Re: 'route to' question

2006-07-07 Thread abel . martin . ruiz
Sorry too if cross-list posting is frowned upon, but I got an
undelivered-message error from gmail's SMTP server when sending this
message to [EMAIL PROTECTED].

You can do that using SNAT, since packet filtering rules are applied
after NAT rules in PF.

Suppose you want computers from VLAN5 to reach the Internet through gwA
and those from VLAN6 through gwB. These would be the rules to accomplish
this task, considering that ipA is an IP from netA and ipB is an IP from netB.

ext_if="em0"
netA="A.A.A.A/28"
netB="B.B.B.B/28"
ipA="a.a.a.a"
ipB="b.b.b.b"
gwA="ga.ga.ga.ga"
gwB="gb.gb.gb.gb"
vlan5="10.10.5/24"
vlan6="10.10.6/24"

# NAT section
nat on $ext_if from $vlan5 to any -> $ipA
nat on $ext_if from $vlan6 to any -> $ipB

# PACKET FILTER SECTION
pass out on $ext_if route-to ( $ext_if $gwA ) from $netA to any keep state
pass out on $ext_if route-to ( $ext_if $gwB ) from $netB to any keep state

The idea is to route packets by source IP as criterion. This solution
works for me, too.

PS: Please, when answering to this e-mail don't make my address appear
in the body of the message.
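
[Editor's note: the following model is an added illustration, not part of the
message above.] What makes the rules in that message work on the pf of that era
(OpenBSD before 4.7, and the ports derived from it) is the evaluation order:
nat rules are applied first, and the filter rules are then evaluated on the
translated packet. That is why the "pass out ... route-to" rules match on
$netA / $netB (the source as it looks after NAT) and not on the VLAN ranges.
The Python below models that order for the two rule sets and shows what happens
if the filter rules are written against the VLAN ranges instead. The public
addresses (203.0.113.x, RFC 5737 documentation space) are assumptions standing
in for the A.A.A.A / B.B.B.B placeholders; the VLAN ranges are the post's.

```python
"""Model of pf's (pre-OpenBSD 4.7) evaluation order for route-to by source:
nat rules run first, filter rules are evaluated on the translated packet,
and the matching 'pass out ... route-to' rule selects the gateway."""
import ipaddress
from dataclasses import dataclass

# Assumed public addresses standing in for the A.A.A.A / B.B.B.B placeholders.
NET_A = ipaddress.ip_network("203.0.113.0/28")
NET_B = ipaddress.ip_network("203.0.113.16/28")
IP_A = ipaddress.ip_address("203.0.113.2")    # an address inside netA
IP_B = ipaddress.ip_address("203.0.113.18")   # an address inside netB
GW_A = "203.0.113.1"
GW_B = "203.0.113.17"
VLAN5 = ipaddress.ip_network("10.10.5.0/24")  # from the post
VLAN6 = ipaddress.ip_network("10.10.6.0/24")  # from the post


@dataclass
class NatRule:
    """nat on $ext_if from <src> to any -> <to>"""
    src: ipaddress.IPv4Network
    to: ipaddress.IPv4Address


@dataclass
class PassOutRule:
    """pass out on $ext_if route-to ($ext_if <gateway>) from <src> to any keep state"""
    src: ipaddress.IPv4Network
    gateway: str


NAT_RULES = [NatRule(VLAN5, IP_A), NatRule(VLAN6, IP_B)]

# The post's filter rules: they match on the public networks, i.e. on the
# source address as it looks after NAT has been applied.
FILTER_RULES = [PassOutRule(NET_A, GW_A), PassOutRule(NET_B, GW_B)]

# A tempting but wrong variant: matching on the VLAN ranges. By the time the
# filter rules are evaluated the source is already ipA/ipB, so nothing matches.
WRONG_FILTER_RULES = [PassOutRule(VLAN5, GW_A), PassOutRule(VLAN6, GW_B)]


def apply_nat(src, rules=NAT_RULES):
    """nat rules are first-match; return the translated source as a string."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if src in rule.src:
            return str(rule.to)
    return str(src)  # no nat rule matched: the packet leaves untranslated


def pick_gateway(src, nat_rules=NAT_RULES, filter_rules=FILTER_RULES):
    """Return (translated source, gateway chosen by route-to) for a packet
    leaving on $ext_if. Filter rules without 'quick' are last-match, so the
    loop keeps the last rule whose source network contains the packet.
    A gateway of None means no pass-out rule matched at all."""
    translated = ipaddress.ip_address(apply_nat(src, nat_rules))
    gateway = None
    for rule in filter_rules:
        if translated in rule.src:
            gateway = rule.gateway
    return str(translated), gateway


if __name__ == "__main__":
    for host in ("10.10.5.20", "10.10.6.7", "192.168.3.9"):
        print(host, "->", pick_gateway(host))
        print(host, "(rules matching VLAN ranges) ->",
              pick_gateway(host, filter_rules=WRONG_FILTER_RULES))
```

With the post's rules a VLAN5 host leaves as ipA and is routed via gwA, a VLAN6
host leaves as ipB via gwB, and a VLAN2 host (no nat rule, no pass-out rule)
gets neither. With the VLAN-matching variant no pass-out rule ever matches, so
the packet never gets a route-to and falls through to the default policy and
the kernel's default route. On OpenBSD 4.7 and later this inverts: translation
is a property of the filter rule (match/pass ... nat-to) and rules are evaluated
on the untranslated packet, so there the route-to rule would match the VLAN
range instead.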


Re: 'route to' question

2006-07-06 Thread Nikolay Kalev

Use the VLAN interfaces (vlan0, vlan1, vlan2, ...), not the real
interface. It worked for me :-)

On 7/6/06, Peter Blair <[EMAIL PROTECTED]> wrote:

--
Key fingerprint = 9864 E575 E207 FB90 44C8  26A2 0167 E57E 66ED 0F1D


'route to' question

2006-07-05 Thread Peter Blair

Hello lists! (sorry if cross-list posting is frowned upon)

I'm setting up a BSD/pf machine that will be working as a binat
firewall for a number of hosts on two /28 subnets belonging to the
same co-location provider.

The BSD machine is already live, working hard for one subnet, and I
don't have extra hardware to test this out in a lab environment (nice,
I know), so I'd just like a little wisdom from the lists before I go
live with this pf change:

I'm wondering if I can use the "route to" option with pf in order to
force all traffic from subnet A through subnet A's gateway, while
subnet B's traffic goes through subnet B's gateway.  Right now, subnet
B is setup and running with B's gateway as the host for the 0.0.0.0
network.  Now, with straight routing, I can't seem to find a way to
enable multi-path routing to the 0.0.0.0 network along these lines:

if src is from netA: pass traffic to gwA
if src is from netB: pass traffic to gwB

Now, since I have only one external interface (see diagram at bottom),
how can I rearrange the following pf statements (from the pf faq):

pass out on em0 route-to (em0 $ext_gw2) from em0 to any
pass out on em0 route-to (em0 $ext_gw1) from em0 to any

Can I get by by simply aliasing all of the IPs on em0 (external
interface) or do I have to vlan the external device to get distinct
interface names?

Thanks, Pete.

Quick/Dirty Diagram:

204.15.193.0/28  (aliases 204.15.193.2-14)  <--+
                                               +--> (em0) BSD (em1) <--+ (tagged VLAN)
204.15.193.16/28 (aliases 204.15.193.18-30) <--+                       |
                                                                       +--> VLAN2 (192.168.3/24)
                                                                       +--> VLAN5 (10.10.5/24)
                                                                       +--> VLAN6 (10.10.6/24)


route-to question: routing by ports

2006-01-02 Thread iMil



Hi list,

I'd like to use PF's route-to option to route traffic through a tunnel
(tun0) interface for certain ports only.
From what I read here: http://www.openbsd.org/faq/pf/pools.html, here:
http://www.monkey.org/openbsd/archive/misc/0311/msg00640.html and here:
http://www.benzedrine.cx/pf/msg04941.html, these rules should do the trick:


--[snip]--

nat on $ext_if from $lan_net to any -> $ext_if
nat on $tun_if from $lan_net to any -> $tun_if

pass in quick on $int_if route-to ($tun_if $tun_gw) \
proto tcp from $lan_net to any port 25 keep state

--[snip]--

but they don't. It's like the "keep state" flag is not acting, because
when I tcpdump on a target machine:


some.lan_net.machine$ telnet target 25

target.machine# tcpdump -vv -i sis0 dst port 25
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
14:30:16.594788 IP (tos 0x10, ttl 59, id 50921, offset 0, flags [DF], proto: TCP (6), length: 60) tunnel.interface.1635 > target.smtp: S, cksum 0xf540 (incorrect (-> 0xca86), 4250289696:4250289696(0) win 5840



the target is effectively reached by the correct tunnelled host, but the
reply never comes back. And yes, the tunnel works: routing by default
over it is OK.


Is there any trick I misread?

Thanks for your time.

NB: just in case, i'm using NetBSD 3.0 PF port

--
iMil <[EMAIL PROTECTED]>
http://gcu-squad.org


Ftp-proxy and route-to question

2004-11-08 Thread George Pontis
I posted a similar question previously but incorrectly said ftpd when I
meant ftp-proxy. This led to several private emails but yet no solution.
More directly to the point now:

I am following the example from the User's Guide to use pf's route-to option
on "pass in" from the LAN for packets destined for the WAN. It seems to be
working properly.

However, these rules are not applying to FTP client requests from the LAN. I
believe that this is because we are using ftp-proxy, which redirects the FTP
requests to itself, then makes the outgoing connections to servers. Is there
a clean fix for this that I can implement? Or perhaps a duplicate set of
rules applying to lo0? It would be fine if a change affected all traffic
originating from the firewall itself.


George