|
OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
|
Thread Tools | Display Modes |
|
|||
rdomains and multiple interfaces
Hi everyone,
I am happy to make my first post, these forums are full of knowledge and I hope to contribute. I have been using OpenBSD since 4.9 and have enjoyed using it on a variety of machines. I have a new configuration I'd like to try out but need a little help finding the best approach. I am using a PCE APU as my home router and recently I've been learning about rdomains with the goal of hosting two internal networks -- one routed through a VPN service and one routed directly through the service provider. The router is running 5.6-stable amd64. Currently, the internal interfaces are bridged together and vether0 is provided as a gateway. All internal traffic is routed and NATed through tun0 by default. Here's a quick diagram: Code:
re0 tun0 | | <---- bridge0 -----> vether0 re1 re2 ral0 192.168.2.x/24 (egress is tun0 for the internal network) My goal is to add another internal network where the default route will always be through re0. I could then NAT the traffic separately and bypass the tunnel based upon source network. Diagram attempt: Code:
re0 tun0 \ / re1 re2 ral0 / \ 192.168.2.x/24 10.0.2.x/24 to tun0 to re0 (egress based on source network) 1) packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table 2) spacebugs.nl/index.php?option=com_content&task=view&id=259&Item id=33 The first article utilizes two discrete physical interfaces, but in my configuration the traffic could arrive from re1, re2, or ral0. I think this would necessitate additional virtual interfaces to function as gateways. The second article (watch out for the URL space) uses VLANs but I'm not sure yet if they are helpful for this task. Ultimately I know that rdomains will provide a simple and secure way to separate the traffic, but I'm unsure how use rdomains with my current interface configuration. Do I need vether, vlans, or even new rdomains at all? I feel I still have a lot of reading to do but am hoping a push in the right direction will get me started on an implementation. Thanks for reading, and hello! ssh2ksh Last edited by ssh2ksh; 24th November 2014 at 11:24 AM. Reason: Added version |
|
||||
One addition: The ral(4) driver does not support VLAN tagging, but the re(4) driver does. So here are the various options I believe you can consider:
|
|
|||
Hi jggimi and thank you,
You're absolutely right about 1) and 2) -- I'm using the bridge(4)/vether(4) combination essentially to mimic an off the shelf router where every interface is on the same Ethernet segment. I understand it might be a naïve configuration and I'm open to changing it, I just found it easy to understand and write my pf rules around. I've seen it recommended here to just deal with each interface separately and ditch the bridge(4). One last complication is that due to the router's awkward location, everything currently connects to it wirelessly through ral(4) and the internal re(4) interfaces are mostly unused. This will change eventually but for now using re(4) requires an Ethernet cable across the room. It's an option but I'd like to avoid it. Unfortunately I don't have any other switches currently available (sorry, this should have ruled out VLANs from the start) but with the help of your suggestions:
Last edited by ssh2ksh; 24th November 2014 at 05:34 PM. Reason: Formatting |
|
||||||
Quote:
Quote:
The price of 802.1Q switches has been dropping at the low end, and, if I were in the market today I'd be buying them for personal use, rather than using separate unmanaged switches as I do today. There's increased flexibility, as I can provision Ethernet segments within a single switch, and don't have to re-cable to move a device from one segment to another, and a reduction in NIC use on platforms like OpenBSD that support 802.1Q tags. Quote:
Quote:
Quote:
Note that if you don't bridge, each NIC will need to be on a separate subnet. But if you write rules based on networks rather than interfaces (e.g: use from and to rather than on), your rules shouldn't be too complicated. Example: you might use 10.0.1/24, 10.0.2/24, and 10.0.3/24 for three subnets without bridging. A rule that refers to 10.0/16 would encompass all three subnets. Quote:
Last edited by jggimi; 24th November 2014 at 06:18 PM. Reason: typos |
|
|||
I really appreciate the assistance, jggimi, thanks! I've been working on this and wanted to make sure I had done more research before asking any more questions.
