We now have 2 gateways, one with a leased line, the other with DSL.
Outbound internet traffic flows through the DSL, and our mail/web servers
are (must be) reached via the leased line.
With one line, everything was working fine. After the DSL was connected,
I reorganized the rules, and now our mail/web services are not
accessible from outside. I see that returned packets are going
through the WAN_IF2 interface, but these must be on WAN_IF!
I have routes and I can see that the route tables are OK.

OpenBSD 3.4
(GENERIC) #18: Wed Sep 17 03:34:47 MDT 2003

lan <=> 10.0.0.254 [OpenBSD 3.4]
             WAN_IF2 => 10.0.1.1 => 10.0.1.254(DSL) => Outbound
             WAN_IF  <= 1.2.3.4 <= 1.2.3.254 (cisco) <= Internet
Mail Server : 1.2.3.5:25 => 10.0.0.x:25

I also need to route 1.2.x.x to 1.2.3.254, not just 1.2.3.x, so
I have "route -n add -net 1.2.0.0/16 1.2.3.254" run on startup.
This part is working. We have to reach some 1.2.x.x hosts
via 1.2.3.254 because of the ISP's firewall.

I am using ftp-proxy transparently; both PASV and PORT work
via WAN_IF/WAN_IF2, fine.

# route -n get 1.2.3.4
   route to: 1.2.3.4
destination: 1.2.0.0
       mask: 255.255.0.0
    gateway: 1.2.3.254
  interface: dc0
      flags: <UP,GATEWAY,DONE,STATIC>
#
But when I try to connect to 1.2.3.5:25 from the outside world, I see
the returned ACK packets on the 10.0.1.1 interface with tcpdump.
What should I do?

MAIL="10.0.0.x"
MAIL_EXT="1.2.3.5"

#leased line, inbound, and outbound to a subnet
WAN_IF="dc0"
WAN_IF_NAT="1.2.3.4"
WAN_IF_GW="1.2.3.254"
WAN_IF_IP="{ 1.2.3.4/32, 1.2.3.5/32 }"

# adsl, outbound
WAN_IF2="dc2"
WAN_IF2_NAT="10.0.1.1"
WAN_IF2_GW="10.0.1.254"
WAN_IF2_IP="{ 10.0.1.1/32 }"

#TRANSLATIONS
nat on $WAN_IF from ! ($WAN_IF) to any -> $WAN_IF_NAT
nat on $WAN_IF2 inet from ! ($WAN_IF2) to any -> $WAN_IF2_NAT
rdr on $WAN_IF proto tcp from any to $MAIL_EXT port 25 -> $MAIL port 25
# ...


pass out on $WAN_IF route-to ($WAN_IF2 $WAN_IF2_GW) from $WAN_IF2 to any keep state
pass out on $WAN_IF2 route-to ($WAN_IF $WAN_IF_GW) from $WAN_IF to any

# I am restricting the OUT traffic on the LAN interface;
# this way I am only permitting OUT on $WAN_IF/$WAN_IF2.

pass in quick on $WAN_IF proto tcp from any to $MAIL port { 25, 110, 80 } keep state label "MAIL:$dstport"
pass out quick on $LAN_IF inet proto tcp from any to $MAIL port { 25, 110, 80 } keep state label "MAIL:$dstport"

# what is wrong with the nat/filters?
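As an added illustration, not part of the original post or its rule set: pf's reply-to option routes the reply direction of a stateful connection to a given interface and gateway, which is the standard way to keep replies on the interface a connection arrived on when the default route points elsewhere. The macros are the poster's; the combined rule sketch below is an assumption about how they fit together, not the poster's corrected configuration.

```pf
# Assumed sketch of the relevant rules (added example, not from the post).
MAIL="10.0.0.x"          # placeholder kept from the post; use the real host address
MAIL_EXT="1.2.3.5"
WAN_IF="dc0"
WAN_IF_NAT="1.2.3.4"
WAN_IF_GW="1.2.3.254"
WAN_IF2="dc2"
WAN_IF2_NAT="10.0.1.1"
WAN_IF2_GW="10.0.1.254"

nat on $WAN_IF  from ! ($WAN_IF)  to any -> $WAN_IF_NAT
nat on $WAN_IF2 from ! ($WAN_IF2) to any -> $WAN_IF2_NAT
rdr on $WAN_IF proto tcp from any to $MAIL_EXT port 25 -> $MAIL port 25

# Weak form: state is created on $WAN_IF, but the mail server's replies
# follow the routing table (default route via DSL) and leave on $WAN_IF2.
# pass in quick on $WAN_IF proto tcp from any to $MAIL port 25 keep state

# Corrected form: reply-to ties the reply direction of this state to the
# leased-line gateway, so replies leave on $WAN_IF whatever the default route.
pass in quick on $WAN_IF reply-to ($WAN_IF $WAN_IF_GW) proto tcp \
    from any to $MAIL port { 25, 110, 80 } keep state label "MAIL:$dstport"

# Connections originating here with the leased-line address as source still
# need route-to, since the default route would otherwise send them via DSL.
pass out on $WAN_IF2 route-to ($WAN_IF $WAN_IF_GW) from ($WAN_IF) to any keep state
```

After loading the rules with pfctl -f, a tcpdump on dc0 should now show the SYN/ACK for port 25 leaving on the leased line rather than on dc2.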
