Dear List,
Here I show my network topology. Maybe it seems quite typical. My
internal network is located behind an Intl/Extl Firewall which is
connected to the Internet (IN) via pppoe/ppp(8). On the other side I run
different systems, for instance a home office network, a mobile laptop,
and several customers.
+---+   +---+
| A |   | B | (PC)
+-+-+   +-+-+
  |       |          +---------+
--+-------+----------| Intl FW |---(DMZ)---+
 (LAN/int)           +---------+           |
                                           |
+------------------------------------------+
|                                                             +---+
|                                            ____             | Z | (PC)
|                                          (      )           +---+
|  +---------+ pppoe/ppp(8) +-----------+  (      )  +----+    |
|  |         |--------------| DSL-Modem |--(      )--| GW |----+-
|  |         | rl0/tun0     +-----------+  (      )  +----+    (HomeOffice)
+--| Extl FW |                             (  IN  )  +----------+
   |         | pppoe/ppp(8) +-----------+  (      )--| Customer |
   |         |--------------| DSL-Modem |--(      )  +----------+
   +---------+ rl1/tun1     +-----------+  (      ) +--------+
   OpenBSD 4.8                              (____)--| Mobile |
                                                    +--------+
My question is about the setup of routing and packet filtering on the
External Firewall:
How can I force my Extl. FW to reply on exactly the same interface it
had been requested on? For example, I am running OpenVPN (1194/UDP)
between my HomeOffice (Z=Client) and the Intl. FW (=Server). Likewise I
would appreciate SSH port forwarding from the Internet to the Intl. FW.
I tried using "route-to" and "reply-to", but that did not work -
PF.CONF(5) says this should do, but I could not figure out how. I did
not understand how "route-to" and "reply-to" actually work (could
not find any explanation, though I have tried hard to search for one).
Everything else (NAT, outbound load balancing, filtering) works just
fine.
My routing is:
default XXX.X.XX.XXX UGSP 2 101853 - 8 tun0
default XXX.X.XX.XXX UGSP 0 988 - 8 tun1
I manage my multipath routes (net.inet.ip.multipath=1) via
- ppp.linkup:
  MYADDR:
    shell route add -mpath default HISADDR
- ppp.linkdown:
  MYADDR:
    shell route delete -mpath default HISADDR
What I tried in pf.conf is:
pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
Asking PF statistics (pfctl -v -s rules) shows that no packet has been
handled by those "reply-to" rules.
Since I consider PF a brilliant concept I would really appreciate any
hint that would help. Thanks to all OpenBSD developers for their great
work and thanks for any advice.
Best regards
Torsten
--
Torsten Finke
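The reply-to mechanics asked about above, as an added illustration that is not part of Torsten's message or his ruleset: a two-uplink pf.conf fragment in the OpenBSD 4.7+ syntax, where the interface names come from the diagram and $int_fw, its address and the use of quick are my assumptions.

```pf
# Added illustration, not the original poster's configuration. Interface
# names follow the diagram; $int_fw is a placeholder (RFC 5737 doc range).
ext_if0 = "tun0"        # first pppoe/ppp(8) uplink
ext_if1 = "tun1"        # second pppoe/ppp(8) uplink
int_fw  = "192.0.2.10"  # assumed address of the Intl FW behind the Extl FW

# reply-to on a "pass in" rule stores, in the state entry, the interface and
# next hop that reply packets must leave through. A session that arrived on
# tun1 is therefore answered via tun1 even when the kernel's default route
# would pick tun0. rdr-to forwards the connection to the Intl FW, and
# ($ext_if1) means "whatever address tun1 currently has", which a PPP link
# can change on every reconnect.
#
# PF picks the LAST matching rule unless "quick" is given, and the counters
# shown by pfctl -v -s rules increment only on the rule that finally won. A
# broader rule later in the ruleset would take the packet and leave these
# counters at zero, so each rule is marked quick here.
pass in quick on $ext_if0 inet proto udp to ($ext_if0) port 1194 \
    rdr-to $int_fw reply-to ($ext_if0 $ext_if0:peer)
pass in quick on $ext_if1 inet proto udp to ($ext_if1) port 1194 \
    rdr-to $int_fw reply-to ($ext_if1 $ext_if1:peer)

pass in quick on $ext_if0 inet proto tcp to ($ext_if0) port 22 \
    rdr-to $int_fw reply-to ($ext_if0 $ext_if0:peer)
pass in quick on $ext_if1 inet proto tcp to ($ext_if1) port 22 \
    rdr-to $int_fw reply-to ($ext_if1 $ext_if1:peer)

# reply-to only affects the reply direction of states created by these rules.
# Flows that the Extl FW or the LAN originate are pinned to an uplink with
# route-to on the rule that first sees them, which is the outbound counterpart.
```

Load it with `pfctl -nf /etc/pf.conf` first to check that the parser of the installed release accepts the option order before replacing the live ruleset.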