I spent some time with each interface on its own subnet but have moved back to bridge(4)/vether(4) for now. I also got much further along with rdomains but I'm thinking maybe I can do this without them. I tried to create a simplied goal: pass some traffic out re0, some out tun0, and let the decision be based upon source address or source interface. I have already accomplished this but in reverse. For example, I listen to a streaming music service and there's no need to tunnel that traffic, so I added static routes to rc.local(8) and rules to pf.conf(5) to accomplish this: Code:
# /etc/rc.local echo -n 'rc.local:' echo -n ' static-routes' /sbin/route add 70.42.73.18 192.168.0.1 > /dev/null 2>&1 /sbin/route add 70.42.73.32 192.168.0.1 > /dev/null 2>&1 echo '.' Code:
# /etc/pf.conf streams = "{ 70.42.73.18 70.42.73.32 }" lan_net = "10.0.2.0/24" set skip on lo match out log on re0 from $lan_net to $streams nat-to re0 match out log on tun0 from $lan_net to any nat-to (tun0) block log pass in log on vether0 pass out log on re0 proto tcp from re0 to $streams port www pass out log on tun0 from (tun0) to any * I think I am using the term DMZ incorrectly/loosely here Code:
# /etc/pf.conf (updated) streams = "{ 70.42.73.18 70.42.73.32 }" lan_net = "10.0.2.0/24" dmz_net = "10.0.3.0/24" set skip on lo match out log on re0 from $lan_net to $streams nat-to re0 match out log on re0 from $dmz_net to any nat-to re0 match out log on tun0 from $lan_net to any nat-to (tun0) block log block out log quick on tun0 from $dmz_net to any pass in log on { vether0 vether1 } pass out log on re0 from re0 to any pass out log on tun0 from (tun0) to any Code:
# tcpdump -nei pflog0 rule 7 pass in on vether1: 10.0.3.2 > 192.168.0.1: icmp: 8 0 rule 2 match out on re0: 192.168.0.8 > 192.168.0.1: icmp: 8 0 rule 8 pass out on re0: 192.168.0.8 > 192.168.0.1: icmp: 8 0 rule 7 pass in on vether1: 10.0.3.2 > 8.8.8.8: icmp: 8 0 rule 5 block out on tun0: 10.0.3.2 > 8.8.8.8: icmp: 8 0 Code:
# route -n show (excerpt) Internet: Destination Gateway Flags Refs Use Mtu Prio Iface 0/1 10.0.88.88 UGS 63 328932 - 8 tun0 default 192.168.0.1 UGS 1 553500 - 8 re0 70.42.73.18 192.168.0.1 UGHS 0 1153 - 8 re0 70.42.73.32 192.168.0.1 UGHS 1 204395 - 8 re0 Code:
pass in log on vether1 from $dmz_net to !re0 route-to re0 Code:
# tcpdump -nei pflog0 rule 8 pass in on vether1: 10.0.3.2 > 8.8.8.8: icmp: 8 0 rule 2 match out on re0: 192.168.0.8 > 8.8.8.8: icmp: 8 0 rule 9 pass out on re0: 192.168.0.8 > 8.8.8.8: icmp: 8 0 Code:
When a route-to rule creates state, only packets that pass in the same direction as the filter rule specifies will be routed in this way. Packets passing in the opposite direction (replies) are not affected and are routed normally.
Last edited by ssh2ksh; 28th November 2014 at 07:14 PM. Reason: Minor update |
|
||||
Quote:
Quote:
Quote:
Quote:
I've no personal experience with route-to and reply-to, and don't have any guidance for you with PF routing options. The only "fancy" routing I've ever done has been equal cost multipath routing, and that didn't involve PF directed routing. (I just followed the FAQ.) --- [1] Recent discussion of trusted vs. untrusted LAN tiers on the OpenBSD misc@ mailing list: http://marc.info/?t=141711266800001&r=1&w=2 Last edited by jggimi; 28th November 2014 at 07:51 PM. Reason: typo, mailing list link |
Tags |
rdomain, vether, vlan |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Virtual Vs. Physical Interfaces in pf | geppettodivacin | OpenBSD Security | 4 | 4th August 2014 08:25 PM |
PF: Two internal interfaces and routing | capt_cosmo | OpenBSD Security | 18 | 19th December 2013 11:12 PM |
two lan interfaces and one network | peric0 | OpenBSD General | 1 | 29th March 2012 02:16 AM |
bringing up vlan interfaces | xiphias | FreeBSD General | 3 | 5th March 2010 04:04 PM |
PHP database interfaces | TerryP | Programming | 6 | 11th September 2008 01:03 PM |