NetBSD-Users archive


Re: pf question



On Sat, 18 May 2013 13:42:47 +0200
Konrad Neuwirth <konrad%mailathome.or.at@localhost> wrote:
> Hello, 
> 
> we are currently struggling with a pf configuration that we can't
> seem to get working. 
> 
> Basically, the challenge is that we have a NetBSD system acting as a
> router for a largish network. Said system has two upstream nodes
> ('default routes') that apply, depending on the ip address that we
> use. Basically, we have one broadband connection that should be used
> for most every (outgoing) traffic. The exception is that the second
> upstream handles a subnet that we have here, and all traffic to and
> from those addresses should, of course, be going over that second
> link. 
> 
> What we've done is added the broadband as the default route, and then
> had a pf rule to the effect of: 
> 
> pass out route-to ($ext_if_dsl $dsl_gw) proto tcp \
>       from $fixed_ip to any
> 
> But this does not work -- the packets just do not go out over the
> appropriate interface. Connecting to something on one of those IP
> numbers just … has a connection that times out. 
> 
> What am I missing? What do we need to do? 

I haven't tried this yet with NetBSD but this is how I did something
similar when I used OpenBSD. The OpenBSD version I used was 5.0. Bear
in mind that there were substantial changes to PF syntax around OpenBSD
version 4.7, and as far as I know the NetBSD pf syntax corresponds with
the older versions. The "route-to" option is certainly different, but
perhaps you will still find this reply helpful.

My situation differs from yours in that I had just one internal subnet
and two WAN providers, and all I needed to do on the second WAN link
was to connect from a single LAN host to a single remote host for a
scheduled FTP download.

First of all I defined the default gateway in OpenBSD's /etc/mygate as
usual. Then I added the second gateway to /etc/rc.local

# 123.123.456.xxx is remote FTP server which can be accessed only
# through second upstream provider
# 123.456.789.xxx is second WAN gw
#
route add -host 123.123.456.xxx 123.456.789.xxx


In pf.conf I had the following (irrelevant parts snipped):

# network interfaces

if_wan1 = "fxp0"
if_wan2 = "xl0"
if_lan = "xl1"
if_lo = "lo0"

# gateways
gw_wan1 = "xxx.xxx.xxx.113"
gw_wan2 = "123.456.789.xxx"

# networks
net_lan = "192.168.1.0/24"

# hosts
remote_ftp_host = "123.123.456.xxx"

...

# scrubbing
match on $if_wan1 scrub (random-id reassemble tcp max-mss 1440)
match on $if_wan2 scrub (random-id reassemble tcp max-mss 1440)

# nat
match out on $if_wan1 from $net_lan to any \
        nat-to ($if_wan1) port 1024:65535
match out on $if_wan2 from $net_lan to any \
        nat-to ($if_wan2) port 1024:65535 

...

# filtering
pass out
pass in on $if_lan
pass in on $if_lan inet proto tcp from any to $remote_ftp_host \
        port ftp route-to ($if_wan2 $gw_wan2)

-- 
Gerard Lally
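The two-upstream layout the thread is about, written out in the older (pre-OpenBSD 4.7) pf syntax that NetBSD's pf follows, as an added example that is not part of either message above. Interface names, gateway and the address ranges are assumptions (documentation prefixes, not real hosts). The point it shows is the one the original rule misses: once the kernel's routing table has already chosen the default-route interface, a route-to rule has to match on that interface to pull the packet across to the second link, and replies arriving on the second link need reply-to so they do not leave via the default route with the wrong source interface.

```pf
# Added example, not the configuration of anyone in this thread.
# Interfaces, gateway and address ranges are assumptions.
ext_if_bb  = "wm0"            # broadband link, carries the default route
ext_if_dsl = "wm1"            # second upstream
int_if     = "wm2"            # internal side
dsl_gw     = "198.51.100.1"   # assumed gateway on the second link
fixed_net  = "203.0.113.0/28" # assumed subnet that must use the second link
lan_net    = "192.168.1.0/24" # assumed private LAN, NATed out the broadband link

set skip on lo0
scrub in all

# Only the private LAN is translated; the fixed subnet is routed, not NATed.
nat on $ext_if_bb from $lan_net to any -> ($ext_if_bb)

block in log all
antispoof quick for { $ext_if_bb $ext_if_dsl $int_if }

pass in on $int_if from { $lan_net $fixed_net } to any keep state

# Ordinary egress on both links.  pf is last-match, so these come first and
# the route-to rule below, marked quick, overrides them for $fixed_net.
pass out on $ext_if_bb  from $lan_net   to any keep state
pass out on $ext_if_dsl from $fixed_net to any keep state

# Policy routing.  A packet from $fixed_net (forwarded or locally generated)
# is handed by the routing table to the default route, i.e. $ext_if_bb.
# The route-to rule therefore has to match "out on $ext_if_bb", not on the
# interface the packet should leave on; pf then rewrites the outgoing
# interface and next hop.  No "proto tcp" here, so UDP and ICMP follow too.
pass out quick on $ext_if_bb route-to ($ext_if_dsl $dsl_gw) \
        from $fixed_net to any keep state

# Inbound connections to the fixed subnet arrive on the DSL link.  reply-to
# sends the replies back through the same gateway instead of the default
# route, which is what makes the state entry match in both directions.
pass in on $ext_if_dsl reply-to ($ext_if_dsl $dsl_gw) proto tcp \
        from any to $fixed_net port { 80 443 } keep state
```

Check the file before loading it with `pfctl -n -f /etc/pf.conf`, which only parses the rules, and watch the broadband interface with `tcpdump -ni wm0 net 203.0.113.0/28` while testing: if packets sourced from the fixed subnet still appear there, the route-to rule is not matching (wrong interface in the `on` clause, or a later rule without `quick` overriding it).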

