On May 21, 2013, at 4:31 PM, Stuart Henderson wrote:

> On 2013-05-21, Aaron Dewell <[email protected]> wrote:
>> Hey all,
>>
>> I know this is slightly off-topic on this list, I'm hoping the OpenBSD
>> answer will be "close enough" to the MacOS X (10.8) answer that I'll get
>> what I need done. I have gotten zero replies from the Apple communities, so
>> I'm asking here. That said, here's what I'm trying to accomplish.
>>
>> This server has 5 VLAN tagged interfaces (already set up and reachable).
>> First one holds the default route (used for administration).
>> Ostinato (traffic generator) is installed.
>> The other 4 VLAN interfaces are to be used for traffic generation/receiving.
>>
>> What I want is for traffic sourced (via Ostinato) from a particular IP
>> address to be sent via its own VLAN interface to its own router. I have
>> accomplished this on Linux (the far end of this test) using:
>>
>> ip route add default via <gateway-X> dev ethX table X
>> ip rule add from <network-X> table X priority X
>>
>> Research online suggests that this used to work before ipfw was deprecated:
>>
>> ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
>>
>> (I did try this, and nothing actually happened.)
>>
>> Further searching led me to this as the possible OpenBSD answer:
>>
>> route -T X add 0.0.0.0/0 -iface <gateway-X>
>> echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
>>
>> However, this particular version of the OS does not support the -T option to
>> route, so I presume that multiple tables are not supported. However, that
>> step may not be needed.
>>
>> Reading the pfctl man page made my brain hurt. :-) It seems a very
>> functional utility and able to do many, many things, but it's so far away
>> from things I have used in the past (mostly Linux) that the learning curve
>> seems steep.
>>
>> I'm thinking maybe the extra routing table is not strictly necessary in this
>> application, and that pfctl (which in this case is directly from OpenBSD)
>> might be able to do exactly what I want it to do by itself. To that end,
>> I'm hoping someone could give me some hints on the syntax I need to feed it
>> to make this work.
>>
>> Thanks in advance! I appreciate any and all suggestions.
>>
>> Aaron
>>
>>
>
> For states created by outgoing traffic, you're looking for "route-to".
> You may also need "reply-to" if you have incoming traffic to that address
> where replies should also be forced via that path.
>
> e.g.
>
> pass in from <network-X> route-to 10.1.1.1@vlan9
>
> OpenBSD doesn't have the "pfctl -m" syntax you mention, but looking at
> Apple's manpage I don't think it does what you expect. It looks like it
> is meant for merging "set" options, but it doesn't say what effect
> it has on the ruleset; for all I can tell it might well replace the
> whole ruleset with the single rule you're piping to it. Probably
> better to write the ruleset in a pf.conf file and load that.
> Unlike ipfw, PF normally treats the whole ruleset as a unit and
> switches to a new ruleset atomically; if you want something other
> than this (e.g. on-the-fly replacing of certain rules under script
> control) you would normally use an "anchor" so that other rules can
> be left alone.
Thanks! See, I'm confused by pfctl in more ways than one! Haha.

This is a single set-it-up-and-forget, no script modifying it on the fly. I
expect to run this once per reboot or add it to /etc/pf.conf and be done.

There will be packets arriving at this interface also; however, they aren't
"returned" as such, just counted (except ping testing), so I should be good
there.

So it sounds like what I need is, for example:

pass in from 10.1.1.0/24 route-to 10.1.1.1@vlan1

vlan1 being the correct outgoing interface which is configured with an
address on the 10.1.1.0/24 network. That's much simpler than I was
imagining.

I have four of these, so my pf.conf file could look like:

pass in from 10.1.1.0/24 route-to 10.1.1.1@vlan1
pass in from 10.1.2.0/24 route-to 10.1.2.1@vlan2
pass in from 10.1.3.0/24 route-to 10.1.3.1@vlan3
pass in from 10.1.4.0/24 route-to 10.1.4.1@vlan4

If I needed inbound traffic returned (ping), I would add:

pass in on vlan1 reply-to 10.1.1.1@vlan1
pass in on vlan2 reply-to 10.1.2.1@vlan2
pass in on vlan3 reply-to 10.1.3.1@vlan3
pass in on vlan4 reply-to 10.1.4.1@vlan4

That's assuming I've understood what you've said correctly!

Aaron
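As an added example, not part of the thread above: a complete pf.conf that puts the route-to and reply-to rules discussed into one loadable file, in the form Stuart recommends over piping single rules to pfctl. It assumes the layout from Aaron's messages (vlan0 is the administration VLAN that holds the default route; vlan1..vlan4 carry 10.1.1.0/24..10.1.4.0/24 with a router at 10.1.N.1 on each); those interface names and addresses are assumptions. One deliberate difference from the rules quoted in the thread: packets that originate on this host never traverse an "in" rule on any interface, PF first sees them on the "out" side of the interface the default route points at, so the route-to rules below are written as pass out on that interface. The pass in form Stuart gave is the one to use for traffic that enters from another host and is being forwarded.

```pf
# Added example: a complete /etc/pf.conf applying route-to / reply-to per VLAN.
# Assumed layout (adjust to the real machine):
#   vlan0           administration VLAN, holds the default route
#   vlan1..vlan4    test VLANs carrying 10.1.1.0/24..10.1.4.0/24
#   10.1.N.1        the router on each test VLAN

admin_if = "vlan0"

# Loopback is never filtered.
set skip on lo0

# Default policy: pass everything and keep state (the default for pass).
# This file only adds policy routing; nothing is blocked, so a mistake
# here costs reachability of a test VLAN, not of the administration path.
pass

# Locally generated traffic sourced from a test network would follow the
# default route out $admin_if.  route-to on the "out" side of $admin_if
# hands the packet to that network's own router via its own VLAN interface
# instead; the state created by the first packet carries the decision for
# the rest of the flow.  Binding the rules to $admin_if means they cannot
# match a second time once the packet has been moved to vlanN.
pass out on $admin_if from 10.1.1.0/24 route-to 10.1.1.1@vlan1
pass out on $admin_if from 10.1.2.0/24 route-to 10.1.2.1@vlan2
pass out on $admin_if from 10.1.3.0/24 route-to 10.1.3.1@vlan3
pass out on $admin_if from 10.1.4.0/24 route-to 10.1.4.1@vlan4

# Traffic that arrives on a test VLAN (e.g. ping) gets its replies sent
# back through that VLAN's router rather than via the default route.
pass in on vlan1 reply-to 10.1.1.1@vlan1
pass in on vlan2 reply-to 10.1.2.1@vlan2
pass in on vlan3 reply-to 10.1.3.1@vlan3
pass in on vlan4 reply-to 10.1.4.1@vlan4
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load with `pfctl -ef /etc/pf.conf`. `pfctl -sr` shows the rules as PF understood them and `pfctl -ss` shows the states, including the route-to/reply-to interface each one was bound to, which is the quickest way to confirm a test flow really left via its own VLAN. One caveat for the MacOS X case that started the thread: the `address@interface` form above is the current OpenBSD grammar; the PF in FreeBSD, from which Apple's is derived, writes the same thing as `route-to (vlan1 10.1.1.1)`, so if `pfctl -nf` rejects the rules, consult that system's pf.conf(5) for the form it accepts.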

