe0) port = 28960 keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = 28960 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = smtp flags S/SA keep state

Code:

bsdkone# tcpdump -i rl0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
02:42:33.136204 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464460900 0,sackOK,eol>
02:42:36.136417 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464463900 0,sackOK,eol>
02:42:39.335786 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464467100 0,sackOK,eol>

Now when I run tcpdump on the other external interface (the one which shouldn't be any part of this?), there goes the answer, and it uses rl0's IP? Code:

bsdkone# tcpdump -i bfe0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bfe0, link-type EN10MB (Ethernet), capture size 96 bytes
02:44:18.790543 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464563537>
02:44:18.966214 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:21.965584 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:22.166126 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,eol>

The bfe0 interface is the default "gateway", but shouldn't the answering packets go the same way as they came? EDIT: Answering myself: IN and OUT are 2 different states. What am I missing here? Last edited by Calderon; 30th May 2009 at 06:49 PM.
Seen this?
Code:

set state-policy
    The state-policy option sets the default behaviour for states:

    if-bound    States are bound to interface.
    floating    States can match packets on any interfaces (the default).

    For example:

        set state-policy if-bound
And there's:
Code:

reply-to
    The reply-to option is similar to route-to, but routes packets that
    pass in the opposite direction (replies) to the specified interface.
    Opposite direction is only defined in the context of a state entry,
    and reply-to is useful only in rules that create state. It can be
    used on systems with multiple external connections to route all
    outgoing packets of a connection through the interface the incoming
    connection arrived through (symmetric routing enforcement).
Quote:
What reply-to does is basically two things:

reply-to ( $nic $gw )

1. provide the physical way out -> nic
2. provide the necessary routing for that action -> gateway
Code:

rdr on $ext_if2 proto tcp from any to $ext_if2 port 8081 -> 94.237.82.251
pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to 94.237.82.251 port = 8081

Same results. Maybe I should take a little distance from this and take a look with fresh eyes :-). I think this should be easy, but... At least I'm learning something on the way, which was my purpose too. Last edited by Calderon; 7th June 2012 at 05:33 PM.
Hi
If you want to connect directly to your firewall, you don't need a reply-to rule. The reply-to rule only applies when you are using rdr rules to access servers behind the firewall. You can use reply-to as follows
Code:

rdr on $ext_if1 proto tcp from any to $ext_if1 port 22 -> 10.100.100.104
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to 10.100.100.104 port = 22

For the firewall itself, try
Code:

pass in log quick on $ext_if2 inet proto tcp from 94.237.82.251 to $ext_if2 port = 8081

Last edited by hamba; 29th May 2009 at 07:33 PM.
This one works:
Code:

pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to ($ext_if2) port 8081 keep state (floating)

Anyway, a nice lesson again in how things work for me; the harder it is, the better you remember :-) Thanks again everybody.
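Editor's note, not part of the thread: the pieces that came up above (route-to on the LAN interface to choose the uplink, NAT on each uplink, the cross-over rules from the pf user guide, reply-to for a service listening on the non-default uplink, and floating state) fit together into one short pf.conf. The block below is an added example written for this page, not any poster's configuration, in the pre-OpenBSD 4.7 `nat`/`rdr`/`keep state` syntax that FreeBSD 7 uses. The interface names follow the thread; the gateway addresses 192.0.2.1 and 198.51.100.1, the LAN host 192.168.0.3 and the forwarded port 8085 are assumptions chosen for illustration.

```pf
# Added example: two uplinks, LAN behind xl0, sshd on the secondary uplink.
# Interface names from the thread; gateway addresses are placeholders.
ext_if1 = "bfe0"            # DSL, carries the default route
ext_if2 = "rl0"             # university line, static address
int_if  = "xl0"
ext_gw1 = "192.0.2.1"       # assumed DSL gateway
ext_gw2 = "198.51.100.1"    # assumed university gateway
lan_net = $int_if:network
game_port = "28960"

set skip on lo0
# floating is already the default; if-bound would make the reply to a
# connection that arrived on $ext_if2 fail to match the state on its way
# back out, so do not flip this on a multi-uplink box.
set state-policy floating
scrub in all

# Translate to whichever uplink the packet actually leaves through.
# route-to below has already chosen the interface by the time these match.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block log all
antispoof quick for { lo0 $int_if }

# LAN egress: game traffic over the university line, all else over DSL.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    proto udp from $lan_net to any port $game_port keep state
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
    from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Outbound on both uplinks, plus the cross-over rules from the pf user
# guide: traffic sourced from the secondary uplink's own address must
# leave via that uplink, not via the default route on $ext_if1.
pass out on { $ext_if1 $ext_if2 } keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# Services on the default uplink need no reply-to: the kernel route
# table already sends replies out $ext_if1.
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port { 22 80 } keep state

# sshd on the secondary uplink. Without reply-to the SYN/ACK follows the
# default route out $ext_if1 carrying $ext_if2's address as its source,
# which is what the bfe0 tcpdump earlier in the thread shows.
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    inet proto tcp from any to ($ext_if2) port 8081 keep state

# Same idea for a port forward to a LAN host (assumed host and port):
# reply-to goes on the pass rule that matches the post-rdr destination.
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 8085 -> 192.168.0.3
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    inet proto tcp from any to 192.168.0.3 port 8085 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` (or pftop) while connecting to port 8081 from outside: the state should show the reply leaving on rl0, and `tcpdump -eni pflog0` should stay quiet for that connection. The per-rule form `keep state (floating)` used in the post above does the same job as the global `set state-policy floating` for that one rule; either is fine as long as the reply-to rule's state is not if-bound.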
Another question regarding 2 external NICs...
How will I be able to configure it so that my rl0 gets its lease from dhcpd first? Now it seems that this goes in alphabetical order (no matter what is first in rc.conf) and dhclient on bfe0 gets its IP first on bootup. After that routing and stuff is messed up. I have now disabled DHCP in rc.conf on bfe0 and manually start it after reboot, but is there a way to specify in rc.conf or anywhere else that rl0 would "dhcp" first? Thanks.