What is the recommended pf.conf to get symmetrical routing
for incoming and outgoing connections using a dual-homed
gateway and internal hosts with static IPs on both WANs?

I'm assuming "route-to" and "reply-to" are the correct
tools to use.

I've looked at the FAQ, googled for dual & multihomed machines,
and haven't found a clear answer yet.

I know there's a multihome section in the FAQ, but
it only handles pools of nat-ed machines, and the last couple
of lines are not obvious.

I've got 2 WAN connections going to a gateway machine
with 3 physical interfaces and one virtual interface:

          vether0
             |
wan1 --- bridge0 --- wan2
             |
            lan------|
                     |----nat-host-1
multihomed-host-1----|
                     |----nat-host-2
multihomed-host-2----|
                     |----nat-host-3
multihomed-host-3----|
                     |----nat-host-4

For one wan, the PF can be reasonably simple, with most
of the rules on the WAN interfaces. Even now, it's quite long:

block in on $wan all
block in quick on $wans from <evil-hosts> to any
block out on wan proto udp from any to any port $bad_port_list
block out on wan proto tcp from any to <internals>
block out on wan proto udp from any to <internals>
....etc

pass in on wan proto tcp from any to <www-hosts> port www
pass in on wan proto tcp from <ssh-hosts> \
        to <ssh-servers> port ssh
pass in on wan proto tcp from <mail-clients> \
        to <mail-server> port $mail_ports
pass in on wan proto tcp from any to <mail-servers> port smtp
.... many "pass in" ....
pass in on wan proto icmp icmp-type $icmp_types to <ping_hosts>

pass out on wan from <static_ip_range> to ! <static_ip_range>

.......and more things to handle nat-host-x on vether0
..... voip port range rules are lengthy

I could generate 2 copies of the ruleset matching
each IP range and route-to/reply-to everywhere, but
that is lengthy, error prone, and otherwise painful.

Given the current pf.conf, presumably a

pass out on $wan2 from <wan2_ip_range> to \
     !<any_internal_ip> route-to ($wan2 $wan2_gateway)

and "no state" on any outgoing rules would work for
outbound traffic.

What about inbound traffic? "no state" on all incoming rules, and a

pass in on $wan2 from any to <wan2_ip_range> reply-to \
     ($wan2 $wan2_gateway)
rule could work.

Is this the best solution, given pf internals?

geoff steckel
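As an added illustration (not part of the original post, and not an official answer to it), one way to lay out a dual-WAN pf.conf so the service rules are written only once: the routing policy goes into match rules, and the state that a later pass rule creates carries the reply-to/route-to. All interface names, gateways, tables and address blocks are assumed placeholders, and the syntax is the trailing-option form used in the post; it assumes a pf in which a match rule's route option is applied to the state created by the final matching pass rule, so on a pf that lacks this, the reply-to/route-to has to sit on the pass rules themselves.

```pf
# Added example: symmetric routing on a dual-WAN gateway.
# Names, addresses and gateways are assumed placeholders.
wan1 = "em0"
wan2 = "em1"
wan1_gw = "192.0.2.1"        # assumed next hop on WAN 1 (the default route)
wan2_gw = "198.51.100.1"     # assumed next hop on WAN 2
lan = "vether0"
wans = "{ em0 em1 }"

table <wan1_hosts> { 192.0.2.16/28 }     # internal hosts with WAN 1 addresses
table <wan2_hosts> { 198.51.100.16/28 }  # internal hosts with WAN 2 addresses
table <www_hosts> persist
table <ssh_hosts> persist
table <ssh_servers> persist

set skip on lo

# Routing policy. WAN 1 is the default route, so only WAN 2 traffic needs
# help. reply-to is applied to the reply half of a state entry, so the
# state-creating pass rules below must keep state (the default), not
# use "no state".
match in on $wan2 to <wan2_hosts> reply-to ($wan2 $wan2_gw)

# Outbound packets from WAN 2 hosts that the kernel sent toward the
# default route (out WAN 1) are pushed back onto WAN 2. This is what the
# FAQ's closing route-to lines do; the mirror rule covers a static route
# that ever sends WAN 1 hosts out WAN 2.
match out on $wan1 from <wan2_hosts> route-to ($wan2 $wan2_gw)
match out on $wan2 from <wan1_hosts> route-to ($wan1 $wan1_gw)

# Service rules, written once for both WANs; pf expands "on $wans"
# into one rule per interface.
block in on $wans
pass in on $wans proto tcp to <www_hosts> port www
pass in on $wans proto tcp from <ssh_hosts> to <ssh_servers> port ssh
pass in on $wans proto icmp icmp-type echoreq
pass out on $wans from { <wan1_hosts> <wan2_hosts> }
pass on $lan
```

Check the result with `pfctl -nf /etc/pf.conf` for syntax and `pfctl -ss` to confirm that a connection arriving on WAN 2 shows a state whose replies leave on WAN 2.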
