Steven's method has worked for me as well, with OpenVPN on OpenBSD 4.9.

Lawrence
On Wed, Jan 11, 2012 at 07:48:55PM -0500, Steven Surdock wrote:
> I ran OpenVPN on the loopback and did an rdr (back in the day). It has
> worked for me.
>
> http://marc.info/?l=openbsd-misc&m=119446553412564&w=2
>
> -Steve S.
>
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> > Of Dr.-Ing. Torsten Finke
> > Sent: Wednesday, January 11, 2012 10:48 AM
> > To: misc@openbsd.org
> > Subject: Re: Multiple ISP-connections/Routing/Packet filtering
> >
> > Hello Russell,
> >
> > On Wed, Jan 11, 2012 at 07:46:59AM -0500, Russell Garrison wrote:
> > > Have you considered routing domains?
> >
> > No, I have not. According to your hint I started to study their
> > concept, but have not found a description that would meet my situation.
> >
> > Thanks for your idea and
> >
> > best regards
> >
> > Torsten
> >
> > > On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke
> > > <torsten.fi...@igh-essen.com> wrote:
> > > > Hello Jorge,
> > > >
> > > > > I read again your mail and now I'm lost!
> > > > >
> > > > > You wrote:
> > > > >
> > > > > "How can I force my Extl. FW to reply on exactly the same interface
> > > > > it had been requested on? For example I am running OpenVPN (1194/UDP)
> > > > > between my HomeOffice (Z=Client) and the Intl. FW (=Server).
> > > > > Likewise I would appreciate SSH port forwarding from the Internet to
> > > > > the Intl. FW."
> > > > >
> > > > > SSH port forwarding from the Internet to an internal server is
> > > > > something like:
> > > > >
> > > > > ext_if=vr0
> > > > > ext_ip=1.2.3.4
> > > > > Spvt=4.5.6.7
> > > > > # int_if (the LAN interface) must be defined as well
> > > > >
> > > > > match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
> > > > >
> > > > > pass in on $ext_if proto tcp from any to $Spvt port 22
> > > > > pass out on $int_if proto tcp from any to $Spvt port 22
> > > > >
> > > > > The above line redirects all traffic coming from any place in the
> > > > > Internet to my external IP (1.2.3.4) to the server 4.5.6.7, which
> > > > > is located in my internal LAN; in other words the packet comes in
> > > > > on the external interface and goes out on the internal interface.
> > > > >
> > > > > This works on OpenBSD 4.8 or newer!
> > > > >
> > > > > Is this what you need?
> > > >
> > > > No. Obviously I have not explained clearly what my problem is.
> > > >
> > > > On my firewall I have TWO different Internet connections. It is
> > > > simple to forward - for instance ssh - from both connections to an
> > > > internal machine. Now this machine answers and the firewall sends
> > > > the reply back. How can I force the firewall to send the reply over
> > > > exactly the interface the request came in on? The problem is that the
> > > > client anywhere on the Internet expects the answer from the very
> > > > address it had contacted. If the reply comes from another address,
> > > > it will get lost.
> > > >
> > > > Best regards
> > > >
> > > > Torsten
> > > >
> > > > > On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke
> > > > > <torsten.fi...@igh-essen.com> wrote:
> > > > > > Hello Jorge,
> > > > > >
> > > > > > > If I understood you well, the answer to your question is here!
> > > > > > >
> > > > > > > http://www.openbsd.org/faq/pf/pools.html
> > > > > > >
> > > > > > > Under the section Load Balancing outgoing traffic, or take a
> > > > > > > look at:
> > > > > > >
> > > > > > > http://www.openbsd.org/faq/faq6.html#Multipath
> > > > > > >
> > > > > > > There are good examples there!
> > > > > > >
> > > > > > > I hope this can help!
> > > > > >
> > > > > > Thank you for this. The FAQ on pools has nice examples but none
> > > > > > of them really faces my problem. It discusses load balancing of
> > > > > > incoming traffic to several servers as well as load balancing of
> > > > > > outgoing traffic. I cannot figure out how to dispatch replies to
> > > > > > incoming requests over different connections.
> > > > > >
> > > > > > The FAQ on multipath has helped me very well to set up multiple
> > > > > > default routes - this works very well.
> > > > > >
> > > > > > Best regards
> > > > > >
> > > > > > Torsten
> > > > > >
> > > > > > > > Dear List,
> > > > > > > >
> > > > > > > > Here I show my network topology. Maybe it seems quite
> > > > > > > > typical. My internal network is located behind an Intl/Extl
> > > > > > > > Firewall which is connected to the Internet (IN) via
> > > > > > > > pppoe/ppp(8). On the other side I run different systems, for
> > > > > > > > instance a home office network, a mobile laptop, and several
> > > > > > > > customers.
> > > > > > > >
> > > > > > > >     +---+   +---+
> > > > > > > >     | A |   | B |  (PC)
> > > > > > > >     +-+-+   +-+-+
> > > > > > > >       |       |       +---------+
> > > > > > > >     --+-------+-------| Intl FW |---(DMZ)---+
> > > > > > > >       (LAN/int)       +---------+           |
> > > > > > > >                                             |
> > > > > > > >     +---------------------------------------+
> > > > > > > >     |                                                         +---+
> > > > > > > >     |                                   ____                  | Z | (PC)
> > > > > > > >     |                                  (    )                 +---+
> > > > > > > >     |  +---------+ pppoe/ppp(8) +-----------+ (  )   +----+     |
> > > > > > > >     |  |         |--------------| DSL-Modem |--(  )--| GW |-----+-
> > > > > > > >     |  |         | rl0/tun0     +-----------+ (  )   +----+ (HomeOffice)
> > > > > > > >     +--| Extl FW |                          ( IN )  +----------+
> > > > > > > >        |         | pppoe/ppp(8) +-----------+ (  )--| Customer |
> > > > > > > >        |         |--------------| DSL-Modem |--(  )  +----------+
> > > > > > > >        +---------+ rl1/tun1     +-----------+ (  )  +--------+
> > > > > > > >         OpenBSD 4.8                          (____)--| Mobile |
> > > > > > > >                                                      +--------+
> > > > > > > >
> > > > > > > > My question is about the setup of routing and packet
> > > > > > > > filtering on the External Firewall:
> > > > > > > >
> > > > > > > > How can I force my Extl. FW to reply on exactly the same
> > > > > > > > interface it had been requested on? For example I am running
> > > > > > > > OpenVPN (1194/UDP) between my HomeOffice (Z=Client) and the
> > > > > > > > Intl. FW (=Server). Likewise I would appreciate SSH port
> > > > > > > > forwarding from the Internet to the Intl. FW.
> > > > > > > >
> > > > > > > > I tried using "route-to" and "reply-to", but that did not
> > > > > > > > work - PF.CONF(5) says this should do, but I could not figure
> > > > > > > > out how. I did not understand how "route-to" and "reply-to"
> > > > > > > > actually work (could not find any explanation, though I have
> > > > > > > > tried hard to search for one).
> > > > > > > >
> > > > > > > > Everything else (NAT, outbound load balancing, filtering)
> > > > > > > > works just fine.
> > > > > > > >
> > > > > > > > My routing is:
> > > > > > > >
> > > > > > > > default   XXX.X.XX.XXX   UGSP   2   101853   -   8   tun0
> > > > > > > > default   XXX.X.XX.XXX   UGSP   0      988   -   8   tun1
> > > > > > > >
> > > > > > > > I manage my multipath routes (net.inet.ip.multipath=1) via
> > > > > > > >
> > > > > > > > - ppp.linkup:
> > > > > > > >   MYADDR:
> > > > > > > >     shell route add -mpath default HISADDR
> > > > > > > >
> > > > > > > > - ppp.linkdown:
> > > > > > > >   MYADDR:
> > > > > > > >     shell route delete -mpath default HISADDR
> > > > > > > >
> > > > > > > > What I tried in pf.conf is:
> > > > > > > >
> > > > > > > > pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> > > > > > > > pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
> > > > > > > >
> > > > > > > > Asking PF statistics (pfctl -v -s rules) shows that no packet
> > > > > > > > has been handled by those "reply-to" rules.
> > > > > > > >
> > > > > > > > Since I consider PF a brilliant concept I would really
> > > > > > > > appreciate any hint that would help. Thanks to all OpenBSD
> > > > > > > > developers for their great work and thanks for any advice.
> > > > > > > >
> > > > > > > > Best regards
> > > > > > > >
> > > > > > > > Torsten
> > > > > > > >
> > > > > > > > --
> > > > > > > > ------------------------------------------------------------------------
> > > > > > > > Torsten Finke
> > > > > > > > f...@igh-essen.com
> > > > > > > > ------------------------------------------------------------------------
> > > > > > >
> > > > > > > --
> > > > > > > Cordialmente,
> > > > > > >
> > > > > > > 00110111 00111011
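The setup the thread is circling around, written out as an added example (this is not Torsten's, Steven's, Jorge's or any poster's configuration): a pf.conf for OpenBSD 4.8 or newer on the "Extl FW" with two PPPoE uplinks, where ssh is forwarded to an internal host and OpenVPN is redirected to a server bound on the loopback, following the approach Steven reports. The uplink names tun0/tun1 come from the thread; the LAN interface name, the internal host address and the loopback OpenVPN binding are assumptions made for illustration.

```pf
# Added example, not from the thread: OpenBSD 4.8+ pf.conf for an "Extl FW"
# with two PPPoE uplinks that must answer on the uplink a request came in on.
# tun0/tun1 follow the thread; the LAN interface, the internal host address
# and the loopback OpenVPN binding are assumptions for illustration.

ext_if0  = "tun0"
ext_if1  = "tun1"
int_if   = "vr2"              # assumed LAN interface toward the Intl FW
lan_srv  = "192.168.1.10"     # assumed address of the Intl FW (ssh target)
vpn_port = "1194"

set skip on lo0

# Outbound NAT per uplink: the route lookup (multipath default routes) picks
# the uplink, nat-to picks the matching source address.
match out on $ext_if0 from $int_if:network nat-to ($ext_if0)
match out on $ext_if1 from $int_if:network nat-to ($ext_if1)

# Inbound redirections on either uplink. Ssh goes to the internal host;
# OpenVPN is redirected to a server bound on 127.0.0.1 on this box
# (Steven's loopback variant, assumed started as
#  openvpn --local 127.0.0.1 --port 1194 ...).
match in on $ext_if0 proto tcp to ($ext_if0) port 22        rdr-to $lan_srv
match in on $ext_if1 proto tcp to ($ext_if1) port 22        rdr-to $lan_srv
match in on $ext_if0 proto udp to ($ext_if0) port $vpn_port rdr-to 127.0.0.1
match in on $ext_if1 proto udp to ($ext_if1) port $vpn_port rdr-to 127.0.0.1

block log all

# Filtering is evaluated after translation, so the pass rules must name the
# post-rdr destination, not the uplink address. reply-to records the uplink
# and its PPP peer in the state; every reply belonging to that state is then
# sent out that interface to that next hop, overriding the multipath route
# lookup. pf keeps the LAST matching rule: a later plain "pass in" that also
# matches (for instance a catch-all "pass in on $ext_if0") would win and the
# reply-to would never be applied, which shows up as zero packet counters on
# these rules in "pfctl -vs rules". "quick" makes them final.
pass in quick on $ext_if0 proto tcp to $lan_srv  port 22 \
    reply-to ($ext_if0 $ext_if0:peer)
pass in quick on $ext_if1 proto tcp to $lan_srv  port 22 \
    reply-to ($ext_if1 $ext_if1:peer)
pass in quick on $ext_if0 proto udp to 127.0.0.1 port $vpn_port \
    reply-to ($ext_if0 $ext_if0:peer)
pass in quick on $ext_if1 proto udp to 127.0.0.1 port $vpn_port \
    reply-to ($ext_if1 $ext_if1:peer)

# The forwarded ssh packet leaves toward the LAN; the internal host's answer
# comes back in on $int_if and is matched by the state created above, so it
# needs no rule of its own.
pass out on $int_if proto tcp to $lan_srv port 22

# LAN clients out, over whichever uplink the route lookup selects.
pass in  on $int_if from $int_if:network
pass out on { $ext_if0 $ext_if1 }
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then connect to each uplink's address from outside and watch `pfctl -vvs rules`: the Packets counter of the corresponding reply-to rule must increase, and `tcpdump -n -i tun0 port 22` (and the same on tun1) must show the replies leaving on the same interface the request arrived on. If the counters stay at zero, another pass rule is taking the packet.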