On 14-10-2015 09:28, C.L. Martinez wrote:
> I am using an OpenBSD vm to act as a firewall for my laptop and as
> openVPN client to connect to several openvpn/ipsec servers.

Your laptop is also running OpenBSD?

> In your opinion, what is the best option: rdomains or mpath? In both
> cases I see one problem: I have only one external interface. How to
> deal with this?

You really, really need multiple default gateways? Because if you only
need to access some networks behind the OpenVPN/IPsec servers, wouldn't
it be easier if you got the routes to these networks and their
respective gateways from the OpenBSD firewall? If you are using dhcpd,
then it can send custom routes to your machine. There is one caveat
though, it should also send a default route. Something like this should do:

       host laptop {
            option classless-static-routes <net> <gw>, <net> <gw>, 0.0.0.0/0 <gw>;
            hardware ethernet xx:xx:xx:xx:xx:xx;
            fixed-address x.x.x.x; # optional
       }

With this you only need to deal with pass rules on your pf.conf, and you
can selectively send the routes you want only to specific clients. Now,
about mpath or rdomain, mpath is for configuring multiple default
gateways for connections originating from the OpenBSD firewall itself.
For connections coming from the machines behind it, you only need
route-to rules on your pf.conf, no need for configuring the multiple
default gateways on the OpenBSD machine, unless you want to keep ntpd
running, or your OpenBSD firewall is also running a proxy or dns server.
In this case I find that using mpath alongside ifstated is easier than
using rdomain, especially if your network layout is simple.

Cheers,
Giancarlo Razzolini

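The classless-static-routes option that dhcpd hands out in the snippet above travels on the wire as DHCP option 121 (RFC 3442), whose compact encoding (only the significant octets of each destination) is easy to get wrong when building or inspecting it by hand. The encoder/decoder below is an added example, not code from this thread or from OpenBSD; the 10.8.0.0/24 and 192.168.1.1 values are constructed sample inputs, and the last helper checks the caveat raised above, that the option must also carry 0.0.0.0/0.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination in CIDR form, gateway address)


def encode_classless_static_routes(routes: List[Route]) -> bytes:
    """Encode (destination, gateway) pairs as the payload of DHCP option 121.

    RFC 3442: each entry is 1 byte prefix length, then only the significant
    octets of the destination (ceil(len/8) of them), then the 4-byte gateway.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_static_routes(payload: bytes) -> List[Route]:
    """Parse an option 121 payload back into (destination, gateway) pairs.

    Raises ValueError on a bad prefix length or a truncated entry, so a
    malformed option is rejected rather than installed as a route.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        # Pad the omitted low-order octets of the destination with zeros.
        dest = ipaddress.IPv4Address(payload[i:i + significant].ljust(4, b"\x00"))
        i += significant
        gw = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network(f"{dest}/{plen}", strict=True)
        routes.append((str(net), str(gw)))
    return routes


def has_default_route(routes: List[Route]) -> bool:
    """True if 0.0.0.0/0 is present; RFC 3442 clients ignore the router option when option 121 is given."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)
```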